Description of problem:
Every 5 minutes a small tree is created in /tmp like this:

/tmp/adcli-krb5-xxxxx
`- krb5.d
   `- adcli-krb5-conf-XXXXX

The file is a partial duplication of /etc/krb5.conf.
The files are gathered, and I discovered them when there were about 5000 trees like that on each server. Now I clean them weekly with a cron job. Yet this is still a bug that needs to be solved.

Version-Release number of selected component (if applicable):
Main releases are RHEL 7.3 and 7.4
adcli-0.8.* and sssd-1.14 or sssd-1.15 or sssd-1.16

How reproducible:
I only guess that the problem lies with AD records that include Hebrew ISO codes combined with a double-quote (") that follows a back-slash (\), for example from sssd logs:

(Mon Mar 26 12:25:25 2018) [sssd[be[default]]] [ad_enum_cross_dom_members] (0x0080): Failed to add [CN=אגף/פיתוח/מחלקה/קבוצה ארה\"ב,OU=Groups,OU=Site,OU=Company,DC=com]: Input/output error

Note: The Hebrew string is reversed by the mailer editor, but I guess that would help only those who may be able to recognize the letters.

And a second example:

Date Time [sssd[be[default]]] [ad_enum_cross_dom_numbers] (0x0080): Failed to add [CN=ב\"כג/דכ\"ד/קקר,OU=כע\"י/רח\"ג/עיחעגד חיכגח//חיחי 456,OU=ANOTHER OU,OU=YET MORE,DC=realm]: Input/outoput error
Date Time [sssd[be[default]]] [ldb] (0X4000): Added timed event "ltdb_callback": 0x55b66975178b0

Steps to Reproduce:
1. Again, I only guess that creating users with a CN and OU that include strings like those described above will create the problem that leaves the small tree of files in /tmp every 5 minutes.
2.
3.

Actual results:

Expected results:

Additional info:
There are cases that I created with a local analyst in Israel and with RED HAT support, but since I didn't get a reasonable response, I hope that a record in Bugzilla will expedite the solution.
Hi,

If adding 'ad_maximum_machine_account_password_age = 0' to the [domain/...] section of sssd.conf does not help, please add 'debug_level=9' to the [domain/...] section of sssd.conf, restart SSSD, let it run for e.g. 15min and attach the /var/log/sssd/sssd_your.domain.name.log to this ticket.

bye,
Sumit
Customer confirmed the test package worked for him. No more krb temp files. Thanks Sumit.
To reproduce I would remove the 'NAME$@AD.REALM' entry from the keytab and call 'adcli update'. Without the fix there should be a /tmp/adcli-krb5-xxxxx left in /tmp/. With the fix there should be no such directory.
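A way to automate the before/after check from the reproducer above, as an added example that is not part of the original comment or of adcli. The function names are hypothetical; the directory layout (adcli-krb5-XXXXX/krb5.d) is the one given in the report, and find is assumed to support -mindepth/-maxdepth.

```shell
#!/bin/sh
# Added example: detect leftover adcli temp trees of the form
#   <dir>/adcli-krb5-XXXXX/krb5.d/adcli-krb5-conf-XXXXX

# list_adcli_leftovers DIR
# Prints matching trees, one per line. Only real directories directly
# under DIR count (find does not follow symlinks here), and only if they
# contain a real krb5.d subdirectory as described in the report.
list_adcli_leftovers() {
    dir=${1:-/tmp}
    find "$dir" -mindepth 1 -maxdepth 1 -type d -name 'adcli-krb5-*' 2>/dev/null |
    while IFS= read -r d; do
        if [ -d "$d/krb5.d" ] && [ ! -L "$d/krb5.d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# count_adcli_leftovers DIR: number of leftover trees in DIR.
count_adcli_leftovers() {
    list_adcli_leftovers "$@" | wc -l | tr -d ' '
}

# leak_check DIR CMD...
# Runs CMD and returns 1 if it left a new adcli-krb5-* tree in DIR.
# On a joined host (as root): leak_check /tmp adcli update
leak_check() {
    dir=$1; shift
    before=$(count_adcli_leftovers "$dir")
    "$@" >/dev/null 2>&1 || true
    after=$(count_adcli_leftovers "$dir")
    if [ "$after" -gt "$before" ]; then
        echo "LEAK: $((after - before)) new adcli-krb5-* tree(s) in $dir"
        return 1
    fi
    echo "OK: no new adcli-krb5-* tree in $dir"
}

# Constructed demo in a scratch directory: the first command simulates the
# unfixed behaviour (leaves a tree behind), the second the fixed one.
demo=$(mktemp -d)
leak_check "$demo" mkdir -p "$demo/adcli-krb5-AAAAA/krb5.d" || true
leak_check "$demo" true
rm -rf "$demo"
```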
I'm sorry to inform you that the fix above was applied and did not solve the problem. Those small file trees continue to accumulate in /tmp, one every 5 minutes. The problem appeared first on RHEL 7.3, continued on 7.4, was solved on 7.5 and sadly appears again on RHEL 7.6. The temporary solution is to remove the adcli rpm of 7.6 and reapply the 7.5 rpm. Please open the problem again.
The description above, related to Hebrew letters, was a wrong guess. Actually the problem is caused by a lower-case user principal versus an upper-case one. Windows is case insensitive, yet Linux and MIT are case sensitive.
*** Bug 1698063 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:2256