We run an NFS4 server cluster that uses HA and virtual IP addresses. Because of this, we run the NFS4 rpc.svcgssd process with the '-n' flag, which causes rpc.svcgssd to defer credential creation for a context until the context is needed.
When run this way, it exposes a kerberos bug that leaks rcache opens in gss_accept_context by opening a new file handle for each client context created. Eventually, rpc.svcgssd runs up agains ulimit and must be restarted.
Here is some discussion of the problem:
The fix should be included in 1.9.2:
We are running into this bug in krb5-workstation-1.9-22.el6_2.1.x86_64.
Patch merged for krb5-1.9-25.el6 and later.
*** Bug 812014 has been marked as a duplicate of this bug. ***
Is the patched version available for RHEL 6.2?
(In reply to comment #6)
> Is the patched version available for RHEL 6.2?
No, but if your use-case has an urgent enough business justification, you can:
1. contact Red Hat Global Support Services (https://access.redhat.com/support/cases/new)
2. provide them the data they need to verify that you hit this bug
3. describe the urgency and business justification
4. request an errata for RHEL-6.2
Currently, this bug is scheduled to be fixed with RHEL-6.3.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.