File descriptors leak on server with kerberos export ticket & replay cache #414

Closed
franck-eyraud opened this issue Sep 9, 2016 · 2 comments

This behaviour has been observed with package versions xrootd.x86_64 1:3.3.6-5.CERN.el7.cern and xrootd.x86_64 1:3.3.6-4.CERN.slc6.

Using EOS with Kerberos authentication for which we activated ticket exportation (-exptkn option), we have experienced a file descriptor leak (files remain open in the process) server-side (MGM), up to reaching the OS maximum limit of 65K fds per process after several days, causing service unavailability.
File descriptors were pointing to files located in the /var/tmp directory; most of them were deleted and had names with the pattern krb5_RCxxxxx. The process also keeps several file descriptors to the same existing file, named after the principal used for the authentication.

It appeared that these files are replay caches. If we set KRB5RCACHEDIR, the files are found in this new location. And if we set KRB5RCACHETYPE=none, no files are created and no leak occurs.

We then realized that when deactivating ticket exportation, the issue also doesn't occur. Since we in fact don't need it (we're not sure what its role is), this is what we did as a long-term solution. But we still wanted to report the issue in case it makes sense.

Without having any knowledge of the Kerberos library, we noted that the function krb5_get_server_rcache is used to generate the replay cache, but krb5_rc_close is never mentioned in the code, although it is said to be necessary to clean up the resources.
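One way to confirm the symptom described in this report on a running server, as an added example that is not part of the original issue or of the xrootd code: it reads `/proc/<pid>/fd` and counts descriptors below the replay cache directory, separating deleted `krb5_RC` files from paths held open more than once. The function names and the script name are assumptions; the directory defaults to `/var/tmp` as reported, and a `KRB5RCACHEDIR` value can be passed instead.

```python
import os
import re
import sys
from collections import Counter

# Name pattern from the report: krb5_RCxxxxx. Linux appends " (deleted)" to a
# /proc/<pid>/fd link target once the underlying file has been unlinked.
RCACHE_RE = re.compile(r"/krb5_RC[^/]*?(?P<deleted> \(deleted\))?$")


def classify(target):
    """Return 'deleted', 'live', or None when target is not a krb5_RC file."""
    m = RCACHE_RE.search(target)
    if m is None:
        return None
    return "deleted" if m.group("deleted") else "live"


def scan_fd_dir(fd_dir, rcache_dir="/var/tmp"):
    """Summarise descriptors that point below rcache_dir.

    fd_dir is a directory of symlinks laid out like /proc/<pid>/fd;
    rcache_dir is /var/tmp in the report, or the value of KRB5RCACHEDIR.
    """
    prefix = rcache_dir.rstrip("/") + "/"
    targets = Counter()
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:  # descriptor closed between listdir() and readlink()
            continue
        if target.startswith(prefix):
            targets[target] += 1
    return {
        "total": sum(targets.values()),
        "deleted_rcache": sum(n for t, n in targets.items() if classify(t) == "deleted"),
        "repeated": {t: n for t, n in targets.items() if n > 1},
    }


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 rcache_fds.py <pid> [rcache_dir]
    pid = sys.argv[1]
    print(scan_fd_dir(f"/proc/{pid}/fd", *sys.argv[2:3]))
```

Run periodically against the server process, a steadily growing `deleted_rcache` count gives warning well before the per-process descriptor limit is reached.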

@abh3 abh3 self-assigned this Sep 9, 2016

abh3 commented Sep 9, 2016

Thank you for reporting this and indicating that we have a missing close().

@abh3 abh3 closed this as completed in 98628b1 Jan 20, 2017

abh3 commented Jan 20, 2017

Actually, this is a bug in the Kerberos library, as we really do close the cache but the descriptor may still leak. This is a known issue and has been fixed in various versions of Kerberos, but apparently not in the version being used here. The only mitigation is to not export tickets (which is not necessary).
