SUMMARY: NIS+ won't let users in !!!

From: Luis M Ibarra (mibarra@galois.dgaesc.unam.mx)
Date: Fri Apr 21 1995 - 22:53:49 CDT


        The original problem:

        Once in a while, users under control of NIS+ were unable to
log in to the system; they got messages of incorrect logins, and I
couldn't see the users' passwords with NIS+ utilities.

        Diagnosis (from patch 101620-01's README file):

        Problem 1156333: keyserv has a file descriptor leak.

        keyserv runs out of file descriptors.

        The client-side to keyserv (in libnsl) caches one client
handle/per process thread. It tries to use COTS_ORD as the loopback
transport to talk to keyserv - which means that keyserv will have an
open fd for every client handle that is cached (and using
COTS/COTS_ORD transport). Now, every nis+ lookup requires at least one
rpc call to keyserv (two if the session key is not already
established); this means all the getXXbyYY calls made by csh,
sendmail, nis_cachemgr, .... (almost all the processes running on the
server). So, we need to increase the fd limit (currently 64) to the
maximum allowed (1024).

        This patch "solves" the problem, BUT *grin*...

        The file descriptor leak IS NOT fixed. Sun's solution was getting
the file descriptor limit to 1024, so we can expect this
problem to reappear in the future. Gene Loriot (epl@caps.kodak.com)
mentions that the patch 101318-70 also solves the problem; I didn't
try this patch because 101620-01 seems to work fine, and I'm out of time :).

        We are waiting for Sun to make public a patch for their patch :)...

        I want to thank the following people for their help...

 
                                CAST

   Neil Rickert <rickert@cs.niu.edu> pointed me to the 101620-01 patch.
   Gene Loriot <epl@caps.kodak.com> pointed me to the 101318-70 patch.
   Normand Ranger <rangern@CIRANO.UMontreal.CA> pointed me to the 101620-01 patch.
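
The failure mode in the README excerpt above, as an added example that is not part of the original post, of keyserv, or of Sun's patch: a process that keeps one descriptor per cached client handle hits its limit at 64, and raising the soft limit to 1024 only moves the point of exhaustion. The function names are hypothetical, and opens of /dev/null stand in for the loopback connections.

```c
/* Added example; not keyserv or patch 101620-01 code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Set the soft RLIMIT_NOFILE to `want`, clamped to the hard limit.
 * Returns the resulting soft limit, or -1 on error. */
long set_soft_fd_limit(rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    rl.rlim_cur = (want < rl.rlim_max) ? want : rl.rlim_max;
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    return (long)rl.rlim_cur;
}

/* Count open descriptors by probing slots 0..limit-1 (EBADF = free). */
long count_open_fds(long limit)
{
    long n = 0;
    for (long fd = 0; fd < limit; fd++)
        if (fcntl((int)fd, F_GETFD) != -1 || errno != EBADF) n++;
    return n;
}

/* Stand-in for the daemon side of the leak: keep one descriptor per
 * "cached client handle" until open() fails. Returns handles held. */
int hold_handles(int *fds, int max)
{
    int n = 0;
    while (n < max && (fds[n] = open("/dev/null", O_RDONLY)) >= 0) n++;
    return n;
}

int main(void)
{
    static int fds[2048];
    long lim = set_soft_fd_limit(64);            /* limit before the patch */
    int held = hold_handles(fds, 2048);          /* stops with EMFILE */
    printf("limit %ld: %d handles held, %ld descriptors open\n",
           lim, held, count_open_fds(lim));
    lim = set_soft_fd_limit(1024);               /* what the patch does */
    held += hold_handles(fds + held, 2048 - held);
    printf("limit %ld: exhausted again after %d handles\n", lim, held);
    while (held > 0) close(fds[--held]);
    return 0;
}
```

Watching the open-descriptor count of the daemon against its limit gives early warning before logins start failing.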

        


