Thanks Stephen, we will give the patches a try here and report back how it looks.


From: Stephen Gallagher <>
To: Development of the System Security Services Daemon <>
Cc: Shantanu Goel <>
Sent: Monday, June 18, 2012 11:33 AM
Subject: Re: [SSSD] [PATCH] Add support for terminating idle connections in sssd_nss

On Mon, 2012-06-18 at 09:33 -0400, Stephen Gallagher wrote:
> On Mon, 2012-06-18 at 06:30 -0700, Shantanu Goel wrote:
> > Hi Stephen,
> >
> >
> > Please feel free to modify the patch in any way or shape you deem
> > necessary for inclusion.  We are just glad that you agree there is a
> > real problem which needs fixing.  One thing I ask is if you expect to
> > have rhel 5 or 6 test RPMs that we could test with the ultimate fix
> > any time soon, please drop me a note and we will gladly install them
> > on some of our problematic machines here to see if they address the
> > problems we have seen.
> Sure, once this is done I'm going to be committing it upstream for the
> master branch (future 1.9), the sssd-1-8 branch (our current LTM
> release) and the sssd-1-5 branch (our previous LTM release).
> You should be able to pull the patches from the sssd-1-5 branch and
> build them for your systems once they're ready.

Ok, new patches attached. Shantanu, these are currently designed for the
master branch. We'll get them committed there first and tested out for a
little while, then we'll backport them.

Patch 0001: Return the correct errno value. Previously it could have
been reset by closing the socket.

Patch 0002: Add some additional debugging to the client_destructor()

Patch 0003: On systems that support MSG_NOSIGNAL, we should use it. This
way, if a client app isn't configured to listen for SIGPIPE, it will not

Patch 0004: Add a timer to each client context. If sixty seconds pass
(configurable in patch 0005) without either read or write activity,
we will free the client context and close the socket. The client code is
already written to be tolerant of this and will reconnect on the next
request. This will help us avoid resource exhaustion if we have clients
that hang on to NSS and PAM file descriptors indefinitely (like 'su' and
'login' do for PAM).

Patch 0005: Make the client idle timeout value configurable and add it
to the manpages and config API.
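The following is an added illustration of two of the points above, the errno-preservation problem that Patch 0001 fixes and the MSG_NOSIGNAL behaviour that Patch 0003 relies on. It is example code written for this thread, not code from the SSSD patches themselves. It assumes a Linux system where MSG_NOSIGNAL exists (with an SO_NOSIGPIPE fallback for platforms that lack it), builds a constructed AF_UNIX socketpair whose peer end has already been closed to stand in for a vanished client, and uses a deliberately repeated close() as a constructed way to make a failing system call run between send() and the point where errno is read.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Send without letting a dead peer raise SIGPIPE in this process. With
 * MSG_NOSIGNAL the condition comes back as -1/EPIPE, which the caller can
 * handle, instead of a signal that kills any program that never installed
 * a SIGPIPE handler. */
static ssize_t send_nosigpipe(int fd, const void *buf, size_t len)
{
#ifdef MSG_NOSIGNAL
    return send(fd, buf, len, MSG_NOSIGNAL);
#else
    /* Fallback for platforms without MSG_NOSIGNAL: suppress SIGPIPE on the
     * socket itself where SO_NOSIGPIPE is available (e.g. macOS). */
#ifdef SO_NOSIGPIPE
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, &one, sizeof(one));
#endif
    return send(fd, buf, len, 0);
#endif
}

/* Send one reply and close the descriptor if the send fails. Returns 0 on
 * success or the errno that describes the failure.
 *
 * preserve == 1: capture errno immediately after send() fails (correct).
 * preserve == 0: read errno only after closing the socket, which is the
 *                bug Patch 0001 fixes: any failing call in between
 *                overwrites the value from send(). */
static int send_then_close(int fd, const char *msg, int preserve)
{
    int err = 0;

    if (send_nosigpipe(fd, msg, strlen(msg)) < 0) {
        if (preserve)
            err = errno;          /* correct: save before anything else runs */

        close(fd);
        /* Constructed for the demo: closing the same fd a second time fails
         * with EBADF, modelling any failing call that sits between the
         * original error and the point where errno is finally read. */
        close(fd);

        if (!preserve)
            err = errno;          /* buggy: this is close()'s errno, not send()'s */
    }
    return err;
}

/* Constructed scenario: a socketpair whose peer end is already gone, so the
 * first send() fails with EPIPE. Returns the errno the caller ends up with. */
int demo_errno_after_failed_send(int preserve)
{
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;

    close(sv[1]);                 /* the client disappeared */
    return send_then_close(sv[0], "reply", preserve);
}

int main(void)
{
    int good = demo_errno_after_failed_send(1);
    int bad  = demo_errno_after_failed_send(0);

    /* Reaching this line at all shows MSG_NOSIGNAL kept SIGPIPE away. */
    printf("errno captured before close(): %d (%s)\n", good, strerror(good));
    printf("errno read after close():      %d (%s)\n", bad, strerror(bad));
    return 0;
}
```

Running it on Linux reports EPIPE for the preserved path and EBADF for the buggy one; the second value is what a caller would have logged or acted on, which is why the fix is simply to copy errno into a local before the socket is torn down.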