Bug 16042 - rpc workers with long living clients grow server memory keytab
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba release manager
QA Contact: Samba QA Contact
Reported: 2026-03-27 10:12 UTC by Noel Power
Modified: 2026-04-09 09:35 UTC

Attachments
patch to fix issues (version 1 - creates uniquely named mem keytab) (2.18 KB, patch)
2026-03-27 10:12 UTC, Noel Power
no flags
Alternative version of the patch to fix this issue (3.20 KB, patch)
2026-03-27 10:22 UTC, Noel Power
no flags
patch for 4-22-test through to v4-24-test (2.77 KB, patch)
2026-03-30 10:44 UTC, Noel Power
metze: review+

Description Noel Power 2026-03-27 10:12:44 UTC
Created attachment 18927
patch to fix issues (version 1 - creates uniquely named mem keytab)

related to bug #15979 (same customer)

rpc_worker_new_client
 ->dcesrv_bind
   -> gensec_update_send
      -> gensec_spnego_update_send
         -> gse_init_server
            -> gensec_spnego_update_pre
               -> gensec_spnego_server_negTokenInit_start
                  -> gensec_spnego_server_negTokenInit_step
                     -> gensec_start_mech
                        -> gensec_gse_server_start
                           -> gse_krb5_get_server_keytab
                              -> fill_mem_keytab_from_system_keytab


gse_krb5_get_server_keytab
  creates a new memory keytab and populates it (however if there is an existing client then it gets back an existing memory keytab)

In a system with long-lived (or permanent/semi-permanent) clients, this can continue to grow the memory keytab, resulting in both memory exhaustion and, additionally, significant performance degradation, as the population of the memory keytab becomes slower and slower as its size grows.

The patch (to be attached) creates a new memory cache based on a dynamic memory name so we don't reuse an existing memory keytab.

An alternative approach would be to prevent adding existing entries when populating the memory keytab (I will attach a patch for this approach as well).
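
The growth described in this report and the two proposed fixes, as a small stand-alone C model added here (not Samba or libkrb5 code, and not either attached patch). The registry, `kt_resolve`, `kt_fill`, `simulate`, the `MEMORY:srv` names and the three sample entries are hypothetical; the model assumes only what the description states: a name still held by a client resolves to the existing keytab, and every bind copies the system keytab into it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { SLOTS = 4, NKEYS = 3 };
struct memkt { char name[32]; int refs; int *ent; size_t n; };
static struct memkt reg[SLOTS]; /* toy registry: hypothetical, not Samba/libkrb5 code */
static const int system_keytab[NKEYS] = { 17, 18, 23 }; /* constructed entries */
/* Resolve-or-create: a name some client still holds comes back as-is. */
static struct memkt *kt_resolve(const char *name) {
    struct memkt *slot = NULL;
    for (int i = 0; i < SLOTS; i++) {
        if (reg[i].refs && !strcmp(reg[i].name, name)) { reg[i].refs++; return &reg[i]; }
        if (!reg[i].refs && !slot) slot = &reg[i];
    }
    if (!slot) abort(); /* registry full */
    snprintf(slot->name, sizeof slot->name, "%s", name);
    slot->refs = 1; return slot;
}
static void kt_close(struct memkt *kt) { /* entries go only with the last holder */
    if (--kt->refs == 0) { free(kt->ent); kt->ent = NULL; kt->n = 0; }
}
static void kt_fill(struct memkt *kt, int dedup) { /* dedup != 0 skips entries already present */
    for (int k = 0; k < NKEYS; k++) {
        int seen = 0;
        for (size_t j = 0; dedup && j < kt->n; j++) seen |= kt->ent[j] == system_keytab[k];
        if (seen) continue;
        int *p = realloc(kt->ent, (kt->n + 1) * sizeof *p);
        if (!p) abort();
        p[kt->n++] = system_keytab[k];
        kt->ent = p;
    }
}
/* Client 0 stays bound while `binds` more come and go; returns client 0's keytab size. */
size_t simulate(int binds, int unique_names, int dedup) {
    struct memkt *perm = NULL;
    for (int c = 0; c <= binds; c++) {
        char name[32];
        snprintf(name, sizeof name, "MEMORY:srv-%d", unique_names ? c : 0);
        struct memkt *kt = kt_resolve(name);
        kt_fill(kt, dedup);
        if (c == 0) perm = kt; else kt_close(kt);
    }
    size_t n = perm->n;
    kt_close(perm);
    return n;
}
int main(void) {
    printf("shared=%zu unique=%zu dedup=%zu\n", simulate(1000, 0, 0), simulate(1000, 1, 0), simulate(1000, 0, 1));
}
```

With a shared name the keytab held by the permanent client gains a full copy of the system keytab on every bind; with per-bind names or a duplicate check on fill it stays at the size of the system keytab.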
Comment 1 Noel Power 2026-03-27 10:22:51 UTC
Created attachment 18928
Alternative version of the patch to fix this issue
Comment 2 Samba QA Contact 2026-03-30 09:37:03 UTC
This bug was referenced in samba master:

c28a86c45d9d9673de18f9c29ea80dff12c9e7dd
Comment 3 Noel Power 2026-03-30 10:44:07 UTC
Created attachment 18933
patch for 4-22-test through to v4-24-test
Comment 4 Samba QA Contact 2026-04-08 17:41:45 UTC
This bug was referenced in samba v4-22-test:

178c213067500c7ae27819f0f83d9fcfd5a16813
Comment 5 Samba QA Contact 2026-04-09 09:35:58 UTC
This bug was referenced in samba v4-22-stable (Release samba-4.22.9):

178c213067500c7ae27819f0f83d9fcfd5a16813