[Samba] Prevent `wbinfo -u` from making Winbind unresponsive

Jeremy Allison jra at samba.org
Wed Apr 1 22:33:00 UTC 2020

On Wed, Apr 01, 2020 at 02:09:57PM -0700, Alexey A Nikitin via samba wrote:
> Hi,
> Recently I by mistake ran `wbinfo -u <username>` when I was actually intending to run `wbinfo -n <username>`. It ignored the <username> part and proceeded to fetch the usernames. On a small domain this shouldn't be too much of an issue, but I did it on a domain with thousands upon thousands of users. The result was that Winbind became for all intents and purposes unresponsive for about six minutes - I couldn't authenticate myself (or anyone else) for any new sessions, and it wouldn't even acknowledge me as a valid user in an existing session ('unknown uid: 3234505'). It pretty much blocked on that user search request for anything else, even things that were supposed to be cached locally like my UID.
> I do have the following lines in smb.conf:
> winbind enum users = no
> winbind enum groups = no

Ah, the winbindd code only prohibits
enumerating users when requested from
nsswitch lookups.

The code looks like:

        if (request->wb_flags & WBFLAG_FROM_NSS && !lp_winbind_enum_users()) {
                return tevent_req_post(req, ev);

so making an explicit request via wbinfo will
still do the enumeration.
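
A defensive wrapper for the situation described in this thread, as an added example that is not part of either post and is not Samba code: it refuses `wbinfo -u` / `-g` when smb.conf leaves enumeration off. The function names, the `SMB_CONF` variable and the default smb.conf path are assumptions, and only a flat key lookup of the file is done (no includes, no bundled short options).

```shell
#!/bin/sh
# Added example (not Samba code): keep an accidental "wbinfo -u <name>" from
# enumerating a large domain when smb.conf has enumeration switched off.

# enum_enabled PARAM CONF: succeed only if CONF sets PARAM to a true value.
# Samba compares parameter names ignoring case and whitespace; default is "no".
enum_enabled() {
    awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        {
            i = index($0, "="); if (i == 0) next
            key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, i + 1)); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == want) last = val         # last assignment wins
        }
        END { exit !(last == "yes" || last == "true" || last == "1" || last == "on") }
    ' "$2"
}

# wbinfo_check CONF ARGS...: print "allow" or "deny:<param>" for a wbinfo
# command line, without running anything.
wbinfo_check() {
    conf=$1; shift
    for arg in "$@"; do
        case $arg in
            -u|--domain-users)  param="winbind enum users" ;;
            -g|--domain-groups) param="winbind enum groups" ;;
            *) continue ;;
        esac
        if ! enum_enabled "$param" "$conf"; then
            echo "deny:$param"; return 1
        fi
    done
    echo allow
}

# safe_wbinfo ARGS...: run the real wbinfo only when the check passes.
safe_wbinfo() {
    verdict=$(wbinfo_check "${SMB_CONF:-/etc/samba/smb.conf}" "$@") || {
        echo "refusing: '${verdict#deny:}' is off in smb.conf," \
             "but wbinfo would still enumerate the whole domain" >&2
        return 1
    }
    command wbinfo "$@"
}
```

Sourced from an administrator's shell profile with `alias wbinfo=safe_wbinfo`, a mistyped `-u` is rejected locally before any request reaches winbindd.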
