[Samba] Prevent `wbinfo -u` from making Winbind unresponsive
Jeremy Allison
jra at samba.org
Wed Apr 1 22:33:00 UTC 2020
On Wed, Apr 01, 2020 at 02:09:57PM -0700, Alexey A Nikitin via samba wrote:
> Hi,
>
> Recently I by mistake ran `wbinfo -u <username>` when I was actually intending to run `wbinfo -n <username>`. It ignored the <username> part and proceeded to fetch the usernames. On a small domain this shouldn't be too much of an issue, but I did it on a domain with thousands upon thousands of users. The result was that Winbind became for all intents and purposes unresponsive for about six minutes - I couldn't authenticate me (or anyone else) for any new sessions, and it wouldn't even acknowledge me as a valid user in an existing session ('unknown uid: 3234505'). It pretty much blocked on that user search request for anything else, even things that were supposed to be cached locally like my UID.
>
> I do have the following lines in smb.conf:
>
> winbind enum users = no
> winbind enum groups = no
Ah, the winbindd code only prohibits
enumerating users when requested from
nsswitch lookups.
The code looks like:
if (request->wb_flags & WBFLAG_FROM_NSS && !lp_winbind_enum_users()) {
tevent_req_done(req);
return tevent_req_post(req, ev);
}
so making an explicit request via wbinfo will
still do the enumeration.
More information about the samba
mailing list