[Samba] Prevent `wbinfo -u` from making Winbind unresponsive

Thu Apr 2 18:18:34 UTC 2020

On Wed, Apr 01, 2020 at 03:33:00PM -0700, Jeremy Allison via samba wrote:
> On Wed, Apr 01, 2020 at 02:09:57PM -0700, Alexey A Nikitin via samba wrote:
> > Hi,
> > 
> > Recently I by mistake ran `wbinfo -u <username>` when I was actually intending to run `wbinfo -n <username>`. It ignored the <username> part and proceeded to fetch the usernames. On a small domain this shouldn't be too much of an issue, but I did it on a domain with thousands upon thousands of users. The result was that Winbind became for all intents and purposes unresponsive for about six minutes - I couldn't authenticate me (or anyone else) for any new sessions, and it wouldn't even acknowledge me as a valid user in an existing session ('unknown uid: 3234505'). It pretty much blocked on that user search request for anything else, even things that were supposed to be cached locally like my UID.
> > 
> > I do have the following lines in smb.conf:
> > 
> > winbind enum users = no
> > winbind enum groups = no
> 
> Ah, the winbindd code only prohibits
> enumerating users when requested from
> nsswitch lookups.
> 
> The code looks like:
> 
>         if (request->wb_flags & WBFLAG_FROM_NSS && !lp_winbind_enum_users()) {
>                 tevent_req_done(req);
>                 return tevent_req_post(req, ev);
>         }
> 
> so making an explicit request via wbinfo will
> still do the enumeration.

The rpc client code uses the dcerpc call_id
field to allow multiple outstanding calls at
once (asynchronously using tevent). It'd be
interesting to know where exactly winbind
is blocking (I think it might be on queuing
calls between master and client) to see
how we can improve the asynchronous performance.

If you're willing to reproduce and investigate,
that is !