[Samba] Prevent `wbinfo -u` from making Winbind unresponsive

Alexey A Nikitin nikitin at amazon.com
Fri Apr 3 17:07:43 UTC 2020


Looks like Peter already did a rather in-depth investigation. From my end - I can easily reproduce the issue, and I've also observed rather obscene memory use growth, but I haven't had time to do any detailed tracing yet.


On Thursday, 2 April 2020 11:18:34 PDT Jeremy Allison wrote:
> On Wed, Apr 01, 2020 at 03:33:00PM -0700, Jeremy Allison via samba wrote:
> > On Wed, Apr 01, 2020 at 02:09:57PM -0700, Alexey A Nikitin via samba wrote:
> > > Hi,
> > >
> > > Recently I by mistake ran `wbinfo -u <username>` when I was actually intending to run `wbinfo -n <username>`. It ignored the <username> part and proceeded to fetch the usernames. On a small domain this shouldn't be too much of an issue, but I did it on a domain with thousands upon thousands of users. The result was that Winbind became for all intents and purposes unresponsive for about six minutes - I couldn't authenticate myself (or anyone else) for any new sessions, and it wouldn't even acknowledge me as a valid user in an existing session ('unknown uid: 3234505'). It pretty much blocked on that user search request for anything else, even things that were supposed to be cached locally like my UID.
> > >
> > > I do have the following lines in smb.conf:
> > >
> > > winbind enum users = no
> > > winbind enum groups = no
> >
> > Ah, the winbindd code only prohibits
> > enumerating users when requested from
> > nsswitch lookups.
> >
> > The code looks like:
> >
> >         if (request->wb_flags & WBFLAG_FROM_NSS && !lp_winbind_enum_users()) {
> >                 tevent_req_done(req);
> >                 return tevent_req_post(req, ev);
> >         }
> >
> > so making an explicit request via wbinfo will
> > still do the enumeration.
> 
> The rpc client code uses the dcerpc call_id
> field to allow multiple outstanding calls at
> once (asynchronously using tevent). It'd be
> interesting to know where exactly winbind
> is blocking (I think it might be on queuing
> calls between master and client) to see
> how we can improve the asynchronous performance.
> 
> If you're willing to reproduce and investigate,
> that is!
> 
