[Samba] Prevent `wbinfo -u` from making Winbind unresponsive
Alexey A Nikitin
nikitin at amazon.com
Fri Apr 3 22:26:42 UTC 2020
On Friday, 3 April 2020 10:46:54 PDT Ralph Boehme wrote:
> Am 4/1/20 um 11:09 PM schrieb Alexey A Nikitin via samba:
> > Is there a way, preferably without ugly hacks, to prevent this from happening by accident, by mistake? By this I mean ideally so that Winbind remains responsive even if someone mistakenly ran `wbinfo -u` or `wbinfo -g`, but limiting the result sets of these commands or blocking them altogether is acceptable too.
> well, blocking it altogether by means of a new smb.conf option (maybe
> wbinfo enum users|groups ?) would be trivial.
> It would be interesting to know whether you see the issue with settings
> of winbind max domain connections higher than the default of 1. If so,
> does increasing it to some sane value, e.g. 10, help?
Well, looks like setting 'winbind max domain connections' to a value above 1 makes 'wbinfo -u' no longer a threat, but it is pretty much ignored if 'winbind offline logon' is enabled... Can anyone explain why? Because when auth can be broken so easily--just run 'wbinfo -u', for which you don't even need elevated privileges--despite offline logon enabled, that makes one wonder what is even the point of having that option.
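The two smb.conf settings the thread turns on are 'winbind max domain connections' (default 1, per Ralph's reply) and 'winbind offline logon' (which, per Alexey's observation, makes the former ineffective). The following is an added example, not part of the thread and not Samba's own tooling: a small POSIX shell audit that reads an smb.conf and reports whether it is in the combination the thread describes as fragile (max domain connections left at 1, or offline logon enabled). It assumes a plain smb.conf with a single [global] section (no `include` directives), and the two sample configs are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Samba thread): audit an smb.conf for the
# two winbind settings discussed above. Assumes a plain smb.conf whose
# [global] section holds the settings; 'include =' lines are not followed.

# smb_param CONF NAME
# Print the value of parameter NAME from the [global] section of CONF,
# or nothing if it is not set. Case-insensitive, tolerant of whitespace
# around '=', skips ';' and '#' comment lines.
smb_param() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[;#]/ { next }                       # comment line
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# check_winbind_conf CONF
# Returns 0 when 'winbind max domain connections' is above 1 and
# 'winbind offline logon' is not enabled; returns 1 and prints WARN
# lines otherwise. The default of 1 for max domain connections comes
# from the thread; it is applied here when the parameter is absent.
check_winbind_conf() {
    conf="$1"
    rc=0
    maxconn=$(smb_param "$conf" "winbind max domain connections")
    offline=$(smb_param "$conf" "winbind offline logon")

    case "${maxconn:-1}" in
        *[!0-9]*)
            echo "WARN: 'winbind max domain connections' is not numeric: '$maxconn'"
            rc=1 ;;
        *)
            if [ "${maxconn:-1}" -le 1 ]; then
                echo "WARN: 'winbind max domain connections' is ${maxconn:-1 (default)}; a user enumeration can tie up the only DC connection"
                rc=1
            else
                echo "OK:   'winbind max domain connections' = $maxconn"
            fi ;;
    esac

    case "$(printf '%s' "$offline" | tr 'A-Z' 'a-z')" in
        yes|true|1)
            echo "WARN: 'winbind offline logon' is enabled; the thread reports max domain connections is ignored in this mode"
            rc=1 ;;
        *)
            echo "OK:   'winbind offline logon' is not enabled" ;;
    esac
    return $rc
}

# Constructed sample configs (not real deployments) for the demonstration.
DEMO_DIR=$(mktemp -d)
WEAK_CONF="$DEMO_DIR/smb-weak.conf"
HARD_CONF="$DEMO_DIR/smb-hard.conf"

cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   ; 'winbind max domain connections' left at its default of 1
   winbind offline logon = yes
EOF

cat > "$HARD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   Winbind Max Domain Connections = 10
   winbind offline logon = no
EOF

echo "== $WEAK_CONF"; check_winbind_conf "$WEAK_CONF" || echo "-> flagged"
echo "== $HARD_CONF"; check_winbind_conf "$HARD_CONF" || echo "-> flagged"
```

Run it against a real file with `check_winbind_conf /etc/samba/smb.conf` after sourcing the script; a non-zero exit is the signal to look at the two settings. The check only reports the two parameters the thread discusses; whether 'winbind offline logon' is required (for example on roaming clients) remains a deployment decision, and the script does not attempt to explain the interaction Alexey asks about.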