[Samba] Prevent `wbinfo -u` from making Winbind unresponsive

Christof Schmitt cs at samba.org
Sat Apr 4 00:12:44 UTC 2020


On Fri, Apr 03, 2020 at 07:46:54PM +0200, Ralph Boehme via samba wrote:
> On 4/1/20 at 11:09 PM, Alexey A Nikitin via samba wrote:
> > Is there a way, preferably without ugly hacks, to prevent this from happening on accident, by mistake? By this I mean ideally so that Winbind remains responsive even if someone mistakenly ran `wbinfo -u` or `wbinfo -g`, but limiting the result sets of these commands or blocking them altogether is acceptable too.
> 
> well, blocking it altogether by means of a new smb.conf option (maybe
> wbinfo enum users|groups ?) would be trivial.
> 
> It would be interesting to know whether you see the issue with settings
> of winbind max domain connections higher than the default of 1. If so,
> does increasing it to some sane value, e.g. 10, help?

This came up in different contexts in the past. One question is whether
it is necessary to have "wbinfo -u" and "wbinfo -g" to go through
winbindd at all. "net ads search -P objectClass=user" does a similar
query and avoids congesting winbindd with those huge queries.

What do you think of deprecating the -u and -g options and possibly
providing a wrapper in "net" as an alternative?

Christof


