[Samba] Prevent `wbinfo -u` from making Winbind unresponsive
jra at samba.org
Fri Apr 10 21:34:05 UTC 2020
On Fri, Apr 03, 2020 at 05:12:44PM -0700, Christof Schmitt via samba wrote:
> On Fri, Apr 03, 2020 at 07:46:54PM +0200, Ralph Boehme via samba wrote:
> > On 4/1/20 at 11:09 PM, Alexey A Nikitin via samba wrote:
> > > Is there a way, preferably without ugly hacks, to prevent this from happening on accident, by mistake? By this I mean ideally so that Winbind remains responsive even if someone mistakenly ran `wbinfo -u` or `wbinfo -g`, but limiting the result sets of these commands or blocking them altogether is acceptable too.
> > well, blocking it altogether by means of a new smb.conf option (maybe
> > wbinfo enum users|groups ?) would be trivial.
> > It would be interesting to know whether you see the issue with settings
> > of winbind max domain connections higher than the default of 1. If so,
> > does increasing it to some sane value eg 10 help?
> This came up in different contexts in the past. One question is whether
> it is necessary to have "wbinfo -u" and "wbinfo -g" to go through
> winbindd at all. "net ads search -P objectClass=user" does a similar
> query and avoids congesting winbindd with those huge queries.
> What do you think of deprecating the -u and -g options and possibly
> provide a wrapper in "net" as an alternative?
Yes, that seems like a cleaner solution to me. There's no need to
bug winbindd with these huge queries from a command line.
We can keep 'wbinfo -u' and 'wbinfo -g' but have the
wbinfo program do the queries itself and ensure the
output format is identical.