[Samba] Prevent `wbinfo -u` from making Winbind unresponsive

Jeremy Allison jra at samba.org
Fri Apr 10 21:37:45 UTC 2020

On Fri, Apr 03, 2020 at 03:26:42PM -0700, Alexey A Nikitin via samba wrote:
> On Friday, 3 April 2020 10:46:54 PDT Ralph Boehme wrote:
> > Am 4/1/20 um 11:09 PM schrieb Alexey A Nikitin via samba:
> > > Is there a way, preferably without ugly hacks, to prevent this from happening on accident, by mistake? By this I mean ideally so that Winbind remains responsive even if someone mistakenly ran `wbinfo -u` or `wbinfo -g`, but limiting the result sets of these commands or blocking them altogether is acceptable too.
> > 
> > well, blocking it altogether by means of a new smb.conf option (maybe
> > wbinfo enum users|groups ?) would be trivial.
> > 
> > It would be interesting to know whether you see the issue with settings
> > of winbind max domain connections higher than the default of 1. If so,
> > does increasing it to some sane value eg 10 help?
> > 
> > -slow
> > 
> > 
> Well, looks like setting 'winbind max domain connections' to a value above 1 makes 'wbinfo -u'
> no longer a threat, but it is pretty much ignored if 'winbind offline logon' is enabled...
> Can anyone explain why? Because when auth can be broken so easily--just run 'wbinfo -u',
> for which you don't even need elevated privileges--despite offline logon enabled,
> that makes one wonder what is even the point of having that option.

Well it *is* in the man page :-) :


        <para>This parameter specifies the maximum number of simultaneous
        connections that the <citerefentry><refentrytitle>winbindd</refentrytitle>
        <manvolnum>8</manvolnum></citerefentry> daemon should open to the
        domain controller of one domain.
        Setting this parameter to a value greater than 1 can improve
        scalability with many simultaneous winbind requests,
        some of which might be slow.
        </para>
        <para>
        Note that if <smbconfoption name="winbind offline logon"/> is set to
        <constant>Yes</constant>, then only one
        DC connection is allowed per domain, regardless of this setting.

But I'll have to look into why this is. Obviously there's a reason :-).
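The man page note quoted above can be turned into a configuration check, so that the interaction does not have to be discovered the hard way. The script below is an added example written for this thread; it is not Samba code and does not use any Samba API. It parses an smb.conf fragment (the sample configs are constructed inline, not taken from a real server) with a deliberately loose parser (assumption: a [global] section, 'key = value' lines and '#'/';' comment lines only, no 'include' or '%' substitutions), matches parameter names the way Samba does (ignoring case and whitespace), and flags two situations: 'winbind offline logon = yes' silently capping the DC connection count at one regardless of 'winbind max domain connections', and the default single-connection case, which this thread reports lets one slow 'wbinfo -u' occupy the only connection to the DC. The finding codes and helper names are this example's own.

```python
"""Flag the 'winbind max domain connections' / 'winbind offline logon'
interaction documented in the smb.conf man page.

Added example for the samba list thread; not Samba code. The parser is a
loose approximation of smb.conf syntax (assumption: [section] headers,
'key = value' lines, '#'/';' comment lines; no include/% substitutions).
"""
import re

# Default stated in the man page excerpt: one DC connection per domain
# unless 'winbind max domain connections' is raised.
DEFAULT_MAX_DOMAIN_CONNECTIONS = 1

# Constructed sample configurations (not from any real server).
CONF_DEFAULT = """
[global]
    workgroup = EXAMPLE
    security = ads
"""

CONF_SCALED = """
[global]
    workgroup = EXAMPLE
    security = ads
    winbind max domain connections = 10
"""

CONF_OFFLINE_CAPPED = """
[global]
    workgroup = EXAMPLE
    security = ads
    winbind offline logon = yes
    # parameter names are matched ignoring case and whitespace
    Winbind Max Domain Connections = 10
"""


def _norm(name):
    """smb.conf parameter names match ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for the fragment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][_norm(key)] = value.strip()
    return sections


def _as_bool(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_winbind_connections(text):
    """Return a list of finding codes for the [global] section:
      'max-connections-ignored'  offline logon = yes makes a value > 1 moot
                                 (the man page note quoted in the thread)
      'single-dc-connection'     only one DC connection per domain is in
                                 effect, so one slow request such as
                                 'wbinfo -u' can occupy it
      'max-connections-invalid'  the value is not an integer
    """
    g = parse_smb_conf(text).get("global", {})
    offline = _as_bool(g.get(_norm("winbind offline logon"), "no"))
    raw_max = g.get(_norm("winbind max domain connections"),
                    str(DEFAULT_MAX_DOMAIN_CONNECTIONS))
    try:
        max_conn = int(raw_max)
    except ValueError:
        return ["max-connections-invalid"]

    findings = []
    if offline and max_conn > 1:
        findings.append("max-connections-ignored")
    # Per the man page, offline logon forces a single connection per domain.
    effective = 1 if offline else max_conn
    if effective <= 1:
        findings.append("single-dc-connection")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT),
                       ("scaled", CONF_SCALED),
                       ("offline+capped", CONF_OFFLINE_CAPPED)):
        print(name, "->", check_winbind_connections(conf) or ["ok"])
```

Run it against a real file with `check_winbind_connections(open("/etc/samba/smb.conf").read())`; on a production server the same two parameters can be read back with `testparm -s --parameter-name="winbind max domain connections"` to confirm what loadparm actually sees.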
