[Samba] Prevent `wbinfo -u` from making Winbind unresponsive
jra at samba.org
Fri Apr 10 21:57:23 UTC 2020
On Fri, Apr 10, 2020 at 02:41:39PM -0700, Jeremy Allison wrote:
> On Fri, Apr 10, 2020 at 02:37:45PM -0700, Jeremy Allison via samba wrote:
> > On Fri, Apr 03, 2020 at 03:26:42PM -0700, Alexey A Nikitin via samba wrote:
> > > no longer a threat, but it is pretty much ignored if 'winbind offline logon' is enabled...
> > > Can anyone explain why? Because when auth can be broken so easily--just run 'wbinfo -u',
> > > for which you don't even need elevated privileges--despite offline logon enabled,
> > > that makes one wonder what is even the point of having that option.
> > Well it *is* in the man page :-) :
> > docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml
> > <para>This parameter specifies the maximum number of simultaneous
> > connections that the <citerefentry><refentrytitle>winbindd</refentrytitle>
> > <manvolnum>8</manvolnum></citerefentry> daemon should open to the
> > domain controller of one domain.
> > Setting this parameter to a value greater than 1 can improve
> > scalability with many simultaneous winbind requests,
> > some of which might be slow.
> > </para>
> > <para>
> > Note that if <smbconfoption name="winbind offline logon"/> is set to
> > <constant>Yes</constant>, then only one
> > DC connection is allowed per domain, regardless of this setting.
> > But I'll have to look into why this is. Obviously there's a reason :-).
> Aha. Here it is:
> commit 9c2fcb689b647be60731ea8ce8abfe22c0e63dde
> This implementation breaks offline logons, as the cached credentials are
> maintained in a child (this needs fixing). So, if the offline logons are
> active, only allow one DC connection.
> Probably the offline logon and the scalable file server cases are
> So to make both work, we'll need to fix where the cached credentials
> are maintained.
> If this use case is important to Amazon, I know of a couple of companies
> who you could pay to get this fixed :-). Or we'd also be happy to receive
> a patch from you that fixes this limitation !
The cached creds are pinned in memory in the child to ensure they're
not put on disk anywhere. See:
inside source3/winbindd/winbindd_cred_cache.c for details.
That would need to be updated to allow all winbindd children
talking to the domain to share this cached memory area
without allowing it to be stored on disk anywhere.
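A small check for the interaction the quoted man page describes, added here as an example and not code from the thread or from Samba itself: it reads the [global] section of an smb.conf and reports when `winbind max domain connections` is set above 1 while `winbind offline logon = yes`, the case where the larger value is ignored and winbindd keeps a single DC connection per domain. The smb.conf fragments are constructed for the example, the parser only handles `[global]`, and the defaults (offline logon off, one connection) are taken from the smb.conf manual.

```python
"""Report the effective number of winbindd DC connections per domain.

Per the smb.conf manual text quoted above, `winbind offline logon = yes`
limits winbindd to one DC connection per domain regardless of
`winbind max domain connections`, so a larger value is silently ignored.
"""
import re
from typing import Dict, Tuple

# Constructed smb.conf fragments for this example (not from the thread).
CONF_OFFLINE = """\
[global]
    workgroup = EXAMPLE
    security = ads
    winbind offline logon = yes
    winbind max domain connections = 4
"""

CONF_ONLINE = """\
[global]
    workgroup = EXAMPLE
    security = ads
    winbind offline logon = no
    winbind max domain connections = 4
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")


def normalize_name(name: str) -> str:
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters as {normalized name: value}.

    Only key = value lines inside [global] are kept; comments (# or ;),
    blank lines and other sections are skipped. 'include' and similar
    directives are not followed.
    """
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[normalize_name(key)] = value.strip()
    return params


def parse_bool(value: str) -> bool:
    """Accept the boolean spellings smb.conf allows."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def effective_dc_connections(params: Dict[str, str]) -> Tuple[int, int, bool]:
    """Return (configured, effective, offline_logon).

    Defaults: winbind offline logon = no, winbind max domain connections = 1.
    With offline logon on, the effective connection count is 1 (man page).
    """
    offline = parse_bool(params.get("winbindofflinelogon", "no"))
    configured = int(params.get("winbindmaxdomainconnections", "1"))
    effective = 1 if offline else configured
    return configured, effective, offline


def check(text: str) -> str:
    """Human-readable verdict for one smb.conf text."""
    configured, effective, offline = effective_dc_connections(parse_global(text))
    if offline and configured > 1:
        return (f"WARNING: winbind max domain connections = {configured} is ignored "
                f"because winbind offline logon = yes; winbindd will use 1 DC "
                f"connection per domain")
    return f"OK: winbindd will use up to {effective} DC connection(s) per domain"


if __name__ == "__main__":
    for conf in (CONF_OFFLINE, CONF_ONLINE):
        print(check(conf))
```

Run it against a real smb.conf by passing the file contents to `check()`; the warning is the configuration the thread is about, where a single slow or long-running request such as `wbinfo -u` has the only DC connection for that domain.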