[Samba] Prevent `wbinfo -u` from making Winbind unresponsive
Alexey A Nikitin
nikitin at amazon.com
Mon Apr 13 17:10:12 UTC 2020
On Friday, 10 April 2020 14:57:23 PDT Jeremy Allison wrote:
> On Fri, Apr 10, 2020 at 02:41:39PM -0700, Jeremy Allison wrote:
> > On Fri, Apr 10, 2020 at 02:37:45PM -0700, Jeremy Allison via samba wrote:
> > > On Fri, Apr 03, 2020 at 03:26:42PM -0700, Alexey A Nikitin via samba wrote:
> > > > no longer a threat, but it is pretty much ignored if 'winbind offline logon' is enabled...
> > > > Can anyone explain why? Because when auth can be broken so easily--just run 'wbinfo -u',
> > > > for which you don't even need elevated privileges--despite offline logon enabled,
> > > > that makes one wonder what is even the point of having that option.
> > >
> > > Well it *is* in the man page :-) :
> > >
> > > docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml
> > >
> > > <para>This parameter specifies the maximum number of simultaneous
> > > connections that the <citerefentry><refentrytitle>winbindd</refentrytitle>
> > > <manvolnum>8</manvolnum></citerefentry> daemon should open to the
> > > domain controller of one domain.
> > > Setting this parameter to a value greater than 1 can improve
> > > scalability with many simultaneous winbind requests,
> > > some of which might be slow.
> > > </para>
> > > <para>
> > > Note that if <smbconfoption name="winbind offline logon"/> is set to
> > > <constant>Yes</constant>, then only one
> > > DC connection is allowed per domain, regardless of this setting.
> > >
> > > But I'll have to look into why this is. Obviously there's a reason :-).
> > Aha. Here it is:
> > commit 9c2fcb689b647be60731ea8ce8abfe22c0e63dde
> > This implementation breaks offline logons, as the cached credentials are
> > maintained in a child (this needs fixing). So, if the offline logons are
> > active, only allow one DC connection.
> > Probably the offline logon and the scalable file server cases are
> > So to make both work, we'll need to fix where the cached credentials
> > are maintained.
> > If this use case is important to Amazon, I know of a couple of companies
> > who you could pay to get this fixed :-). Or we'd also be happy to receive
> > a patch from you that fixes this limitation !
> The cached creds are pinned in memory in the child to ensure they're
> not put on disk anywhere. See:
> inside source3/winbindd/winbindd_cred_cache.c for details.
> That would need to be updated to allow all winbindd children
> of talking to the domain to share this cached memory area
> without allowing it to be stored on disk anywhere.
I see, that explains it. Thank you very much! And please disregard the email I sent earlier without reading the later responses.
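The man page text quoted in this thread describes a configuration interaction that is easy to miss: with 'winbind offline logon = yes', winbindd opens a single DC connection per domain and any larger 'winbind max domain connections' value is silently ignored. The script below is an added example, not code from the thread or from the Samba project. It flags that combination in an smb.conf. The parser (get_param) is a deliberately simple reader of the [global] section and does not follow 'include' or 'config file' directives; the two sample configs are constructed for the demonstration, and the default of 1 for 'winbind max domain connections' is Samba's documented default.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: report when
# 'winbind offline logon' caps winbindd at one DC connection per domain
# and so makes a larger 'winbind max domain connections' value irrelevant.

# Print the effective [global] value of a parameter from an smb.conf-style
# file (a later definition overrides an earlier one, as in Samba), or print
# nothing if the parameter is not set. Matching is case-insensitive.
get_param() {
    # $1 = config file, $2 = parameter name
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { sec = tolower($0); next }    # section header
        index($0, "=") > 0 && index(sec, "[global]") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) last = val
        }
        END { if (last != "") print last }' "$1"
}

# Exit status 0 (with an explanation on stdout) when the offline-logon cap
# applies to this config; exit status 1 when 'winbind max domain connections'
# takes effect as written.
offline_cap_applies() {
    conf="$1"
    offline=$(get_param "$conf" "winbind offline logon")
    maxconn=$(get_param "$conf" "winbind max domain connections")
    [ -n "$maxconn" ] || maxconn=1          # Samba's default is 1
    case "$(printf '%s' "$offline" | tr 'A-Z' 'a-z')" in
        yes|true|1|on)
            if [ "$maxconn" -gt 1 ] 2>/dev/null; then
                echo "$conf: 'winbind offline logon = $offline' limits winbindd to one DC connection per domain; 'winbind max domain connections = $maxconn' is ignored"
                return 0
            fi ;;
    esac
    return 1
}

# Constructed sample configs (not real deployments) for the demonstration.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ignored.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ads
    winbind offline logon = yes
    winbind max domain connections = 4
[homes]
    browseable = no
EOF
cat > "$SAMPLE_DIR/effective.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ads
    ; offline logon left at its default of no
    winbind max domain connections = 4
EOF

for f in "$SAMPLE_DIR"/*.conf; do
    offline_cap_applies "$f" || echo "$f: 'winbind max domain connections' takes effect"
done
```

On a live host, run it against the effective configuration rather than the raw file: `testparm -s` prints the parsed smb.conf in the same `key = value` form, so its output can be saved to a file and handed to `offline_cap_applies`.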