[Samba] Prevent `wbinfo -u` from making Winbind unresponsive

Alexey A Nikitin nikitin at amazon.com
Mon Apr 13 17:10:12 UTC 2020


On Friday, 10 April 2020 14:57:23 PDT Jeremy Allison wrote:
> 
> On Fri, Apr 10, 2020 at 02:41:39PM -0700, Jeremy Allison wrote:
> > On Fri, Apr 10, 2020 at 02:37:45PM -0700, Jeremy Allison via samba wrote:
> > > On Fri, Apr 03, 2020 at 03:26:42PM -0700, Alexey A Nikitin via samba wrote:
> > > > no longer a threat, but it is pretty much ignored if 'winbind offline logon' is enabled...
> > > > Can anyone explain why? Because when auth can be broken so easily--just run 'wbinfo -u',
> > > > for which you don't even need elevated privileges--despite offline logon enabled,
> > > > that makes one wonder what is even the point of having that option.
> > >
> > > Well it *is* in the man page :-) :
> > >
> > > docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml
> > >
> > >   7         <para>This parameter specifies the maximum number of simultaneous
> > >   8         connections that the <citerefentry><refentrytitle>winbindd</refentrytitle>
> > >   9         <manvolnum>8</manvolnum></citerefentry> daemon should open to the
> > >  10         domain controller of one domain.
> > >  11         Setting this parameter to a value greater than 1 can improve
> > >  12         scalability with many simultaneous winbind requests,
> > >  13         some of which might be slow.
> > >  14         </para>
> > >  15         <para>
> > >  16         Note that if <smbconfoption name="winbind offline logon"/> is set to
> > >  17         <constant>Yes</constant>, then only one
> > >  18         DC connection is allowed per domain, regardless of this setting.
> > >
> > > But I'll have to look into why this is. Obviously there's a reason :-).
> >
> > Aha. Here it is:
> >
> > commit 9c2fcb689b647be60731ea8ce8abfe22c0e63dde
> >
> >     This implementation breaks offline logons, as the cached credentials are
> >     maintained in a child (this needs fixing). So, if the offline logons are
> >     active, only allow one DC connection.
> >
> >     Probably the offline logon and the scalable file server cases are
> >
> > So to make both work, we'll need to fix where the cached credentials
> > are maintained.
> >
> > If this use case is important to Amazon, I know of a couple of companies
> > who you could pay to get this fixed :-). Or we'd also be happy to receive
> > a patch from you that fixes this limitation !
> 
> The cached creds are pinned in memory in the child to ensure they're
> not put on disk anywhere. See:
> 
> winbindd_add_memory_creds()/winbindd_delete_memory_creds()
> 
> inside source3/winbindd/winbindd_cred_cache.c for details.
> 
> That would need to be updated to allow all winbindd children
> talking to the domain to share this cached memory area
> without allowing it to be stored on disk anywhere.
> 


I see, that explains it. Thank you very much! And please disregard the email I sent earlier without reading the later responses.
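The man page excerpt quoted above says that `winbind offline logon = yes` caps winbindd at one DC connection per domain regardless of `winbind max domain connections`. The following is an added example, not Samba's code and not from anyone in the thread: a small smb.conf checker that applies that rule and flags a configuration whose larger connection count is silently ignored. The embedded sample configuration is constructed, and the parser handles only the subset of smb.conf syntax needed here (sections, `key = value` lines, whole-line comments).

```python
"""Check smb.conf for a 'winbind max domain connections' value that is
silently overridden by 'winbind offline logon = yes'.

Added example; not part of Samba. The rule applied here comes from the
'winbind max domain connections' man page: with offline logon enabled,
winbindd keeps a single DC connection per domain regardless of the setting.
"""

# Constructed sample configuration: a server tuned for scalability but
# with offline logon on, so the tuning has no effect.
SAMPLE_SMB_CONF = """
# constructed smb.conf for the example
[global]
    workgroup = EXAMPLE
    security = ads
    winbind offline logon = yes
    winbind max domain connections = 4
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: [section] headers, 'key = value' lines and
    whole-line comments starting with '#' or ';'. Section names and keys
    are case-insensitive in Samba, so both are lowercased here."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue  # stray line outside any section: ignore
        key, _, value = line.partition('=')
        sections[current][key.strip().lower()] = value.strip()
    return sections


def smb_bool(value):
    """Samba accepts yes/true/1 (and no/false/0) for boolean parameters."""
    return value.strip().lower() in ('yes', 'true', '1')


def effective_dc_connections(sections):
    """Return (configured, effective, offline_logon) for the [global] section.
    'effective' is what winbindd will actually use: 1 when offline logon is
    on, otherwise the configured value (Samba's default is 1)."""
    g = sections.get('global', {})
    configured = int(g.get('winbind max domain connections', '1'))
    offline = smb_bool(g.get('winbind offline logon', 'no'))
    effective = 1 if offline else configured
    return configured, effective, offline


def lint_winbind_connections(text):
    """Return a list of findings; an empty list means the settings agree."""
    configured, effective, offline = effective_dc_connections(parse_smb_conf(text))
    findings = []
    if offline and configured > effective:
        findings.append(
            f"'winbind max domain connections = {configured}' has no effect: "
            f"'winbind offline logon = yes' limits winbindd to {effective} DC "
            "connection per domain"
        )
    return findings


if __name__ == '__main__':
    for finding in lint_winbind_connections(SAMPLE_SMB_CONF) or ['no findings']:
        print(finding)
```

Running it against the constructed sample reports the ignored setting; flipping `winbind offline logon` to `no` (or accepting the single-connection limit and dropping the larger value) makes the report empty. The two settings pull in opposite directions for the reason Jeremy gives in the thread, so the check is a way to notice that trade-off at review time rather than under load.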