[Samba] Prevent `wbinfo -u` from making Winbind unresponsive
Alexey A Nikitin
nikitin at amazon.com
Mon Apr 13 17:06:06 UTC 2020
On Friday, 10 April 2020 14:37:45 PDT Jeremy Allison wrote:
> On Fri, Apr 03, 2020 at 03:26:42PM -0700, Alexey A Nikitin via samba wrote:
> > Well, looks like setting 'winbind max domain connections' to a value above 1 makes 'wbinfo -u'
> > no longer a threat, but it is pretty much ignored if 'winbind offline logon' is enabled...
> > Can anyone explain why? Because when auth can be broken so easily--just run 'wbinfo -u',
> > for which you don't even need elevated privileges--despite offline logon enabled,
> > that makes one wonder what is even the point of having that option.
> Well it *is* in the man page :-) :
> <para>This parameter specifies the maximum number of simultaneous
> connections that the <citerefentry><refentrytitle>winbindd</refentrytitle>
> <manvolnum>8</manvolnum></citerefentry> daemon should open to the
> domain controller of one domain.
> Setting this parameter to a value greater than 1 can improve
> scalability with many simultaneous winbind requests,
> some of which might be slow.
> </para>
> <para>
> Note that if <smbconfoption name="winbind offline logon"/> is set to
> <constant>Yes</constant>, then only one
> DC connection is allowed per domain, regardless of this setting.
> But I'll have to look into why this is. Obviously there's a reason :-).
I did see this snippet when the config options were mentioned. In fact, the very first thing I did was locate them in the man page. But with all due respect, it only answers the question of "what", not "why", and my question is exactly the "why": why is it that we cannot simultaneously have multiple connections to the DC allowed and still use offline logon? Is there a particular reason for that?
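An added example, not from this thread and not Samba's own code: a small POSIX sh/awk checker that reads an smb.conf and flags the interaction the quoted man page text describes, where 'winbind offline logon = yes' caps winbindd at one DC connection per domain regardless of 'winbind max domain connections'. It assumes the documented defaults (1 and no) when either parameter is absent from [global], and the configuration files it is run against in the test are constructed samples.

```shell
#!/bin/sh
# Added example: scan the [global] section of an smb.conf for the two
# winbind options discussed in the thread and warn when the connection
# limit would be silently ignored because offline logon is enabled.
# Plain POSIX sh + awk, so it runs without a Samba installation.

# Print the effective value of one [global] parameter, or nothing if unset.
# smb.conf parameter names are case-insensitive and tolerate extra spaces,
# so both the wanted name and the keys in the file are normalised.
get_global_param() {
    conf="$1"; want="$2"
    awk -v want="$want" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { insec = (norm($0) == "[global]"); next } # section header
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            if (norm(key) == norm(want)) {
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                last = val                                       # last assignment wins
            }
        }
        END { if (last != "") print last }
    ' "$conf"
}

# Return 0 when the two settings are consistent, 1 when the connection
# limit is overridden by offline logon (as the man page text states).
# Absent parameters fall back to the documented defaults:
# winbind max domain connections = 1, winbind offline logon = no.
check_winbind_conf() {
    conf="$1"
    maxconn=$(get_global_param "$conf" "winbind max domain connections")
    offline=$(get_global_param "$conf" "winbind offline logon")
    maxconn=${maxconn:-1}
    offline=$(printf '%s' "${offline:-no}" | tr 'A-Z' 'a-z')
    case "$offline" in
        yes|true|1) offline=yes ;;
        *)          offline=no ;;
    esac
    if [ "$offline" = yes ] && [ "$maxconn" -gt 1 ] 2>/dev/null; then
        echo "WARNING: 'winbind max domain connections = $maxconn' is ignored:" \
             "'winbind offline logon = yes' limits winbindd to one DC connection per domain" >&2
        return 1
    fi
    echo "OK: winbind offline logon=$offline, winbind max domain connections=$maxconn"
    return 0
}
```

Run it as `check_winbind_conf /etc/samba/smb.conf`. The checker reads the raw file and does not follow `include =` directives, so for the effective configuration feed it the output of `testparm -s` saved to a file instead.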