[Samba] Prevent `wbinfo -u` from making Winbind unresponsive

Alexey A Nikitin nikitin at amazon.com
Mon Apr 13 17:06:06 UTC 2020

On Friday, 10 April 2020 14:37:45 PDT Jeremy Allison wrote:
> On Fri, Apr 03, 2020 at 03:26:42PM -0700, Alexey A Nikitin via samba wrote:
> > Well, looks like setting 'winbindf max domain connections' to a value above 1 makes 'wbinfo -u'
> > no longer a threat, but it is pretty much ignored if 'winbind offline logon' is enabled...
> > Can anyone explain why? Because when auth can be broken so easily--just run 'wbinfo -u',
> > for which you don't even need elevated privileges--despite offline logon enabled,
> > that makes one wonder what is even the point of having that option.
> Well it *is* in the man page :-) :
> docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml
>   7         <para>This parameter specifies the maximum number of simultaneous
>   8         connections that the <citerefentry><refentrytitle>winbindd</refentrytitle>
>   9         <manvolnum>8</manvolnum></citerefentry> daemon should open to the
>  10         domain controller of one domain.
>  11         Setting this parameter to a value greater than 1 can improve
>  12         scalability with many simultaneous winbind requests,
>  13         some of which might be slow.
>  14         </para>
>  15         <para>
>  16         Note that if <smbconfoption name="winbind offline logon"/> is set to
>  17         <constant>Yes</constant>, then only one
>  18         DC connection is allowed per domain, regardless of this setting.
> But I'll have to look into why this is. Obviously there's a reason :-).

I did see this snippet when the config options were mentioned. In fact, the very first thing I did was locate them in the man page. But with all due respect, it only answers the question of "what", not "why", and my question is exactly the "why" - why is it that we cannot simultaneously have multiple connections to DC allowed and still use offline logon, is there a particular reason for that?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.samba.org/pipermail/samba/attachments/20200413/5d25d517/signature.sig>

More information about the samba mailing list