On Fri, Aug 23, 2019 at 03:46:54PM +0200, Heiko Wundram wrote:
> Hello list,
>
> for a deployment I'm administering, I'm using winbind and sssd in parallel,
> both for different authentication sources (so it's not about their
> interoperability, but rather about using them in parallel). It seems that
> sssd has/had a bug which meant that winbind 4.8+ and sssd, if used together
> as NSS sources, would, for unavailable accounts in both authentication
> sources, lead to a DoS against winbind due to recursive calls of the NSS
> infrastructure. I'm deploying winbind (for a Windows Domain) and sssd (for
> an LDAP authentication source with client certificate authentication) on
> Debian 10.
>
> Samba tracked this as bug #13815
> (https://bugzilla.samba.org/show_bug.cgi?id=13815), which contains a link to
> a corresponding issue in the RedHat bugtracker
> (https://bugzilla.redhat.com/show_bug.cgi?id=1666819), which supposedly
> contains a patch for the behaviour; as the bug isn't open, I can neither see
> what the patch actually is, nor can I prepare the patch for the Debian
> packaging of sssd.
>
> Can anybody shed some light on what the patch is (and/or link to the commit
> in Pagure), specifically also which published version the patch is contained
> in, so that I might either decide to deploy updated sssd packages for
> Debian, or even try to backport the patch to the Debian built-in version? I
> can't find a means to search commits in Pagure, that's why I'm asking here,
> but even just that would be helpful.
>
> Thanks in advance!

The corresponding upstream tickets are:
https://pagure.io/SSSD/sssd/issue/3963
and:
https://pagure.io/SSSD/sssd/issue/3964
If you do not want to backport so many patches,
or upgrading to a newer version is a problem, then the simplest change
will be to change the value of CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT_DEFAULT
from 14400 -> 0.
It was introduced in 1.16.2.
I /think/ it might be possible to work around the bug by setting:
local_negative_timeout = 0
in the [nss] section.