[SSSD-users] Re: Patch for sssd to fix recursion problems with Winbind (Samba Bug #13815)

On Fri, Aug 23, 2019 at 03:46:54PM +0200, Heiko Wundram wrote: > Hello list, > > for a deployment I'm administering, I'm using winbind and sssd in parallel, > both for different authentication sources (so it's not about their > interoperability, but rather about using them in parallel). It seems that > sssd has/had a bug which meant that winbind 4.8+ and sssd, if used together > as NSS sources, would, for unavailable accounts in both authentication > sources, lead to a DoS against winbind due to recursive calls of the NSS > infrastructure. I'm deploying winbind (for a Windows Domain) and sssd (for > an LDAP authentication source with client certificate authentication) on > Debian 10. > > Samba tracked this as bug #13815 > (https://bugzilla.samba.org/show_bug.cgi?id=13815), which contains a link to > a corresponding issue in the RedHat bugtracker > (https://bugzilla.redhat.com/show_bug.cgi?id=1666819), which supposedly > contains a patch for the behaviour; as the bug isn't open, I can neither see > what the patch actually is, nor can I prepare the patch for the Debian > packaging of sssd. > > Can anybody shed some light on what the patch is (and/or link to the commit > in Pagure), specifically also which published version the patch is contained > in, so that I might either decide to deploy updated sssd packages for > Debian, or even try to backport the patch to the Debian built-in version? I > can't find a means to search commits in Pagure, that's why I'm asking here, > but even just that would be helpful. > > Thanks in advance! the corresponding upstream tickets are: https://pagure.io/SSSD/sssd/issue/3963 and: https://pagure.io/SSSD/sssd/issue/3964

I /think/ it might be possible to work around the bug by setting: local_negative_timeout = 0 in the [nss] section.