Hello list,
for a deployment I'm administering, I'm using winbind and sssd in
parallel, both for different authentication sources (so it's not about
their interoperability, but rather about using them in parallel). It
seems that sssd has/had a bug which meant that winbind 4.8+ and sssd, if
used together as NSS sources, would, for unavailable accounts in both
authentication sources, lead to a DoS against winbind due to recursive
calls of the NSS infrastructure. I'm deploying winbind (for a Windows
Domain) and sssd (for an LDAP authentication source with client
certificate authentication) on Debian 10.
Samba tracked this as bug #13815
(https://bugzilla.samba.org/show_bug.cgi?id=13815), which contains a
link to a corresponding issue in the RedHat bugtracker
(https://bugzilla.redhat.com/show_bug.cgi?id=1666819), which supposedly
contains a patch for the behaviour; as the bug isn't open, I can neither
see what the patch actually is, nor can I prepare the patch for the
Debian packaging of sssd.
Can anybody shed some light on what the patch is (and/or link to the
commit in Pagure), specifically also which published version the patch
is contained in, so that I might either decide to deploy updated sssd
packages for Debian, or even try to backport the patch to the Debian
built-in version? I can't find a means to search commits in Pagure,
that's why I'm asking here, but even just that would be helpful.
Thanks in advance!
--
--- Heiko Wundram.