On Fri, Aug 23, 2019 at 03:46:54PM +0200, Heiko Wundram wrote:
> Hello list,
> 
> for a deployment I'm administering, I'm using winbind and sssd in parallel,
> both for different authentication sources (so it's not about their
> interoperability, but rather about using them in parallel). It seems that
> sssd has/had a bug which meant that winbind 4.8+ and sssd, if used together
> as NSS sources, would, for unavailable accounts in both authentication
> sources, lead to a DoS against winbind due to recursive calls of the NSS
> infrastructure. I'm deploying winbind (for a Windows Domain) and sssd (for
> an LDAP authentication source with client certificate authentication) on
> Debian 10.
> 
> Samba tracked this as bug #13815
> (https://bugzilla.samba.org/show_bug.cgi?id=13815), which contains a link to
> a corresponding issue in the Red Hat bugtracker
> (https://bugzilla.redhat.com/show_bug.cgi?id=1666819), which supposedly
> contains a patch for the behaviour; as the bug isn't open, I can neither see
> what the patch actually is, nor can I prepare the patch for the Debian
> packaging of sssd.
> 
> Can anybody shed some light on what the patch is (and/or link to the commit
> in Pagure), specifically also which published version the patch is contained
> in, so that I might either decide to deploy updated sssd packages for
> Debian, or even try to backport the patch to the Debian built-in version? I
> can't find a means to search commits in Pagure, that's why I'm asking here,
> but even just that would be helpful.
> 
> Thanks in advance!

The corresponding upstream tickets are:
    https://pagure.io/SSSD/sssd/issue/3963
and:
    https://pagure.io/SSSD/sssd/issue/3964

I /think/ it might be possible to work around the bug by setting:
    local_negative_timeout = 0
in the [nss] section.
_______________________________________________
sssd-users mailing list