On (23/08/19 15:56), Jakub Hrozek wrote:
>On Fri, Aug 23, 2019 at 03:46:54PM +0200, Heiko Wundram wrote:
>> Hello list,
>>
>> for a deployment I'm administering, I'm using winbind and sssd in parallel,
>> both for different authentication sources (so it's not about their
>> interoperability, but rather about using them in parallel). It seems that
>> sssd has/had a bug which meant that winbind 4.8+ and sssd, if used together
>> as NSS sources, would, for unavailable accounts in both authentication
>> sources, lead to a DoS against winbind due to recursive calls of the NSS
>> infrastructure. I'm deploying winbind (for a Windows Domain) and sssd (for
>> an LDAP authentication source with client certificate authentication) on
>> Debian 10.
>>
>> Samba tracked this as bug #13815
>> (https://bugzilla.samba.org/show_bug.cgi?id=13815), which contains a link to
>> a corresponding issue in the RedHat bugtracker
>> (https://bugzilla.redhat.com/show_bug.cgi?id=1666819), which supposedly
>> contains a patch for the behaviour; as the bug isn't open, I can neither see
>> what the patch actually is, nor can I prepare the patch for the Debian
>> packaging of sssd.
>>
>> Can anybody shed some light on what the patch is (and/or link to the commit
>> in Pagure), specifically also which published version the patch is contained
>> in, so that I might either decide to deploy updated sssd packages for
>> Debian, or even try to backport the patch to the Debian built-in version? I
>> can't find a means to search commits in Pagure, that's why I'm asking here,
>> but even just that would be helpful.
>>
>> Thanks in advance!
>
>the corresponding upstream tickets are:
> https://pagure.io/SSSD/sssd/issue/3963
>and:
> https://pagure.io/SSSD/sssd/issue/3964
>
If you do not want to backport so many patches, or upgrading to a newer version is a problem, then the simplest change will be to change the value of CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT_DEFAULT from 14400 -> 0
It was introduced in 1.16.2 https://pagure.io/SSSD/sssd/issue/3619

>I /think/ it might be possible to work around the bug by setting:
> local_negative_timeout = 0
>in the [nss] section.

Yep, that's the workaround in sssd.conf.

LS
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
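As an added example (not code from the thread's authors or from the sssd project): a small audit script that checks whether a host is in the configuration the thread describes as triggering the recursion, i.e. `sss` and `winbind` both listed as sources for the passwd or group database in nsswitch.conf, while the `[nss]` `local_negative_timeout` in sssd.conf is still non-zero. The 14400 default is the value quoted in the thread for CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT_DEFAULT; the nsswitch.conf and sssd.conf contents embedded below are constructed samples, not real host files, and the assumption that sssd.conf is plain INI with an `[nss]` section is mine.

```python
"""Audit helper for the winbind + sssd NSS recursion issue discussed above.

Added example, not code from the sssd project or the thread's authors.
Assumes sssd.conf is a plain INI file with an [nss] section and that
nsswitch.conf uses the standard 'database: source source ...' layout.
The default of 14400 seconds is the value quoted in the thread for
CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT_DEFAULT.
"""
import configparser
import re

DEFAULT_LOCAL_NEGATIVE_TIMEOUT = 14400  # sssd default per the thread (seconds)

# Constructed sample inputs for the example (not real host files).
NSSWITCH_BOTH = """\
passwd:         files systemd sss winbind
group:          files systemd sss winbind
shadow:         files sss
hosts:          files dns
"""

SSSD_CONF_DEFAULT = """\
[sssd]
services = nss, pam
domains = ldap

[nss]

[domain/ldap]
id_provider = ldap
"""

SSSD_CONF_WORKAROUND = """\
[sssd]
services = nss, pam
domains = ldap

[nss]
local_negative_timeout = 0

[domain/ldap]
id_provider = ldap
"""


def nss_sources(nsswitch_text, database):
    """Return the list of sources configured for one NSS database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if m and m.group(1) == database:
            # Drop [NOTFOUND=return]-style action tokens, keep source names.
            return [t for t in m.group(2).split() if not t.startswith("[")]
    return []


def local_negative_timeout(sssd_conf_text):
    """Effective [nss] local_negative_timeout, falling back to sssd's default."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf_text)
    if cp.has_option("nss", "local_negative_timeout"):
        return int(cp.get("nss", "local_negative_timeout"))
    return DEFAULT_LOCAL_NEGATIVE_TIMEOUT


def needs_workaround(nsswitch_text, sssd_conf_text):
    """True when sss and winbind share the passwd or group database and the
    local negative cache timeout is still non-zero, i.e. the combination the
    thread describes as leading to recursive NSS calls."""
    shared = any(
        {"sss", "winbind"} <= set(nss_sources(nsswitch_text, db))
        for db in ("passwd", "group")
    )
    return shared and local_negative_timeout(sssd_conf_text) != 0


if __name__ == "__main__":
    for label, conf in (("default", SSSD_CONF_DEFAULT),
                        ("workaround", SSSD_CONF_WORKAROUND)):
        print(label, "needs workaround:", needs_workaround(NSSWITCH_BOTH, conf))
```

On a real host, read `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` (the latter is root-only, mode 0600) and pass their contents to `needs_workaround`; a `True` result means the host still relies on the 14400-second default and the `local_negative_timeout = 0` workaround from the thread has not been applied.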
