Hello list,
for a deployment I'm administering, I'm using winbind and sssd in parallel, both for different authentication sources (so it's not about their interoperability, but rather about using them in parallel). It seems that sssd has/had a bug which meant that winbind 4.8+ and sssd, if used together as NSS sources, would, for unavailable accounts in both authentication sources, lead to a DoS against winbind due to recursive calls of the NSS infrastructure. I'm deploying winbind (for a Windows Domain) and sssd (for an LDAP authentication source with client certificate authentication) on Debian 10.
Samba tracked this as bug #13815 (https://bugzilla.samba.org/show_bug.cgi?id=13815), which contains a link to a corresponding issue in the RedHat bugtracker (https://bugzilla.redhat.com/show_bug.cgi?id=1666819), which supposedly contains a patch for the behaviour; as the bug isn't open, I can neither see what the patch actually is, nor can I prepare the patch for the Debian packaging of sssd.
Can anybody shed some light on what the patch is (and/or link to the commit in Pagure), specifically also which published version the patch is contained in, so that I might either decide to deploy updated sssd packages for Debian, or even try to backport the patch to the Debian built-in version? I can't find a means to search commits in Pagure, that's why I'm asking here, but even just that would be helpful.
Thanks in advance!
On Fri, Aug 23, 2019 at 03:46:54PM +0200, Heiko Wundram wrote:
the corresponding upstream tickets are: https://pagure.io/SSSD/sssd/issue/3963 and: https://pagure.io/SSSD/sssd/issue/3964
I /think/ it might be possible to work around the bug by setting: local_negative_timeout = 0 in the [nss] section.
On (23/08/19 15:56), Jakub Hrozek wrote:
On Fri, Aug 23, 2019 at 03:46:54PM +0200, Heiko Wundram wrote:
the corresponding upstream tickets are: https://pagure.io/SSSD/sssd/issue/3963 and: https://pagure.io/SSSD/sssd/issue/3964
If you do not want to backport so many patches, or upgrading to a newer version is a problem, then the simplest change will be to change the value of CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT_DEFAULT from 14400 -> 0
It was introduced in 1.16.2 https://pagure.io/SSSD/sssd/issue/3619
I /think/ it might be possible to work around the bug by setting: local_negative_timeout = 0 in the [nss] section.
Yep, that's the workaround in sssd.conf.
LS
sssd-users@lists.fedorahosted.org
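As an added check (not code from the thread, sssd or Samba), the following Python script audits a host for the combination discussed above: both winbind and sss listed as NSS sources for passwd/group in nsswitch.conf while local_negative_timeout in the [nss] section of sssd.conf is left at its 14400-second default rather than the suggested 0. The nsswitch.conf and sssd.conf contents are constructed samples.

```python
"""Flag hosts exposed to the winbind + sssd NSS recursion issue (Samba bug
#13815, SSSD issues #3963/#3964). Added example; assumes the thread's two facts:
the problem needs both 'winbind' and 'sss' as NSS sources, and the workaround
is local_negative_timeout = 0 in [nss] (upstream default: 14400 seconds)."""
import configparser

DEFAULT_LOCAL_NEG_TIMEOUT = 14400  # CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT_DEFAULT, per the thread


def nss_sources(nsswitch_text):
    """Return {database: [source, ...]} parsed from nsswitch.conf content."""
    sources = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # Skip action tokens such as [NOTFOUND=return]; keep plain source names.
        sources[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return sources


def local_negative_timeout(sssd_conf_text):
    """Effective [nss] local_negative_timeout; missing key/section means the default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    return cp.getint("nss", "local_negative_timeout", fallback=DEFAULT_LOCAL_NEG_TIMEOUT)


def exposed(nsswitch_text, sssd_conf_text):
    """True when winbind and sss share a passwd or group database and the
    local_negative_timeout workaround is not applied."""
    sources = nss_sources(nsswitch_text)
    both = any({"winbind", "sss"} <= set(sources.get(db, [])) for db in ("passwd", "group"))
    return both and local_negative_timeout(sssd_conf_text) != 0


# Constructed sample configuration files (not from the thread's deployment).
NSSWITCH_SAMPLE = "passwd: files sss winbind\ngroup:  files sss winbind\nshadow: files\n"
SSSD_BEFORE = "[sssd]\nservices = nss, pam\ndomains = ldap\n[nss]\n[domain/ldap]\nid_provider = ldap\n"
SSSD_AFTER = SSSD_BEFORE.replace("[nss]\n", "[nss]\nlocal_negative_timeout = 0\n")

if __name__ == "__main__":
    print("exposed before workaround:", exposed(NSSWITCH_SAMPLE, SSSD_BEFORE))  # True
    print("exposed after workaround: ", exposed(NSSWITCH_SAMPLE, SSSD_AFTER))   # False
```

On a real host, feed it the contents of /etc/nsswitch.conf and /etc/sssd/sssd.conf (the latter is root-readable only).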