Hello list,
for a deployment I'm administering, I'm using winbind and sssd in parallel,
both for different authentication sources (so it's not about their
interoperability, but rather about using them in parallel). It seems that
sssd has/had a bug which meant that winbind 4.8+ and sssd, if used together
as NSS sources, would, for unavailable accounts in both authentication
sources, lead to a DoS against winbind due to recursive calls of the NSS
infrastructure. I'm deploying winbind (for a Windows Domain) and sssd (for
an LDAP authentication source with client certificate authentication) on
Debian 10.
Samba tracked this as bug #13815
(https://bugzilla.samba.org/show_bug.cgi?id=13815), which contains a link to
a corresponding issue in the Red Hat bugtracker
(https://bugzilla.redhat.com/show_bug.cgi?id=1666819), which supposedly
contains a patch for the behaviour; as the bug isn't open, I can neither see
what the patch actually is, nor can I prepare the patch for the Debian
packaging of sssd.
Can anybody shed some light on what the patch is (and/or link to the commit
in Pagure), specifically also which published version the patch is contained
in, so that I might either decide to deploy updated sssd packages for
Debian, or even try to backport the patch to the Debian built-in version? I
can't find a means to search commits in Pagure, that's why I'm asking here,
but even just that would be helpful.
Thanks in advance!
I /think/ it might be possible to work around the bug by setting:
local_negative_timeout = 0
in the [nss] section.