Bug 14710 - Problem with AD membership in an AD with more the 100.000 group (possible regression in 4.12?)
Summary: Problem with AD membership in an AD with more the 100.000 group (possible reg...
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.12.14
Hardware: All Linux
: P5 regression (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 14717
Blocks:
  Show dependency treegraph
 
Reported: 2021-05-19 05:54 UTC by maurer
Modified: 2021-06-02 04:47 UTC (History)
2 users (show)

See Also:


Attachments
gdb trace (4.12 KB, text/plain)
2021-05-19 05:54 UTC, maurer
no flags Details
full gdb backtrace (4.12.3) (7.58 KB, text/plain)
2021-05-19 05:54 UTC, maurer
no flags Details
full_gdb_backtrace_with_patched_winbind.idl (8.07 KB, text/plain)
2021-05-20 06:37 UTC, maurer
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description maurer 2021-05-19 05:54:21 UTC
Created attachment 16614 [details]
gdb trace

I am  trying to run a wbinfo -g on an AD memberserver in an  AD with more the 100.000 groups and it shows no output

The samba logs shows
  list_groups XXX
[2021/05/17 14:21:49.826967,  1] ../../librpc/ndr/ndr.c:632(_ndr_pull_error)
  ndr_pull_array_size: ndr_pull_error(Range Error): More than 65535 NDR tokens stored for array_size at ../../librpc/ndr/ndr.c:1093

the wbinfo -g is still working with samba-4.10 on CentOS-7.
I am wondering it thhe following change

https://github.com/samba-team/samba/commit/7a0ed44b0e65e742a778915d493e17f04c43b2ef#diff-6a1478caa948ca1d186a648c470ded02699da3705181b633232d582a7c73576d

/*
 * This value is arbitary, but designed to reduce the memory a client
 * can allocate and the work the client can force in processing a
 * malicious packet.
 *
 * In an ideal world this would be controlled by range() restrictions
 * on array sizes and careful IDL construction to avoid arbitary
 * linked lists, but this is a backstop for now.
 */
#define NDR_TOKEN_MAX_LIST_SIZE 65535


Increasing this value solves the problem
Comment 1 maurer 2021-05-19 05:54:49 UTC
Created attachment 16615 [details]
full gdb backtrace (4.12.3)
Comment 2 maurer 2021-05-20 06:37:19 UTC
Created attachment 16620 [details]
full_gdb_backtrace_with_patched_winbind.idl
Comment 3 Andrew Bartlett 2021-05-21 22:27:20 UTC
Yes, this is a regression from the DoS mitigation efforts in 7a0ed44b0e65e742a778915d493e17f04c43b2ef
Comment 4 Samba QA Contact 2021-06-02 04:47:03 UTC
This bug was referenced in samba master:

e583140e81bce9853ccb86370a2143c8b27b4984
0cc4478070b9c980d653adf31647dd541cf4be22
c35f4180a44eb3caecad0f2daab46574bc52be83
40aabcb5cf76ff076e04bff00f4ff0b4374f2354
139cca7c206efc6c6e9a93fd4045285f25117414
a7d4f93cfdee0a2005be11880f8dd31f55149369
3bc680c1e38bef75d5b212992e15f094c523923b