[sudo-users] sudo 1.6.8p9 making copious netgroup requests to Sun ONE LDAP server
Morgan, Chris
Chris.Morgan at rbccm.com
Wed Nov 8 04:29:49 EST 2006
I'm having a problem with every sudo command making hundreds of requests
to the LDAP server each time it is called. This is my configuration:
Solaris Sparc 8/9/10 & x86 10
Sudo version 1.6.8p9
Sun ONE LDAP server 5.2 p4
The problem is readily reproducible on ALL my Solaris servers
irrespective of OS version or architecture. The problem is NOT evident
on any HP or Redhat servers.
Each time I run sudo from any Solaris server, I register literally
hundreds of hits such as the following on the LDAP server:
[08/Nov/2006:08:55:52 +0000] conn=9132643 op=1 msgId=2 - SRCH base="ou=netgroup,dc=mycompany,dc=mydomain,dc=com" scope=2 filter="(&(objectClass=nisNetGroup)(nisNetgroupTriple=netgroup_name_here))" attrs="cn nisNetgroupTriple"
There is a hit for each netgroup in the LDAP database - it seems to be
looping through all the netgroups that exist (in this example, I've
substituted the string netgroup_name_here). The net result is not only
that sudo commands take forever to execute but there is a huge load on
the LDAP server too (we use sudo heavily on our Solaris servers).
The problem is compounded by the fact that nscd doesn't cache netgroup
hits.
Below are my configuration files. I'm at a loss as to explain why sudo
is behaving this way. I've tried to re-compile the latest version but I
continue to get the same results.
Any suggestions?
- CDM
/etc/nsswitch.conf:
passwd: compat
passwd_compat: ldap
group: files ldap
hosts: files dns
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files
aliases: files
services: files
sendmailvars: files
auth_attr: files
exec_attr: files
prof_attr: files
user_attr: files
audit_user: files
project: files
/etc/pam.conf:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
/etc/passwd (relevant netgroup-related entries):
+@netgroup1:x:::::
+@netgroup2:x:::::
+:x:::::/bin/false
-:x:::::
/etc/nscd.conf:
logfile /var/adm/nscd.log
enable-cache hosts yes
enable-cache passwd yes
enable-cache group yes
debug-level 0
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 2000
keep-hot-count passwd 200
old-data-ok passwd no
check-files passwd yes
positive-time-to-live group 3600
negative-time-to-live group 20
suggested-size group 2000
keep-hot-count group 200
old-data-ok group no
check-files group yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 2000
keep-hot-count hosts 200
old-data-ok hosts no
check-files hosts yes
positive-time-to-live ipnodes 3600
negative-time-to-live ipnodes 20
suggested-size ipnodes 2000
keep-hot-count ipnodes 200
old-data-ok ipnodes no
check-files ipnodes yes
positive-time-to-live exec_attr 3600
negative-time-to-live exec_attr 20
suggested-size exec_attr 2000
keep-hot-count exec_attr 200
old-data-ok exec_attr no
check-files exec_attr yes
positive-time-to-live prof_attr 3600
negative-time-to-live prof_attr 20
suggested-size prof_attr 2000
keep-hot-count prof_attr 200
old-data-ok prof_attr no
check-files prof_attr yes
positive-time-to-live user_attr 3600
negative-time-to-live user_attr 20
suggested-size user_attr 2000
keep-hot-count user_attr 200
old-data-ok user_attr no
check-files user_attr yes
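An added example, not part of the original post and not sudo's or Sun's code, for checking the pattern described above against the directory server's own access log: a Python script that parses SRCH lines in the format quoted in the message, keeps only the searches against the netgroup container, and reports per LDAP connection how many searches were issued and how many distinct netgroup values were probed, so a single client that walks every netgroup in turn stands out from one doing a targeted membership test. The log lines inside the block are constructed to mimic the quoted format (they are not real data); the base DN is taken from the post, while the netgroup names, connection numbers and the "full walk" threshold are assumptions.

```python
"""Summarise netgroup searches in a Sun ONE Directory Server access log.

Added example, not code from the original post or from sudo. It parses SRCH
lines in the format quoted in the message and groups them by LDAP connection
so that one client that probes every netgroup in turn is visible.
"""
import re
from collections import defaultdict

# Netgroup container, taken from the search base quoted in the post.
NETGROUP_BASE = "ou=netgroup,dc=mycompany,dc=mydomain,dc=com"

# SRCH access-log line as quoted in the post: timestamp, conn, op, msgId,
# then base/scope/filter/attrs. attrs is optional in case a line lacks it.
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+msgId=(?P<msgid>\d+)'
    r'\s+-\s+SRCH\s+base="(?P<base>[^"]*)"\s+scope=(?P<scope>\d)'
    r'\s+filter="(?P<filter>[^"]*)"(?:\s+attrs="(?P<attrs>[^"]*)")?'
)

# The value tested in the filter: either a bare name (as in the post, where the
# author substituted netgroup_name_here) or a parenthesised (host,user,domain)
# triple, which is what a nisNetgroupTriple attribute normally holds.
TRIPLE_RE = re.compile(r'\(nisNetgroupTriple=(\([^)]*\)|[^)]*)\)')


def parse_srch(line):
    """Return a dict for a SRCH line, or None for any other log line."""
    m = SRCH_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn", "op", "msgid", "scope"):
        rec[key] = int(rec[key])
    t = TRIPLE_RE.search(rec["filter"])
    rec["netgroup"] = t.group(1) if t else None
    return rec


def summarise(lines, netgroup_base=NETGROUP_BASE):
    """Per-connection counts of searches issued under the netgroup container."""
    per_conn = defaultdict(list)
    for line in lines:
        rec = parse_srch(line)
        if rec and rec["base"].lower() == netgroup_base.lower():
            per_conn[rec["conn"]].append(rec)
    report = {}
    for conn, recs in per_conn.items():
        names = [r["netgroup"] for r in recs if r["netgroup"] is not None]
        report[conn] = {
            "searches": len(recs),
            "distinct_netgroups": len(set(names)),
            "repeated": len(names) - len(set(names)),  # same value probed again
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
        }
    return report


def scan_connections(report, threshold=5):
    """Connections whose search count looks like a walk over all netgroups.

    The threshold is an assumption: a membership test for one user should
    need only a handful of searches, while the post reports hundreds per run.
    """
    return sorted(c for c, r in report.items() if r["searches"] >= threshold)


# ---- constructed sample log (not real data) ---------------------------------
def _srch_line(conn, op, name, base=NETGROUP_BASE):
    return (f'[08/Nov/2006:08:55:52 +0000] conn={conn} op={op} msgId={op + 1} - SRCH '
            f'base="{base}" scope=2 '
            f'filter="(&(objectClass=nisNetGroup)(nisNetgroupTriple={name}))" '
            f'attrs="cn nisNetgroupTriple"')


SAMPLE_LOG = (
    # one client walking eight netgroups on a single connection, one of them twice
    [_srch_line(9132643, op, f"ng{op}") for op in range(1, 9)]
    + [_srch_line(9132643, 9, "ng2")]
    # a second client doing a single, targeted lookup with a real triple
    + [_srch_line(9132650, 1, "(host1,alice,mycompany.com)")]
    # a search outside the netgroup container and a non-SRCH op are ignored
    + ['[08/Nov/2006:08:55:53 +0000] conn=9132651 op=1 msgId=2 - SRCH '
       'base="ou=people,dc=mycompany,dc=mydomain,dc=com" scope=2 '
       'filter="(&(objectClass=posixAccount)(uid=chris))" attrs="uid"']
    + ['[08/Nov/2006:08:55:53 +0000] conn=9132643 op=10 msgId=11 - UNBIND']
)


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for conn in sorted(report):
        r = report[conn]
        print(f'conn={conn} searches={r["searches"]} distinct={r["distinct_netgroups"]} '
              f'repeated={r["repeated"]} {r["first"]} .. {r["last"]}')
    print("full-walk candidates:", scan_connections(report))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a connection that shows one search per netgroup in the directory, with the count roughly equal to the number of netgroup entries, is the per-sudo-call loop the post describes, and a non-zero "repeated" figure is what a netgroup cache in nscd would have absorbed.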