[sudo-users] sudo on Solaris 10 non global zone with Powerbroker Open 7

Martin, Jeff Jeff.Martin at tais.toshiba.com
Wed Jun 27 15:17:42 EDT 2012


Todd,
I disabled lsass in /etc/nsswitch.conf for groups and it's now as fast as we are used to.
However, wouldn't it be bad to leave it disabled?

Jeff


-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: Wednesday, June 27, 2012 12:16 PM
To: Martin, Jeff; sudo-users at sudo.ws
Subject: Re: [sudo-users] sudo on Solaris 10 non global zone with Powerbroker Open 7

On Wed, 27 Jun 2012 15:03:48 EDT, "Todd C. Miller" wrote:

> It is possible that the problem is with the Powerbroker Open nss
> module when resolving groups.  You could try using local groups
> file in /etc/nsswitch.conf and see if sudo returns more quickly.

Alternately, you could create /etc/sudo.conf with a line like:

Debug sudo /var/log/sudo_debug nss@trace

then run a sudo command.  If you look in /var/log/sudo_debug
for the lines that contain:

    -> make_grlist_item

and

    <- make_grlist_item 

and compare the timestamps for the -> (function entered) and <-
(function exit) lines, if you see that function taking several
minutes then the problem is with group ID to name resolution in the
Powerbroker Open nss module.

 - todd
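
The timestamp comparison described above can be scripted. This is an added example, not part of the original thread or of sudo itself. It assumes each debug line begins with a syslog-style `Mon DD HH:MM:SS` timestamp followed by `program[pid]`; the sample lines are constructed, and the 5-second threshold and the `year` parameter (the log carries no year) are arbitrary choices.

```python
import re
from datetime import datetime, timedelta

# Assumed layout: "Jun 27 15:03:48 sudo[4021] -> make_grlist_item @ ./pwutil.c:500"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\S+\[(?P<pid>\d+)\] (?P<dir>->|<-) (?P<func>\w+)"
)

def slow_calls(lines, func="make_grlist_item",
               threshold=timedelta(seconds=5), year=2012):
    """Pair '->' and '<-' trace lines for func, per PID, and return
    [(pid, entered, duration)] for every call at or above threshold."""
    pending = {}  # pid -> stack of entry timestamps still waiting for an exit
    slow = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or m["func"] != func:
            continue
        # Prepend a year so that parsing is unambiguous (e.g. Feb 29).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        stack = pending.setdefault(m["pid"], [])
        if m["dir"] == "->":
            stack.append(ts)
        elif stack:  # ignore an exit line whose entry was never logged
            entered = stack.pop()
            if ts - entered >= threshold:
                slow.append((int(m["pid"]), entered, ts - entered))
    return slow

# Constructed sample lines, not taken from a real sudo_debug file.
SAMPLE = """\
Jun 27 15:03:48 sudo[4021] -> make_grlist_item @ ./pwutil.c:500
Jun 27 15:03:48 sudo[4021] <- make_grlist_item @ ./pwutil.c:560 := 8a2f0
Jun 27 15:03:48 sudo[4021] -> make_grlist_item @ ./pwutil.c:500
Jun 27 15:06:11 sudo[4021] <- make_grlist_item @ ./pwutil.c:560 := 8a2f0
Jun 27 15:06:11 sudo[4021] -> sudo_getgrgid @ ./pwutil.c:700
""".splitlines()

if __name__ == "__main__":
    for pid, entered, took in slow_calls(SAMPLE):
        print(f"pid {pid}: entered {entered:%b %d %H:%M:%S}, took {took}")
```

To check a real log, pass `open("/var/log/sudo_debug")` instead of `SAMPLE`; any call it reports spent that long in group lookup.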

