[sudo-users] sudo + sssd backend on FreeBSD 10.3 client

Miller, Vincent (Rick) vmiller at verisign.com
Mon Feb 12 08:19:35 MST 2018


I’m integrating a FreeBSD 10.3 client with FreeIPA using sssd. Everything works fine with the exception of sudo. Upon execution, sudo seems to iterate over /etc/netgroup, introducing slow performance, particularly with larger files. For example, tests illustrate a delay anywhere from 8 seconds to 2 minutes before a password prompt is returned [and the user is permitted to run sudo].

Host configuration is primarily based on my blog post[1], which is largely based on a FreeBSD forum post[2] where NSS configures the netgroup database sources without sss. Linux counterparts configure the netgroup database with sources “files sss” and do not exhibit slow performance. However, configuring the FreeBSD client likewise fails to yield similar results, though it still permits its use by the user.

The IPA service is not configured for sudoers ldap, but sssd is expected to return query results in the NIS triple structure for netgroups. This supports the lack of any delay on Linux, where NSS configures the database with sources “files sss”. Configuring the client without NSS’s netgroup database configured results in an immediate failure citing that the user is not allowed to run sudo. Likewise, configuring the netgroup database with only the source “sss” returns the same result.

The desired result here is that sudo would query sss for netgroups and return a password prompt immediately without iterating local files that cause delays. Admittedly, the details of the interface and architecture between sudo and sssd are probably not well understood.

Does sudo use the netgroup database to reconcile HBAC rules and does sudo support using “sss” as a source here? Am I missing something that mitigates the delay?

[1] https://blog.hostileadmin.com/2016/03/24/integrating-freebsd-w-freeipasssd/
[2] https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/

Vincent (Rick) Miller
UNIX Systems Engineer
vmiller at verisign.com
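Added example (editorial, not code from the post above or from sudo or sssd): a small model of the netgroup lookup that a "files" NSS source has to perform. sudoers(5) treats a "+name" User_List or Host_List entry as a netgroup and resolves it through innetgr(3); with /etc/netgroup as the source that means parsing the NIS (host,user,domain) triples and expanding nested netgroups on every lookup, which is the work that grows with the size of the file. The netgroup, host and user names are constructed for the example, and the sudoers matching function is a simplified model, not sudo's own code.

```python
"""Model of an /etc/netgroup lookup as performed for a sudoers "+netgroup"
entry. Added example: not from the original post, sudo or sssd. Names are
constructed; sudoers_user_matches() is a simplified model of sudo's matching."""
import re

# Constructed sample /etc/netgroup (hypothetical names). Format: one netgroup
# per line; members are (host,user,domain) triples or other netgroup names;
# an empty field is a wildcard and "-" never matches; "\" continues a line.
SAMPLE_NETGROUP = """\
# hosts that carry the web tier
webhosts (web1.example.com,,example.com) (web2.example.com,,example.com)
admins   (,alice,example.com) (,bob,example.com)
ops      admins (-,carol,) \\
         (web1.example.com,dave,example.com)
"""

TRIPLE_RE = re.compile(r"\(([^,)]*),([^,)]*),([^,)]*)\)")


def parse_netgroup(text):
    """Parse netgroup(5) text into {name: [members]}; a member is either a
    (host, user, domain) tuple or the bare name of a nested netgroup."""
    groups = {}
    for raw in text.replace("\\\n", " ").splitlines():   # join continuations
        line = raw.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        name, _, rest = line.partition(" ")
        members = []
        for tok in re.finditer(r"\([^)]*\)|\S+", rest):
            m = TRIPLE_RE.fullmatch(tok.group(0))
            if m:
                members.append(tuple(f.strip() for f in m.groups()))
            else:
                members.append(tok.group(0))             # nested netgroup
        groups[name] = members
    return groups


def expand(groups, name, seen=None):
    """Flatten a netgroup into its triples, recursing into nested netgroups.
    Unknown names and names already expanded are skipped, so a cycle in a
    bad file cannot loop forever."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return []
    seen.add(name)
    triples = []
    for member in groups[name]:
        if isinstance(member, tuple):
            triples.append(member)
        else:
            triples.extend(expand(groups, member, seen))
    return triples


def field_matches(pattern, value):
    """netgroup(5) field rules: empty matches anything, "-" matches nothing."""
    if pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern == value


def innetgr(groups, netgroup, host, user, domain):
    """Mirror innetgr(3): True if any triple of the expanded netgroup matches.
    None for host/user/domain means the caller does not constrain that field.
    Every call re-parses and re-expands, which is the cost that scales with
    the size of the file."""
    for h, u, d in expand(groups, netgroup):
        if (host is None or field_matches(h, host)) and \
           (user is None or field_matches(u, user)) and \
           (domain is None or field_matches(d, domain)):
            return True
    return False


def sudoers_user_matches(groups, spec, user, domain):
    """Simplified model (an assumption, not sudo's code) of matching one
    sudoers User_List entry: "+name" is a netgroup checked as
    innetgr(name, NULL, user, domain); otherwise ALL or a literal user name."""
    if spec.startswith("+"):
        return innetgr(groups, spec[1:], None, user, domain)
    return spec == "ALL" or spec == user


if __name__ == "__main__":
    g = parse_netgroup(SAMPLE_NETGROUP)
    for who in ("alice", "carol", "dave", "eve"):
        print(who, sudoers_user_matches(g, "+ops", who, "example.com"))
```

Running the block prints, for a sudoers entry such as "+ops ALL=(ALL) ALL", whether each constructed user would match the user part of the rule; the same innetgr() call with a host argument is what a "+netgroup" in the host part of a rule would need. To see how the lookup cost grows, append a few thousand extra netgroup lines to SAMPLE_NETGROUP and time innetgr(): each call re-scans the whole file, while an sss source answers the membership question from its own cache.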
