[sudo-users] sudo + sssd backend on FreeBSD 10.3 client

[Todd C. Miller]

On Mon, 12 Feb 2018 15:19:35 +0000, "Miller, Vincent \(Rick\) via sudo-users" w
rote:

> I'm integrating a FreeBSD 10.3 client with FreeIPA using sssd.
> Everything works fine with the exception of sudo. Upon execution,
> sudo seems to iterate over /etc/netgroup introducing slow performance
> particularly with larger files. For example, tests illustrate a
> delay anywhere from 8 seconds to 2 minutes be fore a password prompt
> is returned [and the user is permitted to run sudo].

You don't say whether or not your sudoers file uses netgroups.  If
you are using file-based sudoers (not the LDAP or sss backends),
sudo will only check netgroup membership if there are netgroups in
the sudoers file.  If no netgroups are listed in sudoers, sudo won't
perform any /etc/netgroup lookups directly.

Sudo uses the C library function innetgr() to determine whether or
not a user or host is a member of the netgroup listed in sudoers.
There is no API to fetch all the netgroups a specific user or host
is a member of so this may result in iterating over the netgroup
file, depending on how FreeBSD implements netgroups.  Unlike most
systems, FreeBSD implements netgroups as a flat file and not a
database file.  This means that it must parse the entire netgroup
file for each netgroup lookup.  For large netgroup files this can
be very slow.  This is a FreeBSD-specific problem.

> Host configuration is primarily based on my blog post[1], which is
> largely based on a FreeBSD forum post[2] where NSS configures the
> netgroup database sources without sss. Linux counterparts configure
> the netgroup database with sources "files sss" and do not exhibit
> slow performance. However, configuring the FreeBSD client likewise
> fails to yield similar results though still permits its use by the
> user.

So you have put host groups in the local /etc/netgroup file as in
that forum post?  That may be the source of the slowdown if the
netgroup file has grown to be large.

 - todd