[sudo-users] sudo + sssd backend on FreeBSD 10.3 client

Todd C. Miller Todd.Miller at sudo.ws
Tue Feb 13 10:34:28 MST 2018


On Tue, 13 Feb 2018 15:38:42 +0000, "Miller, Vincent (Rick)" wrote:

> Whoops, the sudoers file does not use netgroups and contains only two rules:
>
> root ALL=(ALL) ALL
> %wheel ALL=(ALL) ALL
>
> As described in the blog and forums posts, relevant bits of nsswitch.conf are
>  configured:
>
> # grep sss /etc/nsswitch.conf
> group: files sss
> passwd: files sss
> sudoers: sss files
> netgroup: files

Just to be clear, you still get the slowdown with:

sudoers: files

as well?  You only need to list sss in the sudoers nsswitch.conf
entry if you are using LDAP-based sudoers with sss and it doesn't
sound like you are doing that.

When sudo starts up it does query all the groups for the invoking
user but I would not expect that to involve the netgroups file
unless sss stores AD groups as netgroups.

You can limit sudo to the group list stored in the kernel for the
user with a line like the following in sudo.conf:

Set group_source static

It is also possible to log debugging info about what sudo is doing.
For example, in sudo.conf:

Debug sudo /var/log/sudo_debug all at debug
Debug sudoers.so /var/log/sudoers_debug all at debug

This will include logging of the internal sudo functions called.
When you see the pause before the password prompt, the last few
lines of those two log files should let me know where sudo is
spending its time.

 - todd
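As an added example (not part of Todd's message or of sudo itself), a small shell function that does the "where is sudo spending its time" reading of the debug logs mechanically: it scans a sudo debug log and reports the largest gap between consecutive entries. It assumes the "Debug ... all@debug" line format `Mon DD HH:MM:SS sudo[pid] message` with one-second timestamps and no date rollover inside the file; the log lines below are constructed.

```shell
#!/bin/sh
# largest_gap: read sudo debug log lines on stdin and print
# "SECONDS<TAB>line before<TAB>line after" for the longest pause between
# two consecutive entries. Assumed line format (from a sudo.conf line such as
# "Debug sudo /var/log/sudo_debug all@debug"):
#   Mon DD HH:MM:SS sudo[pid] message
# Field 3 is HH:MM:SS; the day is ignored, so a log that crosses midnight
# would need the date folded in as well.
largest_gap() {
    awk '
    function secs(h, m, s) { return h * 3600 + m * 60 + s }
    BEGIN { best = -1 }
    {
        split($3, t, ":")
        now = secs(t[1], t[2], t[3])
        if (NR > 1 && now - prev > best) {
            best = now - prev; before = prevline; after = $0
        }
        prev = now; prevline = $0
    }
    END { if (NR > 1) printf "%d\t%s\t%s\n", best, before, after }
    '
}

# Constructed sample of a sudo_debug log; a real run would pipe in
# "tail -n 20 /var/log/sudo_debug" instead.
SAMPLE_LOG='Feb 13 10:34:28 sudo[1234] -> main @ ./sudo.c:135
Feb 13 10:34:28 sudo[1234] -> sudo_conf_read @ ./conf.c:200
Feb 13 10:34:28 sudo[1234] -> get_user_info @ ./sudo.c:650
Feb 13 10:34:28 sudo[1234] -> get_user_groups @ ./sudo.c:560
Feb 13 10:34:41 sudo[1234] <- get_user_groups @ ./sudo.c:620 := 0x1234
Feb 13 10:34:41 sudo[1234] <- get_user_info @ ./sudo.c:760'

# In the sample the 13-second pause sits inside get_user_groups, i.e. the
# group lookup that the sssd backend is answering.
printf '%s\n' "$SAMPLE_LOG" | largest_gap
```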