[sudo-users] sudo + sssd backend on FreeBSD 10.3 client

Miller, Vincent (Rick) vmiller at verisign.com
Tue Feb 13 12:53:51 MST 2018

Hi Todd,

-----Original Message-----
From: "Todd C. Miller" <Todd.Miller at sudo.ws>
Date: Tuesday, February 13, 2018 at 12:34 PM
To: Rick Miller <vmiller at verisign.com>
Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: [EXTERNAL] Re: [sudo-users] sudo + sssd backend on FreeBSD 10.3 client

    On Tue, 13 Feb 2018 15:38:42 +0000, "Miller, Vincent (Rick)" wrote:
    > Whoops, the sudoers files does not use netgroups and contains only two rules:
    > root ALL=(ALL) ALL
    > %wheel ALL=(ALL) ALL
    > As described in the blog and forums posts, relevant bits of nsswitch.conf are
    >  configured:
    > # grep sss /etc/nsswitch.conf
    > group: files sss
    > passwd: files sss
    > sudoers: sss files
    > netgroup: files
    Just to be clear, you have still get the slowdown with:
    sudoers: files
    as well?  You only need to list sss in the sudoers nsswitch.conf
    entry if you are using LDAP-based sudoers with sss and it doesn't
    sound like you are doing that.

There is no slowness when the sudoers line is configured this way. However, sudo errors citing the user is not allowed to run sudo. There is an LDAP-based backend which sssd is configured to communicate with. sudo is compiled and installed with the sssd backend enabled.

Removing /etc/netgroup and the netgroup entry from nsswitch.conf prior to executing sudo demonstrates the aforementioned error although another user has stated doing this has resolved their latency problems. This has me confused and I’ve asked for access to that environment to investigate.
    When sudo starts up it does query all the groups for the invoking
    user but I would not expect that to involve the netgroups file
    unless sss stores AD groups as netgroups.
    You can limit sudo to the group listed stored in the kernel for the
    user with a line like the following in sudo.conf:
    Set group_source static
    It is also possible to log debugging info about what sudo is doing.
    For example, in sudo.conf:
    Debug sudo /var/log/sudo_debug all at debug
    Debug sudoers.so /var/log/sudoers_debug all at debug
    This will include logging of the internal sudo functions called.
    When you see the pause before the password prompt, the last few
    lines of those two log files should let me know where sudo is
    spending its time.

There are copious amounts of debug output to sift through (sudo, sssd, and truss). My latest tests appear to show sssd returning rules from the LDAP server and my previous assertion regarding iterating over /etc/netgroup may be incorrect as it’s possible it was consulted once for each rule returned by the LDAP server.

Having said that, A larger system-wide problem that may significantly contribute here has been discovered. Admittedly, my most recent tests are at the lower bounds of the previously described slowness range. Due to this, it’s prudent to gather more data before wasting more of your time.

I appreciate your assistance.

Vincent (Rick) Miller
UNIX Systems Engineer
vmiller at verisign.com

More information about the sudo-users mailing list