[sudo-users] sudo + sssd backend on FreeBSD 10.3 client

Miller, Vincent (Rick) vmiller at verisign.com
Tue Feb 20 12:32:36 MST 2018


Hi Todd,

Previously sent a message to the list that is awaiting moderation due to size. Attached to this message is the sanitized sudo log included in the body of the message awaiting moderation.

-- 
Vincent (Rick) Miller
UNIX Systems Engineer
vmiller at verisign.com
 
t: 703-948-4395  c: 703-581-3068
12061 Bluemont Way, Reston, VA  20190

-----Original Message-----
From: sudo-users <sudo-users-bounces at sudo.ws> on behalf of "Miller, Vincent (Rick) via sudo-users" <sudo-users at sudo.ws>
Reply-To: Rick Miller <vmiller at verisign.com>
Date: Tuesday, February 13, 2018 at 4:35 PM
To: "Todd C. Miller" <Todd.Miller at sudo.ws>
Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: [EXTERNAL] Re: [sudo-users] sudo + sssd backend on FreeBSD 10.3 client

    Hi Todd,
    
    
    -----Original Message-----
    From: "Todd C. Miller" <Todd.Miller at sudo.ws>
    Date: Tuesday, February 13, 2018 at 12:34 PM
    To: Rick Miller <vmiller at verisign.com>
    Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
    Subject: [EXTERNAL] Re: [sudo-users] sudo + sssd backend on FreeBSD 10.3 client
    
        On Tue, 13 Feb 2018 15:38:42 +0000, "Miller, Vincent (Rick)" wrote:
        
        > Whoops, the sudoers file does not use netgroups and contains only two rules:
        >
        > root ALL=(ALL) ALL
        > %wheel ALL=(ALL) ALL
        >
        > As described in the blog and forum posts, relevant bits of nsswitch.conf are
        >  configured:
        >
        > # grep sss /etc/nsswitch.conf
        > group: files sss
        > passwd: files sss
        > sudoers: sss files
        > netgroup: files
        
        Just to be clear, you still get the slowdown with:
        
        sudoers: files
        
        as well?  You only need to list sss in the sudoers nsswitch.conf
        entry if you are using LDAP-based sudoers with sss and it doesn't
        sound like you are doing that.
    
    There is no slowness when the sudoers line is configured this way. However, sudo errors citing the user is not allowed to run sudo. There is an LDAP-based backend which sssd is configured to communicate with. sudo is compiled and installed with the sssd backend enabled.
    
    Removing /etc/netgroup and the netgroup entry from nsswitch.conf prior to executing sudo demonstrates the aforementioned error although another user has stated doing this has resolved their latency problems. This has me confused and I’ve asked for access to that environment to investigate.
        
        When sudo starts up it does query all the groups for the invoking
        user but I would not expect that to involve the netgroups file
        unless sss stores AD groups as netgroups.
        
        You can limit sudo to the group list stored in the kernel for the
        user with a line like the following in sudo.conf:
        
        Set group_source static
        
        It is also possible to log debugging info about what sudo is doing.
        For example, in sudo.conf:
        
        Debug sudo /var/log/sudo_debug all@debug
        Debug sudoers.so /var/log/sudoers_debug all@debug
        
        This will include logging of the internal sudo functions called.
        When you see the pause before the password prompt, the last few
        lines of those two log files should let me know where sudo is
        spending its time.
    
    There are copious amounts of debug output to sift through (sudo, sssd, and truss). My latest tests appear to show sssd returning rules from the LDAP server and my previous assertion regarding iterating over /etc/netgroup may be incorrect as it’s possible it was consulted once for each rule returned by the LDAP server.
    
    Having said that, a larger system-wide problem that may significantly contribute here has been discovered. Admittedly, my most recent tests are at the lower bounds of the previously described slowness range. Due to this, it’s prudent to gather more data before wasting more of your time.
    
    I appreciate your assistance.
    
    -- 
    Vincent (Rick) Miller
    UNIX Systems Engineer
    vmiller at verisign.com
    
    
    ____________________________________________________________
    sudo-users mailing list <sudo-users at sudo.ws>
    For list information, options, or to unsubscribe, visit:
    https://www.sudo.ws/mailman/listinfo/sudo-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo1.log
Type: application/octet-stream
Size: 8386 bytes
Desc: sudo1.log
URL: <https://www.sudo.ws/pipermail/sudo-users/attachments/20180220/f4830aa5/attachment.obj>
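The thread turns on which sources the `sudoers:` line of nsswitch.conf makes sudo consult (`sss files` versus plain `files`). The following is an added example, not code from the list thread or from the sudo project: a small POSIX sh check that reports the sudoers sources a given nsswitch.conf-style file selects, treating a missing entry as `files` (sudo's documented default) and ignoring comments and bracketed status actions such as `[NOTFOUND=return]`. The helper names `sudoers_sources` and `uses_sss`, and the two sample files, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the sudo-users thread or the sudo project).
# Reports, in order, which sudoers sources sudo will consult according to an
# nsswitch.conf-style file, so a host's "sudoers:" entry can be checked quickly.
# Helper names and sample contents below are constructed for this example.

# Print the sources from the first "sudoers:" line of file $1, space-separated.
# A missing entry (or missing file) yields "files", which is sudo's default.
# Comments and bracketed status actions such as [NOTFOUND=return] are dropped.
sudoers_sources() {
    line=$(grep -E '^[[:space:]]*sudoers:' "$1" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "files"
        return 0
    fi
    echo "$line" \
        | sed -e 's/#.*//' \
              -e 's/^[[:space:]]*sudoers:[[:space:]]*//' \
              -e 's/\[[^]]*\]//g' \
              -e 's/[[:space:]][[:space:]]*/ /g' \
              -e 's/^ //' -e 's/ $//'
}

# Return 0 if "sss" is among the sudoers sources of file $1, 1 otherwise.
uses_sss() {
    for src in $(sudoers_sources "$1"); do
        [ "$src" = "sss" ] && return 0
    done
    return 1
}

# Constructed sample mirroring the nsswitch.conf lines quoted in the thread.
SAMPLE_NSSWITCH=$(mktemp)
cat > "$SAMPLE_NSSWITCH" <<'EOF'
# constructed sample nsswitch.conf
group: files sss
passwd: files sss
sudoers: sss files
netgroup: files
EOF

# Second constructed sample: the "files only" configuration suggested above,
# with extra whitespace, a status action and a trailing comment to parse past.
SAMPLE_FILES_ONLY=$(mktemp)
cat > "$SAMPLE_FILES_ONLY" <<'EOF'
sudoers:   files   [NOTFOUND=return]   # local sudoers file only
EOF

# Remove the temporary samples when the shell exits.
trap 'rm -f "$SAMPLE_NSSWITCH" "$SAMPLE_FILES_ONLY"' EXIT

if uses_sss "$SAMPLE_NSSWITCH"; then
    echo "sample 1 sudoers sources: $(sudoers_sources "$SAMPLE_NSSWITCH") (sss is consulted)"
else
    echo "sample 1 sudoers sources: $(sudoers_sources "$SAMPLE_NSSWITCH") (sss not consulted)"
fi
echo "sample 2 sudoers sources: $(sudoers_sources "$SAMPLE_FILES_ONLY")"
```

Run against a real host with `sudoers_sources /etc/nsswitch.conf`; if `sss` is listed but the host does not use LDAP-based sudo rules through sssd, the entry can be reduced to `files` as Todd suggests, which also removes the per-rule sssd round trips that the debug logs in the thread were meant to expose.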
