[sudo-users] sudo + sssd backend on FreeBSD 10.3 client

Todd C. Miller Todd.Miller at sudo.ws
Tue Feb 20 14:09:09 MST 2018

All the netgroup lookups appear to be for "netgroup" followed by a
number and they are used in a host context.  That leads me to believe
these are sss host groups being shadowed as netgroups by FreeIPA.

From the debug output at least some of the netgroups are matching
so presumably they are required.  It is possible to disable netgroup
lookups in sudo via the "use_netgroups" setting in sudoers but I
suspect that would prevent things from working.

If you want to try anyway, a line like the following in /etc/sudoers
should do it:

Defaults !use_netgroups

For this to be effective, the sudoers entry in /etc/nsswitch.conf
will need to list "files" before "sss".

I'm afraid there's not much sudo can do about the slow netgroup
lookups.  FreeBSD's file-based netgroup lookup code appears to open
and close the file with each lookup.  Sudo is just using the innetgr()
C library function to check for netgroup membership and the FreeBSD
implementation parses the entire netgroup file for each lookup.
Sudo doesn't open or parse the netgroup file directly.  Ultimately,
this is a FreeBSD problem.

Putting the netgroup database in a local NIS server would probably
be quite a bit faster.

I think I can improve the group file situation slightly.  FreeBSD
has a way to hint to the group lookup functions that the group file
should be kept open instead of closing it after each lookup.
Unfortunately, there's no way to do that with netgroups.

 - todd
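
The two conditions from the message above (a "Defaults !use_netgroups" line in sudoers, and "files" listed before "sss" on the sudoers line of nsswitch.conf) can be checked with a short script. This is an added example, not part of the original message or of sudo; the function names are hypothetical and both file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: function names are hypothetical, file paths are arguments.

# Print the sources on the "sudoers:" line of an nsswitch.conf-style file,
# one per line, with comments and [STATUS=action] criteria removed.
sudoers_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' "$1" |
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) print $i; exit }'
}

# Succeed only if "files" is listed and precedes "sss" (or "sss" is absent).
# A file with no "sudoers:" line is reported as a failure for manual review.
files_before_sss() {
    sudoers_sources "$1" | awk '
        $1 == "files" && !f { f = NR }
        $1 == "sss"   && !s { s = NR }
        END { exit !(f && (!s || f < s)) }'
}

# Succeed if the file has an uncommented global Defaults line that contains
# !use_netgroups. Only the named file is read; included files are not followed.
netgroups_disabled() {
    sed -e 's/#.*//' "$1" |
    grep -Eq '^[[:space:]]*Defaults[[:space:]].*!use_netgroups([[:space:],]|$)'
}

# usage: check_netgroup_bypass SUDOERS_FILE NSSWITCH_FILE
check_netgroup_bypass() {
    rc=0
    netgroups_disabled "$1" || { echo "no 'Defaults !use_netgroups' in $1"; rc=1; }
    files_before_sss "$2" || { echo "sudoers line in $2 must list files before sss"; rc=1; }
    return $rc
}

# Run the check when invoked with both paths.
if [ $# -eq 2 ]; then
    check_netgroup_bypass "$1" "$2"
fi
```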
