[sudo-users] sudo + sssd backend on FreeBSD 10.3 client

Todd C. Miller Todd.Miller at sudo.ws
Tue Feb 20 18:27:29 MST 2018


On Tue, 20 Feb 2018 14:09:09 -0700, "Todd C. Miller" wrote:

> All the netgroup lookups appear to be for "netgroup" followed by a
> number and they are used in a host context.  That leads me to believe
> these are sss host groups being shadowed as netgroups by FreeIPA.

I realized after I sent this that those are probably just the
sanitized names.  Either way, the sudoers policy in LDAP/sss does
seem to be relying on host netgroups.

> Putting the netgroup database in a local NIS server would probably
> be quite a bit faster.

I think running an NIS server on the local machine for netgroups
is probably your best bet.  Since under NIS netgroups are backed
by database files, not a flat file, lookups should be noticeably
faster.

 - todd

