https://bugzilla.redhat.com/show_bug.cgi?id=882221 (Red Hat Enterprise Linux 6)
Description of problem:
Sudo denies access when the LDAP server is offline and entry_cache_timeout is expired. Additionally, the response time in this case is very long.

Version-Release number of selected component (if applicable):
sssd-1.9.2-21.el6.x86_64
sssd-client-1.9.2-21.el6.x86_64
libsss_idmap-1.9.2-21.el6.x86_64
sudo-1.8.6p3-5.el6.x86_64
libsss_sudo-1.9.2-21.el6.x86_64

How reproducible: always

Steps to Reproduce:
1. Use the attached LDIF file to fill the LDAP directory.
2. Use the attached sssd.conf as the base for SSSD configuration.
3. Execute the following as root:

    su -c 'sudo -u user2 true' user1 && echo allowed || echo denied
    iptables -I OUTPUT -d server.sss-test.test -p tcp --dport ldaps -j REJECT --reject-with icmp-host-unreachable
    su -c 'sudo -u user2 true' user1 && echo allowed || echo denied

Actual results:

    allowed
    sudo: no tty present and no askpass program specified
    denied

Expected results:

    allowed
    allowed

Additional info:
The online request takes about 1.5 seconds. The offline request takes about two minutes. Considering that the "host unreachable" response is received immediately, that is a very long overall response time.
Fields changed
blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => pbrezina
testsupdated: => 0
patch: 0 => 1
milestone: NEEDS_TRIAGE => SSSD 1.9.4
resolution: => fixed
status: new => closed
Metadata Update from @jhrozek: - Issue assigned to pbrezina - Issue set to the milestone: SSSD 1.9.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2724
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.