#1682 Offline sudo denies access with expired entry_cache_timeout
Closed: Fixed None Opened 7 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=882221 (Red Hat Enterprise Linux 6)

Description of problem:
Sudo denies access when the LDAP server is offline and entry_cache_timeout is
expired. Additionally, the response time in this case is very long.

Version-Release number of selected component (if applicable):
sssd-1.9.2-21.el6.x86_64
sssd-client-1.9.2-21.el6.x86_64
libsss_idmap-1.9.2-21.el6.x86_64
sudo-1.8.6p3-5.el6.x86_64
libsss_sudo-1.9.2-21.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use the attached LDIF file to fill LDAP directory.
2. Use the attached sssd.conf as the base for SSSD configuration.
3. Execute the following as root:
su -c 'sudo -u user2 true' user1 && echo allowed || echo denied
iptables -I OUTPUT -d server.sss-test.test -p tcp --dport ldaps -j REJECT --reject-with icmp-host-unreachable
su -c 'sudo -u user2 true' user1 && echo allowed || echo denied

Actual results:
allowed
sudo: no tty present and no askpass program specified
denied

Expected results:
allowed
allowed

Additional info:
The online request takes about 1.5 seconds. The offline request takes about two
minutes. Considering that the "host unreachable" response is received immediately,
that is a very long overall response time.

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => pbrezina
testsupdated: => 0

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.4

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.4

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/2724

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
