#1682 Offline sudo denies access with expired entry_cache_timeout
Closed: Fixed. Opened 6 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=882221 (Red Hat Enterprise Linux 6)

Description of problem:
Sudo denies access when the LDAP server is offline and entry_cache_timeout is
expired. Additionally, the response time in this case is very long.

Version-Release number of selected component (if applicable):
sssd-1.9.2-21.el6.x86_64
sssd-client-1.9.2-21.el6.x86_64
libsss_idmap-1.9.2-21.el6.x86_64
sudo-1.8.6p3-5.el6.x86_64
libsss_sudo-1.9.2-21.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use the attached LDIF file to populate the LDAP directory.
2. Use the attached sssd.conf as the base for SSSD configuration.
3. Execute the following as root:
su -c 'sudo -u user2 true' user1 && echo allowed || echo denied
iptables -I OUTPUT -d server.sss-test.test -p tcp --dport ldaps -j REJECT --reject-with icmp-host-unreachable
su -c 'sudo -u user2 true' user1 && echo allowed || echo denied

Actual results:
allowed
sudo: no tty present and no askpass program specified
denied

Expected results:
allowed
allowed

Additional info:
The online request takes about 1.5 seconds. The offline request takes about two
minutes. Considering that the "host unreachable" response is received immediately,
that is a very long overall response time.
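The actual versus expected results above, as an added toy model that is not SSSD's sudo responder code: it contrasts the cache policy the reported behaviour implies (an expired entry is dropped while offline) with the one the expected results imply (an expired entry keeps being served until the server is reachable again). The user, rule, clock values and LDAP stand-in are constructed; 5400 s is SSSD's default entry_cache_timeout.

```python
# Added illustration, not SSSD's sudo responder code: a toy model of the two
# cache policies implied by the ticket's results. "Actual results" = an expired
# entry is treated as missing while offline; "Expected results" = an expired
# entry keeps being served until the server is reachable again. The user, rule,
# clock values and LDAP stand-in are constructed; 5400 s is SSSD's default.

ENTRY_CACHE_TIMEOUT = 5400  # seconds, the entry_cache_timeout default


class LdapUnreachable(Exception):
    """Raised by the fake LDAP fetch once the server is blocked (the iptables REJECT step)."""


class SudoRuleCache:
    def __init__(self, cache_timeout=ENTRY_CACHE_TIMEOUT, serve_stale_offline=False):
        self.cache_timeout = cache_timeout
        self.serve_stale_offline = serve_stale_offline  # False = reported bug, True = expected
        self.entries = {}  # user -> (rules, time fetched)

    def lookup(self, user, now, fetch_from_ldap):
        """Return the sudo rules for user, or None (what sudo treats as 'denied')."""
        cached = self.entries.get(user)
        if cached is not None and now - cached[1] <= self.cache_timeout:
            return cached[0]  # fresh entry: answered from cache, no LDAP round trip
        try:
            rules = fetch_from_ldap(user)  # miss or expired: refresh from the server
        except LdapUnreachable:
            # Offline. Bug: the expired entry is discarded as if it never existed.
            # Expected: keep serving it; only an online refresh may replace it.
            if cached is not None and self.serve_stale_offline:
                return cached[0]
            return None
        self.entries[user] = (rules, now)
        return rules


def reproduce(serve_stale_offline):
    """Replay the ticket's steps against the model; returns (online, offline) verdicts."""
    directory = {"user1": ["user1 ALL=(user2) ALL"]}  # constructed LDAP content
    cache = SudoRuleCache(serve_stale_offline=serve_stale_offline)
    verdict = lambda rules: "allowed" if rules else "denied"
    online = verdict(cache.lookup("user1", 0, directory.__getitem__))

    def blocked(user):  # the iptables REJECT: every connection attempt fails at once
        raise LdapUnreachable(user)

    # Second sudo after entry_cache_timeout has elapsed, with the server unreachable.
    offline = verdict(cache.lookup("user1", ENTRY_CACHE_TIMEOUT + 1, blocked))
    return online, offline
```

`reproduce(False)` yields the ticket's actual results and `reproduce(True)` its expected results.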

Fields changed

owner: somebody => pbrezina

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.4

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek (2 years ago):
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.4