#2127 sssd searches for random group when using sudo
Closed: Invalid None Opened 10 years ago by ptulpen.

When I use sudo without sssd integration, for some reason sssd seems to interact and asks for the user and group (which is the first but minor issue).
But then sssd requests information about some group the user is a member of, and not even always the same group. We have set a msSFU30GidNumber, but this is not used. Instead I see this in a network dump:

Filter: (&(&(&(msSFU30GidNumber=10025)(objectclass=group))(msSFU30Name=))(&(msSFU30GidNumber=)(!(msSFU30GidNumber=0))))

(10025 is one of many groups in the AD that the user is a member of.)
And you see as an answer the people who are in that group. So depending on which group was chosen, it takes different times to fulfill the request.

When using su, I see the expected behaviour with the filter:
Filter: (&(msSFU30Name=user1)(objectclass=person)) and just getting the correct CN entry and the group names of the user.

The AD is a Windows 2008 but with 2003 domain level.
I tested on openSUSE 12.3 and 13.1 RC1.
I attach the nsswitch and the sssd conf.


I don't think that's a bug. Depending on what library calls sudo or su do, the sssd might be queried.

The only interface the sssd exposes is the standard Name Service Switch API. If the applications use the API in a weird way, that's another problem.

If you don't need the members of groups being resolved and saved, you can use the option "ignore_group_members" available in 1.10 and later. That would speed up group lookups drastically, at the cost of groups appearing empty.

resolution: => invalid
status: new => closed
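
The comment above says sudo and su reach sssd only through Name Service Switch calls, and that can be observed from the client side. This added example (not part of the original ticket or of SSSD's code) times a by-GID group lookup for each of a user's groups; the helper names `user_gids` and `time_group_lookups` are illustrative, and that these calls resemble what sudo issues is an assumption.

```python
"""Time NSS group lookups by GID, the call path that pulls in group members."""
import grp
import os
import pwd
import sys
import time


def user_gids(username):
    """Return every GID the NSS stack (files, sss, ...) reports for username."""
    pw = pwd.getpwnam(username)            # user lookup by name, as seen with su
    return sorted(set(os.getgrouplist(username, pw.pw_gid)))


def time_group_lookups(gids, lookup=grp.getgrgid, clock=time.perf_counter):
    """Resolve each GID; record the duration and how many members came back.

    A by-GID lookup returns the member list too, so large groups take longer
    unless ignore_group_members is set for the sssd domain.
    """
    results = []
    for gid in gids:
        start = clock()
        try:
            entry = lookup(gid)
            name, members = entry.gr_name, len(entry.gr_mem)
        except KeyError:                   # GID reported for the user but not resolvable
            name, members = None, 0
        results.append({"gid": gid, "name": name, "members": members,
                        "seconds": clock() - start})
    # Slowest first: these are the groups worth checking in the sssd logs.
    return sorted(results, key=lambda r: r["seconds"], reverse=True)


if __name__ == "__main__":
    # Default is the invoking user; pass another account name as argv[1].
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    for row in time_group_lookups(user_gids(user)):
        print("{gid:>8} {name!s:<24} members={members:<5} {seconds:.4f}s".format(**row))
```

With "ignore_group_members" enabled, the `members` column should read 0 for groups served by sssd, which is the "groups appearing empty" cost mentioned in the comment.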

Metadata Update from @ptulpen:
- Issue set to the milestone: NEEDS_TRIAGE

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3169

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
