I use this configuration on my system:
- I log in as a user from IPA (used to be from 389 LDAP until recently)
- this user is added to 'wheel' group in /etc/group: wheel:x :10:david,djasa (actually without spaces around x to prevent :x:)
- in sudo configuration, group wheel is allowed everything:
%wheel ALL=(ALL) NOPASSWD: ALL
with user & group information taken from sssd and only local sudo information in /etc/nsswitch.conf:
passwd: sss files systemd
group: sss files systemd
Then sudo takes around 90 s to complete:
$ time sudo /bin/true
SSSD logs show that it's that sssd-ipa gathers information of several hundred (!) other users sequentially (!) in order to determine. (I can send the logs on request.) When sssd fetches the info from legacy 389 LDAP, the operation finishes within seconds. Similarly, when I add to IPA domain configuration this:
ignore_group_members = True
sudo takes 2-4 seconds, which is still slow, but reasonable:
$ time sudo /bin/true
Minutes-long sudo times could be considered an outright security hole, as they make the Gnome session right after logging in unresponsive for minutes, which usually indicates a crash in the graphics stack, so users can walk away from the system to get e.g. a sip of coffee — but this time, the UI eventually thaws and the unlocked computer presents an opportunity for unauthorized use.
System is Fedora 31 with sssd-2.2.2-1.fc31.x86_64.
As already said, I'll provide any configuration or logs upon request.