#4093 sudo on sssd-ipa takes minutes to complete (sssd-ldap on the same data takes seconds)
Opened 4 months ago by djasa. Modified 4 months ago

I use this configuration on my system:
- I log in as a user from IPA (used to be from 389 LDAP until recently)
- this user is added to the 'wheel' group in /etc/group: `wheel:x:10:david,djasa`
- in sudo configuration, group wheel is allowed everything: `%wheel ALL=(ALL) NOPASSWD: ALL`

with user & group information taken from sssd and only local sudo information in /etc/nsswitch.conf:

    passwd:     sss files systemd
    group:      sss files systemd
    sudo:       files

Then sudo takes around 90 s to complete:

    $ time sudo /bin/true

    real    1m32.223s
    user    0m0.013s
    sys     0m0.017s

SSSD logs show that sssd-ipa gathers information on several hundred (!) other users sequentially (!) in order to determine. (I can send the logs on request.) When sssd fetches the info from the legacy 389 LDAP, the operation finishes within seconds. Similarly, when I add this to the IPA domain configuration:

    ignore_group_members = True

sudo takes 2-4 seconds, which is still slow, but reasonable:

    $ time sudo /bin/true

    real    0m2.193s
    user    0m0.019s
    sys     0m0.024s

Minutes-long sudo times could be considered an outright security hole, as it makes the GNOME session right after logging in unresponsive for minutes, which usually indicates a crash in the graphics stack, so users can walk away from the system to get e.g. a sip of coffee — but this time, the UI eventually thaws and the unlocked computer presents an opportunity for unauthorized use.

System is Fedora 31 with sssd-2.2.2-1.fc31.x86_64.

As already said, I'll provide any configuration or logs upon request.
