#4093 sudo on sssd-ipa takes minutes to complete (sssd-ldap on the same data takes seconds)
Closed: worksforme 3 years ago by atikhonov. Opened 4 years ago by djasa.

I use this configuration on my system:
- I log in as a user from IPA (used to be from 389 LDAP until recently)
- this user is added to the 'wheel' group in /etc/group: wheel:x:10:david,djasa
- in sudo configuration, group wheel is allowed everything: %wheel ALL=(ALL) NOPASSWD: ALL

with user & group information taken from sssd and only local sudo information in /etc/nsswitch.conf:

passwd:     sss files systemd
group:      sss files systemd
sudo:       files

Then sudo takes around 90 s to complete:

$ time sudo /bin/true

real    1m32.223s
user    0m0.013s
sys 0m0.017s

SSSD logs show that sssd-ipa gathers information about several hundred (!) other users sequentially (!) in order to determine this. (I can send the logs on request.) When sssd fetches the info from legacy 389 LDAP, the operation finishes within seconds. Similarly, when I add this to the IPA domain configuration:

    ignore_group_members = True

sudo takes 2-4 seconds, which is still slow, but reasonable:

$ time sudo /bin/true

real    0m2.193s
user    0m0.019s
sys 0m0.024s

Minutes-long sudo times could be considered an outright security hole: they make the Gnome session unresponsive for minutes right after logging in, which usually indicates a crash in the graphics stack, so users may walk away from the system to get e.g. a sip of coffee. But this time the UI eventually thaws, and the unlocked computer presents an opportunity for unauthorized use.

System is Fedora 31 with sssd-2.2.2-1.fc31.x86_64.

As already said, I'll provide any configuration or logs upon request.
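The comparison the report relies on (a cold first call versus repeated calls, and plain NSS group resolution versus sudo's own check) can be collected with a small timing script. The following is an added example, not code from the ticket or from the SSSD project; the function names, the probed commands and the choice of `id -Gn` as a stand-in for initgroups() are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket): time a command over several runs so a
# slow first call (SSSD populating its cache) can be told apart from slow
# repeated calls (every call paying for full group resolution).
set -u

# time_ms CMD...: run CMD once with output discarded, print wall-clock
# milliseconds. A failing CMD (e.g. `sudo -n` refusing to run without a
# password) still yields a timing instead of aborting the caller.
time_ms() {
    start=$(date +%s%N)
    "$@" >/dev/null 2>&1 || true
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# time_runs N CMD...: N timings, one per line, in call order.
time_runs() {
    n=$1
    shift
    i=0
    while [ "$i" -lt "$n" ]; do
        time_ms "$@"
        i=$((i + 1))
    done
}

# summarize LABEL < timings: print the first run next to the minimum of the
# remaining runs. "first >> subsequent" points at cache population;
# "subsequent ~ first" means every call does the full lookup, which is what
# the ticket reports for sudo with IPA group members not ignored.
summarize() {
    label=$1
    first=""
    rest_min=""
    while read -r t; do
        if [ -z "$first" ]; then
            first=$t
        elif [ -z "$rest_min" ] || [ "$t" -lt "$rest_min" ]; then
            rest_min=$t
        fi
    done
    printf '%-24s first=%sms subsequent(min)=%sms\n' \
        "$label" "$first" "${rest_min:-n/a}"
}

# probe USER [RUNS]: compare NSS group resolution for USER (id calls
# initgroups) and a lookup of the local wheel group with sudo's own check.
probe() {
    user=$1
    runs=${2:-3}
    time_runs "$runs" id -Gn "$user" | summarize "id -Gn $user"
    time_runs "$runs" getent group wheel | summarize "getent group wheel"
    if command -v sudo >/dev/null 2>&1; then
        # -n: never prompt, so a timing is produced even without credentials
        time_runs "$runs" sudo -n /bin/true | summarize "sudo -n /bin/true"
    fi
}

probe "${1:-$(id -un)}" "${2:-3}"
```

Run it as the affected user (`sh probe.sh djasa 5`) once with the SSSD cache warm and once after `sss_cache -E` as root, so the cold and warm numbers can both be reported when asked about second and subsequent calls. If `id -Gn` alone is already slow, the cost is in group resolution rather than in sudo itself; `ignore_group_members = True` is set in the `[domain/...]` section of /etc/sssd/sssd.conf.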


Metadata Update from @atikhonov:
- Issue assigned to atikhonov

4 years ago

Hi,

(1) Are quoted timings (1m32.223s for ignore_group_members=false and 0m2.193s for ignore_group_members=true) the same for 2nd and subsequent calls?

(2)

> When sssd fetches the info from legacy 389 LDAP, the operation finishes within seconds.

Is content of two sources the same?
Do you use nested groups in IPA? The ldap and ipa providers use different ldap_schema defaults.

> SSSD logs show that it's that sssd-ipa gathers information of several hundred (!) other users

I don't know what sudo does under the hood. But a quick glance at the sources suggests that besides initgroups() it uses other NSS calls as well. Your description looks similar to what id does, i.e. it resolves all the groups the user is a member of. This is a costly operation if the hierarchy is large and group members are not ignored.

Metadata Update from @thalman:
- Issue tagged with: Future milestone

4 years ago

Closing as insufficient information.

Please feel free to re-open in case of new input.

Metadata Update from @atikhonov:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5057

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.
