I use this configuration on my system:
- I log in as a user from IPA (used to be from 389 LDAP until recently)
- this user is added to the 'wheel' group in /etc/group:
```
wheel:x:10:david,djasa
```
- in the sudo configuration, group wheel is allowed everything:
```
%wheel ALL=(ALL) NOPASSWD: ALL
```
with user & group information taken from sssd and only local sudo information in /etc/nsswitch.conf:
```
passwd: sss files systemd
group:  sss files systemd
sudo:   files
```
Then sudo takes around 90 s to complete:
```
$ time sudo /bin/true

real    1m32.223s
user    0m0.013s
sys     0m0.017s
```
SSSD logs show that sssd-ipa gathers information about several hundred (!) other users sequentially (!) in order to make its determination. (I can send the logs on request.) When sssd fetches the info from legacy 389 LDAP, the operation finishes within seconds. Similarly, when I add this to the IPA domain configuration:
```
ignore_group_members = True
```
sudo takes 2-4 seconds, which is still slow, but reasonable:
```
$ time sudo /bin/true

real    0m2.193s
user    0m0.019s
sys     0m0.024s
```
Minutes-long sudo times could be considered an outright security hole: right after logging in, the Gnome session becomes unresponsive for minutes, which usually indicates a crash in the graphics stack, so users may walk away from the system to get, e.g., a sip of coffee. But this time the UI eventually thaws, and the unlocked computer presents an opportunity for unauthorized use.
The system is Fedora 31 with sssd-2.2.2-1.fc31.x86_64.
As already said, I'll provide any configuration or logs upon request.
Metadata Update from @atikhonov:
- Issue assigned to atikhonov
Hi,
(1) Are quoted timings (1m32.223s for ignore_group_members=false and 0m2.193s for ignore_group_members=true) the same for 2nd and subsequent calls?
(2)
> When sssd fetches the info from legacy 389 LDAP, the operation finishes within seconds.

Is the content of the two sources the same? Do you use nested groups in IPA? The ldap and ipa providers use a different ldap_schema by default.

> SSSD logs show that sssd-ipa gathers information about several hundred (!) other users
I don't know what sudo does under the hood. But a quick glance at the sources suggests that besides initgroups() it is using other NSS calls as well. Your description looks similar to what id does, i.e. it resolves all the groups the user is a member of. This is a costly operation if the hierarchy is large and group members are not ignored.
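An added diagnostic (not code from the reporter or from the SSSD project) that times the NSS lookups the reply above points at, the initgroups()-style getgrouplist() plus a getgrgid() per group, so you can see whether the time goes into the user's group list or into fetching each group's member list, which is what ignore_group_members = True makes the provider leave empty. It assumes a Linux host with Python 3 and, for the demo call, a local root user; the wheel group is only looked up, it need not exist.

```python
import grp
import os
import pwd
import time


def _timed(fn, *args):
    """Call fn(*args); return (result, elapsed seconds)."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


def profile_group_resolution(username):
    """Time the NSS lookups a sudo %group rule can involve: getpwnam(),
    getgrouplist() (the initgroups() path) and getgrgid() per GID; the last
    makes the provider return each group's full member list."""
    pw, t_pw = _timed(pwd.getpwnam, username)
    gids, t_gl = _timed(os.getgrouplist, username, pw.pw_gid)
    groups, t_gr_total = {}, 0.0   # group name -> members returned
    for gid in gids:
        try:
            gr, t_gr = _timed(grp.getgrgid, gid)
        except KeyError:           # GID without a group entry in any source
            continue
        t_gr_total += t_gr
        groups[gr.gr_name] = len(gr.gr_mem)
    return {"getpwnam_s": t_pw, "getgrouplist_s": t_gl,
            "getgrgid_total_s": t_gr_total, "groups": groups,
            "members_fetched": sum(groups.values())}


def primary_group_name(username):
    """Name of the user's primary group (from the passwd entry's GID)."""
    return grp.getgrgid(pwd.getpwnam(username).pw_gid).gr_name


def matches_group_rule(username, group_name):
    """Membership test by GID, as a '%group ALL=(ALL) ...' rule needs it;
    unlike scanning gr_mem it stays correct when member lists come back empty."""
    try:
        gid = grp.getgrnam(group_name).gr_gid
    except KeyError:
        return False
    return gid in os.getgrouplist(username, pwd.getpwnam(username).pw_gid)


if __name__ == "__main__":
    print(profile_group_resolution("root"))
    print("matches %wheel:", matches_group_rule("root", "wheel"))
```

Run it for the affected IPA user with and without ignore_group_members = True and compare members_fetched and getgrgid_total_s; the answer from matches_group_rule() stays the same, only the amount of member data pulled changes.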
Metadata Update from @thalman:
- Issue tagged with: Future milestone
Closing as insufficient information.
Please feel free to re-open in case of new input.
Metadata Update from @atikhonov:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5057
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.