On Fri, Dec 6, 2024 at 10:31 AM Alexey Tikhonov <[email protected]> wrote:
> Hi, > > what is the output of `groups $user`? > > If the list is large then try > ``` > ignore_group_members = true > subdomain_inherit = ignore_group_members > ``` > on the domain section of your sssd.conf > re: > I would like to report the user's group memberships, if requested (i.e., `id`), but I don't need that information cached, unless explicitly asked. -- when your user logs in it is required to resolve his groups membership for proper access control. > > > On Fri, Dec 6, 2024 at 1:14 AM Ice Man via sssd-users < > [email protected]> wrote: > >> I am seeing extreme slowness for all users, when they first login and >> when they first use sudo. They may be related, but I'm currently focusing >> on the sudo-slowness, because it is easier to repeat, and because the >> user's name is hard-coded in the sudoers file. I can reproduce the problem >> using: >> >> $ sudo sss_cache --groups && time sudo echo hello && time sudo echo >> hello >> Thu Dec 5 11:56:38 PM UTC 2024 >> hello >> >> real 5m3.852s >> user 0m0.007s >> sys 0m0.022s >> hello >> >> real 0m0.030s >> user 0m0.007s >> sys 0m0.010s >> >> I don't understand why this should take so long, since the user's name is >> hard-coded in sudoers. I expect an immediate response, similar to what I >> see after results are cached for subsequent sudo usage. >> >> $ grep -v -P '(^#|^$)' /etc/sudoers >> Defaults env_reset >> Defaults mail_badpass >> Defaults >> secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" >> Defaults use_pty >> root ALL=(ALL:ALL) ALL >> %admin ALL=(ALL) ALL >> %sudo ALL=(ALL) NOPASSWD: ALL >> myuser ALL=(ALL) NOPASSWD: ALL >> >> I primarily need sssd/ldap for user authentication against an Active >> Directory server. I would like to report the user's group memberships, if >> requested (i.e., `id`), but I don't need that information cached, unless >> explicitly asked. >> >> Sudo access should be granted solely from /etc/sudoers. I don't want sssd >> to have any part in determining sudo restrictions. >> >> My /etc/nsswitch.conf file is: >> >> $ grep -v -P '(^#|^$)' /etc/nsswitch.conf >> passwd: files systemd sss >> group: files systemd sss >> shadow: files sss >> gshadow: files >> sudoers: files >> hosts: files mdns4_minimal [NOTFOUND=return] dns >> networks: files >> protocols: db files >> services: db files sss >> ethers: db files >> rpc: db files >> netgroup: nis sss >> automount: sss >> >> I have tried to impose timeouts to prevent these long sudo executions, >> but clearly, I'm missing something. >> >> My /etc/sss/ssd.conf file is: >> >> $ grep -v -P '(^#|^$)' /etc/sssd/sssd.conf >> [sssd] >> domains = corp.mycompany.com >> config_file_version = 2 >> debug_level = 1 >> override_space = _ >> [nss] >> enum_cache_timeout = 1 >> entry_cache_nowait_percentage = 75 >> filter_groups = root, admin, sudo >> filter_users = root >> reconnection_retries = 3 >> entry_cache_timeout = 300 >> entry_cache_nowait_percentage = 75 >> [pam] >> >> [domain/corp.mycompany.com] >> ldap_search_timeout = 3 >> ldap_network_timeout = 3 >> ldap_enumeration_search_timeout = 3 >> entry_cache_timeout = 600 >> entry_cache_nowait_percentage = 75 >> entry_cache_user_timeout = 5400 >> entry_cache_group_timeout = 5400 >> entry_cache_netgroup_timeout = 5400 >> ldap_sudo_full_refresh_interval = 0 >> ldap_sudo_smart_refresh_interval = 21600 >> ldap_sudo_use_host_filter = true >> ldap_sudo_include_netgroups = false >> ldap_sudo_include_regexp = false >> ldap_referrals = False >> enumerate = False >> cache_credentials = true >> override_shell = /bin/bash >> override_homedir = /home/%u >> id_provider = ldap >> access_provider = ldap >> auth_provider = ldap >> chpass_provider = ldap >> ldap_uri = ldaps://adldap.mycompany.com >> ldap_service_port = 636 >> ldap_search_base = dc=corp,dc=mycompany,dc=com >> ldap_tls_reqcert = allow >> ldap_id_use_start_tls = true >> ldap_id_mapping = true >> ldap_schema = ad >> ldap_user_search_base = ou=Accounts,dc=corp,dc=mycompany,dc=com >> ldap_group_search_base = dc=corp,dc=mycompany,dc=com >> ldap_user_object_class = user >> ldap_user_name = sAMAccountName >> ldap_user_fullname = displayName >> ldap_user_home_directory = unixHomeDirectory >> ldap_user_principal = userPrincipalName >> ldap_group_object_class = group >> ldap_group_name = cn >> ldap_access_order = expire >> ldap_account_expire_policy = ad >> ldap_default_bind_dn = cn=bindusername,ou=Service >> Accounts,ou=Accounts,dc=corp,dc=mycompany,dc=com >> ldap_default_authtok_type = password >> ldap_default_authtok = binduserpassword >> >> What am I missing? How can I speed up sudo access? >> >> Thanks in advance for any help you can provide. :) >> >> (BTW, if you see anything else that I'm configuring sub-optimally, feel >> free to chime in.) >> -- >> _______________________________________________ >> sssd-users mailing list -- [email protected] >> To unsubscribe send an email to [email protected] >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/[email protected] >> Do not reply to spam, report it: >> https://pagure.io/fedora-infrastructure/new_issue >> >
-- _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
