I am seeing extreme slowness for all users, both when they first log in and when they first use sudo. They may be related, but I'm currently focusing on the sudo slowness, because it is easier to repeat, and because the user's name is hard-coded in the sudoers file. I can reproduce the problem using:
$ sudo sss_cache --groups && time sudo echo hello && time sudo echo hello
Thu Dec 5 11:56:38 PM UTC 2024
hello

real    5m3.852s
user    0m0.007s
sys     0m0.022s
hello

real    0m0.030s
user    0m0.007s
sys     0m0.010s
I don't understand why this should take so long, since the user's name is hard-coded in sudoers. I expect an immediate response, similar to what I see after results are cached for subsequent sudo usage.
$ grep -v -P '(^#|^$)' /etc/sudoers
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults use_pty
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL) NOPASSWD: ALL
myuser ALL=(ALL) NOPASSWD: ALL
I primarily need sssd/ldap for user authentication against an Active Directory server. I would like to report the user's group memberships, if requested (i.e., `id`), but I don't need that information cached, unless explicitly asked.
Sudo access should be granted solely from /etc/sudoers. I don't want sssd to have any part in determining sudo restrictions.
My /etc/nsswitch.conf file is:
$ grep -v -P '(^#|^$)' /etc/nsswitch.conf
passwd:         files systemd sss
group:          files systemd sss
shadow:         files sss
gshadow:        files
sudoers:        files
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
automount:      sss
I have tried to impose timeouts to prevent these long sudo executions, but clearly, I'm missing something.
My /etc/sssd/sssd.conf file is:
$ grep -v -P '(^#|^$)' /etc/sssd/sssd.conf
[sssd]
domains = corp.mycompany.com
config_file_version = 2
debug_level = 1
override_space = _

[nss]
enum_cache_timeout = 1
entry_cache_nowait_percentage = 75
filter_groups = root, admin, sudo
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]

[domain/corp.mycompany.com]
ldap_search_timeout = 3
ldap_network_timeout = 3
ldap_enumeration_search_timeout = 3
entry_cache_timeout = 600
entry_cache_nowait_percentage = 75
entry_cache_user_timeout = 5400
entry_cache_group_timeout = 5400
entry_cache_netgroup_timeout = 5400
ldap_sudo_full_refresh_interval = 0
ldap_sudo_smart_refresh_interval = 21600
ldap_sudo_use_host_filter = true
ldap_sudo_include_netgroups = false
ldap_sudo_include_regexp = false
ldap_referrals = False
enumerate = False
cache_credentials = true
override_shell = /bin/bash
override_homedir = /home/%u
id_provider = ldap
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://adldap.mycompany.com
ldap_service_port = 636
ldap_search_base = dc=corp,dc=mycompany,dc=com
ldap_tls_reqcert = allow
ldap_id_use_start_tls = true
ldap_id_mapping = true
ldap_schema = ad
ldap_user_search_base = ou=Accounts,dc=corp,dc=mycompany,dc=com
ldap_group_search_base = dc=corp,dc=mycompany,dc=com
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = cn
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_default_bind_dn = cn=bindusername,ou=Service Accounts,ou=Accounts,dc=corp,dc=mycompany,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = binduserpassword
What am I missing? How can I speed up sudo access?
Thanks in advance for any help you can provide. :)
(BTW, if you see anything else that I'm configuring sub-optimally, feel free to chime in.)