Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2127
When I use sudo without sssd integration, for some reason sssd seems to interact and asks for the user and group (which is the first but minor issue).
But then, sssd requests information about some group the user is a member of, and not even always the same group. We have set a msSFU30GidNumber, but this is not used. Instead I see this in a network dump:
Filter: (&(&(&(msSFU30GidNumber=10025)(objectclass=group))(msSFU30Name=))(&(msSFU30GidNumber=)(!(msSFU30GidNumber=0))))
(10025 is one of many groups in the AD of which the user is a member)
And you see as an answer the people who are in that group. So depending on which group was chosen, it takes different times to fulfill the request.
When using su, I see the expected behaviour with the Filter:
Filter: (&(msSFU30Name=user1)(objectclass=person)) and just getting the correct CN entry and the group names of the user
The AD is a Windows 2008 but with 2003 domain level.
I tested on openSUSE 12.3 and 13.1 RC1.
I attach the nsswitch and the sssd conf.
Comments
Comment from ptulpen at 2013-10-22 17:26:49
sssd (of course censored)
sssd.conf
Comment from ptulpen at 2013-10-22 17:26:58
attachment
nsswitch.conf
Comment from jhrozek at 2013-10-24 13:43:08
I don't think that's a bug. Depending on what library calls sudo or su do, the sssd might be queried.
The only interface the sssd exposes is the standard Name Service Switch API. If the applications use the API in a weird way, that's another problem.
If you don't need the members of groups being resolved and saved, you can use the option "ignore_group_members" available in 1.10 and later. That would speed up group lookups drastically, at the cost of groups appearing empty.
resolution: => invalid
status: new => closed
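
An added diagnostic, not part of the original thread or of SSSD: it times the NSS calls discussed above for one user, contrasting the initgroups-style group-list lookup with per-group `getgrgid` calls, which return member lists and therefore slow down for large groups. The function names are illustrative, and the default user `root` is an assumption.

```python
#!/usr/bin/env python3
"""Time the NSS lookups for one user (added example; names are illustrative)."""
import grp
import os
import pwd
import sys
import time


def timed(fn, *args):
    """Call an NSS wrapper; return (result or None if not found, seconds)."""
    start = time.perf_counter()
    try:
        result = fn(*args)
    except KeyError:
        result = None
    return result, time.perf_counter() - start


def profile_user(name):
    """Return timings for the passwd, group-list and per-group lookups."""
    pw, t_pw = timed(pwd.getpwnam, name)
    if pw is None:
        return None
    # getgrouplist() is the initgroups-style call: GIDs only, no member lists.
    gids, t_list = timed(os.getgrouplist, name, pw.pw_gid)
    groups = []
    for gid in gids or []:
        # getgrgid() returns the full group entry, including gr_mem.
        gr, t_gr = timed(grp.getgrgid, gid)
        groups.append((gid, gr.gr_name if gr else None,
                       len(gr.gr_mem) if gr else 0, t_gr))
    return {"user": pw.pw_name, "getpwnam_s": t_pw,
            "getgrouplist_s": t_list, "groups": groups}


if __name__ == "__main__":
    report = profile_user(sys.argv[1] if len(sys.argv) > 1 else "root")
    if report is None:
        sys.exit("user not found via NSS")
    print(f"getpwnam      {report['getpwnam_s']:.4f}s")
    print(f"getgrouplist  {report['getgrouplist_s']:.4f}s")
    # Slowest group lookups first: these are the ones with large member lists.
    for gid, gname, members, secs in sorted(report["groups"], key=lambda g: -g[3]):
        print(f"getgrgid({gid}) {gname} members={members} {secs:.4f}s")
```

With `ignore_group_members` enabled, the `members=` count for SSSD-served groups should read 0, matching the "groups appearing empty" trade-off described in the comment.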
Comment from ptulpen at 2017-02-24 14:33:38
Metadata Update from @ptulpen: