Way to configure sudo to not need to look up group names, or speed up sssd group name resolution


I've got a large number of Linux hosts that are connected using sssd to a Windows Active Directory (AD) domain for user/group lookup. That mostly works fine except for one problem: sudo.

From what I've been able to find in my testing, any time you run a sudo command, sudo tries to resolve the names of all the groups the user is in. Since sssd by default only caches the gids and has to do a slow lookup of the name (assuming something hasn't caused sssd to cache the group names recently on the host), this can cause the sudo command to pause for 45 sec for accounts in a lot of groups before it gets to prompting the user for their password to continue with the sudo command.

From my testing, this group name resolving happens irrespective of whether there are any sudo rules that apply to the user which make use of their groups. I've tested changing group_source values in sudo.conf, but that didn't seem to have much effect.

Removing all our users from most of the groups they are in isn't really an option (infrastructure security decision I have no control over), so I'm left with trying to find a way to stop sudo pausing for ages while all the group ids are looked up.

The only solution I've come up with so far is running a cronjob every 15 min to do something like getent group to make sssd keep the group names cached in memory continually, but that seems a hacky fix. So I'm hoping somebody on the net might have a better solution for speeding up sudo in this situation?

Best Answer

I would suggest either setting the ignore_group_members option to true, symlinking the cache to tmpfs, or waiting for the 1.14 upstream release.

The reason the group resolution is slow is that saving the group on cache update after the cache expiration always writes the full group object to the on-disk cache even if nothing had changed. In 1.14, we're changing the cache logic to only update the cache if something had actually changed, see One Fourteen Performance Improvements.

Setting ignore_group_members would make the groups appear empty, which reduces their size and speeds up the cache save times. Please note that this would not have any effect on sudo functionality, because sudo uses initgroups() to see what groups the user is a member of, not getent group and initgroups.

I also wrote up a blog post on sssd performance tuning some time ago; even though it's focused on the IPA server case, many points apply to sssd-ad configuration as well.
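As an added example (not part of the question or the answer above, and not sssd's or sudo's own code), the following POSIX shell script checks whether the ignore_group_members option the answer recommends is actually set in the [domain/...] section of an sssd.conf, and times the group-membership lookup that a sudo invocation triggers. The sample sssd.conf, the domain names and the file paths are constructed for the demonstration; using id -G as a stand-in for sudo's initgroups() call is an assumption (both go through the same NSS initgroups path in glibc, but sudo itself is not exercised).

```shell
#!/bin/sh
# Added example: verify the ignore_group_members setting and time the group
# lookup sudo depends on. Sample config and names below are constructed.

# Print the value of KEY in [SECTION] of an INI-style file CONF.
# Prints nothing if the section or key is absent. Whitespace around
# '=' and around the section header is tolerated, as sssd allows.
ini_get() {
    conf=$1; section=$2; key=$3
    awk -v sect="[$section]" -v key="$key" '
        /^[[:space:]]*\[/ {
            line = $0
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
            in_sect = (line == sect)
            next
        }
        in_sect && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }' "$conf"
}

# Return 0 if ignore_group_members is enabled for DOMAIN in CONF, else 1.
# sssd treats the value case-insensitively, so accept True/true.
ignore_group_members_enabled() {
    val=$(ini_get "$1" "domain/$2" ignore_group_members)
    case "$val" in
        [Tt][Rr][Uu][Ee]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Time the supplementary-group resolution for USER in whole seconds.
# Assumption: id -G exercises the same NSS initgroups path as sudo's
# initgroups() call, so a slow result here predicts a slow sudo prompt.
time_group_resolution() {
    user=$1
    start=$(date +%s)
    id -G "$user" >/dev/null 2>&1
    end=$(date +%s)
    echo $((end - start))
}

# Constructed sssd.conf: one AD domain with the option set, one without.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
domains = ad.example.com, other.example.com
services = nss, pam

[domain/ad.example.com]
id_provider = ad
ignore_group_members = True

[domain/other.example.com]
id_provider = ad
EOF

# Report both constructed domains; pass a real user as $1 to also time lookup.
for d in ad.example.com other.example.com; do
    if ignore_group_members_enabled "$SAMPLE_CONF" "$d"; then
        echo "$d: ignore_group_members is enabled"
    else
        echo "$d: ignore_group_members is NOT set (large groups are saved in full)"
    fi
done
if [ -n "${1:-}" ]; then
    echo "group resolution for $1 took $(time_group_resolution "$1") s"
fi
```

Run it against the live configuration by replacing SAMPLE_CONF with /etc/sssd/sssd.conf (which is root-readable only) and passing an AD account name as the first argument; an elapsed time in the tens of seconds for a user in many groups is the symptom the question describes, and it should drop once the option is set and sssd restarted.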