linux - Winbind group lookup painfully slow
2014-04
I am running winbind on an RHEL 6 system. Everything works fine except group lookups, so many commands (including sudo
) are painfully slow. I did an strace
which shows that winbind looks up every group and every user within each group for the current user. Some of these groups have 20000+ users so a simple sudo
can take 60 seconds to complete.
I really only care about speeding up the sudo command. Ideal solutions would make it so either:
- groups with more than X number of users will not be looked up, or
- sudo bypasses group lookups altogether.
Here is my current "smb.conf" for winbind:
workgroup = EXAMPLE
password server = AD1.EXAMPLE.ORG
realm = EXAMPLE.ORG
security = ads
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:range = 10000000-19999999
winbind enum users = no
winbind enum groups = no
winbind separator = +
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = false
I had this same problem after upgrading sudo and found out from Red Hat that sudo changed its group membership resolution algorithm when going from sudo-1.7.4p5-13.el6_3.x86_64 to sudo-1.8.6p3-7.el6.x86_64. In sudo-1.7.4, group membership was resolved for all groups listed in /etc/sudoers and if the username was found in the list, it was granted sudo privileges. In sudo-1.8.6, this was changed to be the other way around - sudo fetched a list of groups that the user is a member of, then checked if any of those groups were listed in sudoers.
This results in getgrgid() for every group the user is a member of, so if some groups are large, this will be quite slow. You can either downgrade sudo or put the large groups as empty groups in your local /etc/group file so that AD is not contacted for them (assuming the large groups aren't referenced by the Linux system for any access control).
disable nested groups
winbind nested groups = false
I have a bunch of batch applications that must run with a local linux user "batchjobs". Our team have AD users (eg: "COMPANY/user") to login to that machine. If we need to change current production state (editing a "batchjobs" script, reading log files, etc), we "sudo su" to that user. I want to find an easier way, specially because the old "root does all" structure worked a lot better (weird, but true).
I'm trying these approaches:
- Manually adding all users to "batchjobs". Works, but it's darn ugly, because there are N servers and M users, and both variables are really "variable"; or
- Map the "batchjobs" local group to "my-team" AD group. This seems to be the best solution, because with newgrp and umask on .bashrc, the team will work with "batchjobs" files without worrying about sudo or chown/chgrp. I don't know if it's possible. I tried with "net groupmap add" without success.
Currently, the only constraint I have is I cannot create AD users or groups. All team members are members of "my-team" AD group.
Answer was pretty simple, indeed. I can do usermod -g ad-group local-user