How to configure System Security Services Daemon to disable the SUDO Smart Refresh task

Configure System Security Services Daemon (SSSD) to disable the SUDO Smart Refresh task.

The SUDO Smart Refresh task runs periodically (every 900 seconds, the default of ldap_sudo_smart_refresh_interval) even when no sudo rules are stored in the directory and sudo_provider is not configured at all, because sudo_provider defaults to the value of id_provider (here ad). Each run opens an LDAP connection and searches the domain base for sudoRole objects changed since the last known USN, as the domain backend log shows:

[...]
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_execute] (0x0400): Task [SUDO Smart Refresh]: executing task, timeout 900 seconds
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_smart_refresh_send] (0x0400): Issuing a smart refresh of sudo rules (USN >= 7774)
[...]
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_load_sudoers_send] (0x0400): About to fetch sudo rules
(2021-09-22 22:10:24): [be[example.org]] [sdap_search_bases_ex_next_base] (0x0400): Issuing LDAP lookup with base [DC=example,DC=org]
(2021-09-22 22:10:24): [be[example.org]] [sdap_print_server] (0x2000): Searching 172.16.0.110:389
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectCategory=sudoRole)(uSNChanged>=7774))(|(&(!(sudoHost=*))(cn=defaults))(sudoHost=ALL)(sudoHost=dc)(sudoHost=dc.example.org)(sudoHost=10.0.2.15)(sudoHost=10.0.2.0/24)(sudoHost=172.16.0.110)(sudoHost=172.16.0.0/24)(sudoHost=fe80::a00:27ff:fe8d:c04d)(sudoHost=fe80::/64)(sudoHost=fe80::a00:27ff:fecf:cc27)(sudoHost=fe80::/64)(sudoHost=+*)))][DC=example,DC=org].
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectCategory]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 3
[...]
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_load_sudoers_done] (0x0200): Received 0 sudo rules
(2021-09-22 22:10:24): [be[example.org]] [sdap_id_op_done] (0x4000): releasing operation connection
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_refresh_done] (0x0400): Received 0 rules
(2021-09-22 22:10:24): [be[example.org]] [ldb] (0x10000): start ldb transaction (nesting: 0)
(2021-09-22 22:10:24): [be[example.org]] [ldb] (0x10000): start ldb transaction (nesting: 1)
(2021-09-22 22:10:24): [be[example.org]] [sysdb_sudo_purge_byrules] (0x0400): About to remove rules from sudo cache
(2021-09-22 22:10:24): [be[example.org]] [ldb] (0x10000): commit ldb transaction (nesting: 1)
(2021-09-22 22:10:24): [be[example.org]] [ldb] (0x10000): commit ldb transaction (nesting: 0)
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_refresh_done] (0x0400): Sudoers is successfully stored in cache
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [7782]
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo rules
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 900 seconds from last execution time [1632349524]
[...]

The solution is to set sudo_provider = none in the domain section, which disables the sudo provider and with it the periodic smart and full refresh tasks. Only do this on hosts that do not rely on sudo rules stored in AD or LDAP (sudoers: files sss in /etc/nsswitch.conf); with sudo_provider = none those rules are no longer fetched or cached, so such hosts would lose them.

$ sudo cat /etc/sssd/sssd.conf
[sssd]
domains = example.org
config_file_version = 2
services = nss, pam

[domain/example.org]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.ORG
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.org
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

sudo_provider = none

Restart the sssd service and check that /var/log/sssd/sssd_example.org.log no longer records the task after the restart.

$ sudo systemctl restart sssd
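The same change and its verification as a small shell script, added here as an example and not taken from the page or from the SSSD project: it sets sudo_provider = none inside the [domain/<name>] section of an sssd.conf copy (replacing an existing sudo_provider line, or appending one when the section has none), reads the setting back, and counts SUDO Smart Refresh executions in a backend log so the count can be compared before and after the restart. The file paths are arguments so the functions can be exercised on copies; the sample configuration and log lines below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): manage sudo_provider in sssd.conf
# and verify the SUDO Smart Refresh task has stopped. The real files are
# /etc/sssd/sssd.conf and /var/log/sssd/sssd_<domain>.log; the demo below only
# touches copies in a temporary directory (an assumption for this example).
set -eu

# set_sudo_provider_none CONF DOMAIN
# Print CONF with exactly one "sudo_provider = none" line in [domain/DOMAIN]:
# an existing sudo_provider line in that section is replaced (extra copies are
# dropped); if the section has none, the line is appended at the section's end.
# All other sections are passed through unchanged.
set_sudo_provider_none() {
    awk -v want="[domain/$2]" '
        function flush() { if (in_sect && !done) { print "sudo_provider = none"; done = 1 } }
        /^[ \t]*\[/ {                       # a section header ends the previous section
            flush()
            h = $0; gsub(/^[ \t]+|[ \t]+$/, "", h)
            in_sect = (h == want)
            print; next
        }
        in_sect && /^[ \t]*sudo_provider[ \t]*=/ {
            if (!done) { print "sudo_provider = none"; done = 1 }
            next
        }
        { print }
        END { flush() }
    ' "$1"
}

# get_sudo_provider CONF DOMAIN
# Print the sudo_provider value set in [domain/DOMAIN], or nothing if unset
# (in which case SSSD falls back to the id_provider value).
get_sudo_provider() {
    awk -v want="[domain/$2]" '
        /^[ \t]*\[/ { h = $0; gsub(/^[ \t]+|[ \t]+$/, "", h); in_sect = (h == want); next }
        in_sect && /^[ \t]*sudo_provider[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }
    ' "$1"
}

# count_smart_refresh LOG
# Number of SUDO Smart Refresh executions recorded by the backend (one per
# "[be_ptask_execute] ... Task [SUDO Smart Refresh]: executing task" line).
# Compare the count before and after the restart: it must stop growing.
count_smart_refresh() {
    grep -c 'be_ptask_execute.*Task \[SUDO Smart Refresh\]: executing task' "$1" || true
}

# --- Demonstration on constructed copies; never touches /etc/sssd ---------
demo_dir=$(mktemp -d)
cat > "$demo_dir/sssd.conf" <<'EOF'
[sssd]
domains = example.org
config_file_version = 2
services = nss, pam

[domain/example.org]
id_provider = ad
ad_domain = example.org
access_provider = ad
EOF

# Constructed log excerpt modelled on the page's output: two task executions.
cat > "$demo_dir/sssd_example.org.log" <<'EOF'
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_execute] (0x0400): Task [SUDO Smart Refresh]: executing task, timeout 900 seconds
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
(2021-09-22 22:25:24): [be[example.org]] [be_ptask_execute] (0x0400): Task [SUDO Smart Refresh]: executing task, timeout 900 seconds
EOF

echo "before: sudo_provider='$(get_sudo_provider "$demo_dir/sssd.conf" example.org)'"
set_sudo_provider_none "$demo_dir/sssd.conf" example.org > "$demo_dir/sssd.conf.new"
echo "after:  sudo_provider='$(get_sudo_provider "$demo_dir/sssd.conf.new" example.org)'"
echo "smart refresh runs in log: $(count_smart_refresh "$demo_dir/sssd_example.org.log")"
rm -rf "$demo_dir"
```

On a real host, write the function's output to a temporary file, install it over /etc/sssd/sssd.conf with mode 0600 and owner root (SSSD refuses to start on a world-readable configuration), run sssctl config-check, then restart sssd and re-run count_smart_refresh on the domain log after a full 900-second period has passed.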

Done.