Configure the System Security Services Daemon (SSSD) to disable the SUDO Smart Refresh task.
The SUDO Smart Refresh task is executed periodically even if sudo integration is not used or configured.
[...]
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_execute] (0x0400): Task [SUDO Smart Refresh]: executing task, timeout 900 seconds
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_smart_refresh_send] (0x0400): Issuing a smart refresh of sudo rules (USN >= 7774)
[...]
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_load_sudoers_send] (0x0400): About to fetch sudo rules
(2021-09-22 22:10:24): [be[example.org]] [sdap_search_bases_ex_next_base] (0x0400): Issuing LDAP lookup with base [DC=example,DC=org]
(2021-09-22 22:10:24): [be[example.org]] [sdap_print_server] (0x2000): Searching 172.16.0.110:389
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(objectCategory=sudoRole)(uSNChanged>=7774))(|(&(!(sudoHost=*))(cn=defaults))(sudoHost=ALL)(sudoHost=dc)(sudoHost=dc.example.org)(sudoHost=10.0.2.15)(sudoHost=10.0.2.0/24)(sudoHost=172.16.0.110)(sudoHost=172.16.0.0/24)(sudoHost=fe80::a00:27ff:fe8d:c04d)(sudoHost=fe80::/64)(sudoHost=fe80::a00:27ff:fecf:cc27)(sudoHost=fe80::/64)(sudoHost=+*)))][DC=example,DC=org].
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectCategory]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAs]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(2021-09-22 22:10:24): [be[example.org]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 3
[...]
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_load_sudoers_done] (0x0200): Received 0 sudo rules
(2021-09-22 22:10:24): [be[example.org]] [sdap_id_op_done] (0x4000): releasing operation connection
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_refresh_done] (0x0400): Received 0 rules
(2021-09-22 22:10:24): [be[example.org]] [ldb] (0x10000): start ldb transaction (nesting: 0)
(2021-09-22 22:10:24): [be[example.org]] [ldb] (0x10000): start ldb transaction (nesting: 1)
(2021-09-22 22:10:24): [be[example.org]] [sysdb_sudo_purge_byrules] (0x0400): About to remove rules from sudo cache
(2021-09-22 22:10:24): [be[example.org]] [ldb] (0x10000): commit ldb transaction (nesting: 1)
(2021-09-22 22:10:24): [be[example.org]] [ldb] (0x10000): commit ldb transaction (nesting: 0)
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_refresh_done] (0x0400): Sudoers is successfully stored in cache
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [7782]
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_smart_refresh_done] (0x0400): Successful smart refresh of sudo rules
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_schedule] (0x0400): Task [SUDO Smart Refresh]: scheduling task 900 seconds from last execution time [1632349524]
[...]
The solution is to set sudo_provider to none to disable all sudo-related activity.
$ sudo cat /etc/sssd/sssd.conf
[sssd]
domains = example.org
config_file_version = 2
services = nss, pam

[domain/example.org]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.ORG
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.org
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
sudo_provider = none
Restart the sssd service.
$ sudo systemctl restart sssd
Done.
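A way to check for this condition before and after the change, as an added example that is not part of the original post: it flags enabled domains whose sudo provider is still active although the sudo responder is not in services, and counts Smart Refresh runs in a domain log. The function names and both samples are constructed for illustration; the fallback of an unset sudo_provider to id_provider follows sssd.conf(5).

```python
import configparser

# Constructed sample: the page's sssd.conf trimmed, before sudo_provider is added.
SAMPLE_CONF = """\
[sssd]
domains = example.org
services = nss, pam

[domain/example.org]
id_provider = ad
access_provider = ad
fallback_homedir = /home/%u@%d
"""

# Constructed sample in the log format shown on the page.
SAMPLE_LOG = """\
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_execute] (0x0400): Task [SUDO Smart Refresh]: executing task, timeout 900 seconds
(2021-09-22 22:10:24): [be[example.org]] [sdap_sudo_load_sudoers_done] (0x0200): Received 0 sudo rules
(2021-09-22 22:10:24): [be[example.org]] [be_ptask_done] (0x0400): Task [SUDO Smart Refresh]: finished successfully
"""

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def unneeded_sudo_domains(conf_text):
    """Return enabled domains whose sudo provider is active while the
    sudo responder is not listed in [sssd] services."""
    # interpolation=None: values like /home/%u@%d are not configparser templates.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if "sudo" in _csv(cp.get("sssd", "services", fallback="")):
        return []
    flagged = []
    for name in _csv(cp.get("sssd", "domains", fallback="")):
        section = "domain/" + name
        if not cp.has_section(section):
            continue
        dom = cp[section]
        # Unset sudo_provider falls back to id_provider (sssd.conf(5)).
        provider = dom.get("sudo_provider") or dom.get("id_provider", "none")
        if provider.strip().lower() != "none":
            flagged.append(name)
    return flagged

def smart_refresh_runs(log_text):
    """Count executions of the SUDO Smart Refresh task in a domain log."""
    marker = "Task [SUDO Smart Refresh]: executing task"
    return sum(marker in line for line in log_text.splitlines())

if __name__ == "__main__":
    print(unneeded_sudo_domains(SAMPLE_CONF), smart_refresh_runs(SAMPLE_LOG))
```

The check reads the text of a single configuration file; settings placed in /etc/sssd/conf.d/ snippets are not merged.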