[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Lukas Slebodnik lslebodn at redhat.com
Fri Oct 17 11:39:32 UTC 2014


On (17/10/14 16:28), Orkhan Gasimov wrote:
>Of course! But for now I'm in the process of checking my integration and there
>are some things I don't like.
>First and foremost, any change on the IPA server is not automatically
>reflected on the BSD client.
sssd uses a few levels of caches. If you want to have up-to-date data
you need to invalidate the sssd cache (sss_cache -UG).
Details are in man sss_cache. It is not related to FreeBSD. The same behaviour
is on Linux.

If user authenticates to machine with sssd then fresh data is downloaded from
server. That's the only exception.

>Only after SSSD is manually restarted on the client, something like its
>cache is cleared happens and new rules apply.
>For now I'm not even checking something complex like sudo rule groups with
>host groups, it's just a simple sudo rule for a single user.
sudo is much more tricky about up-to-date data. sssd uses periodic tasks for
refreshing rules. It is not possible to invalidate sudo rules with the
sss_cache tool. A detailed description of the sudo rules caching mechanism is in the manual page
man sssd-sudo -> "THE SUDO RULE CACHING MECHANISM"

LS
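
An added example, not part of the original message: an sssd.conf fragment showing the options that control the periodic sudo refreshes described in man sssd-sudo. The domain name and the interval values are constructed for illustration; the defaults are noted in the comments.

```ini
# sssd.conf fragment (added example; domain name and values are assumptions)
[sssd]
services = nss, pam, sudo

[domain/example.test]
# Smart refresh: periodically fetches rules that are new or were modified
# since the last update. Default: 900 seconds.
ldap_sudo_smart_refresh_interval = 300

# Full refresh: periodically downloads all rules, which also removes rules
# that were deleted on the server. Must be greater than the smart refresh
# interval. Default: 21600 seconds.
ldap_sudo_full_refresh_interval = 3600

# How long a cached rule is considered valid before the rules refresh
# (triggered when the user runs sudo) re-downloads it. Default: 5400 seconds.
entry_cache_sudo_timeout = 600
```

With the defaults, a sudo rule removed on the server can stay usable from a client's cache until the next rules or full refresh, so shorter intervals narrow that window at the cost of more LDAP traffic.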



