[Freeipa-users] Is there any delay after applied rules to user?

Jakub Hrozek jhrozek at redhat.com
Mon Aug 3 08:14:48 UTC 2015


On Fri, Jul 31, 2015 at 09:19:30AM +0700, Dewangga Bachrul Alam wrote:
> Hello!
> 
> Sorry for making you confused.
> 
> The main problem is the cache on the ipa server/client. How long does the
> cache remain active and refresh with the correct policy/rules?

See man sssd-sudo for explanation of the sudo lookups.

> 
> Whenever I set the sudo rules or modify another configuration (policy,
> etc), there is always a delay.

The best would be to run one such example with logs to see exactly what
queries sssd ran and to also rule out sssd going offline later in
the process.

> 
> And until now, the global_policy still isn't using the correct configuration.
> It's still using the min 0, max 0 configuration (I set this policy
> yesterday, and reverted it back to min 1 max 90 yesterday too)
> 
> Any hints?
> 
> On 07/31/2015 01:47 AM, Jakub Hrozek wrote:
> > On Thu, Jul 30, 2015 at 09:50:23PM +0700, Dewangga Bachrul Alam wrote:
> >> Hello!
> >>
> >> I don't know where to start tracking down this issue. I found
> >> something else interesting.
> >>
> >> 1. Set `global_policy` password expired (both min and max) to 0 (zero)
> >> 2. Add user called `dummy`
> >> 3. Set global_policy password expired min (1) and max (90).
> >> 4. Add user called `dummy2`
> >>
> >> Both users dummy and dummy2 have the same password expiration :D
> >> This problem is the same when assigning sudo/group to a user.
> >>
> >> I set debug_level = 7 in the following sections in sssd.conf:
> >>
> >> [domain/mydomain.co.id]
> >> .. debug_level = 7 ..
> >>
> >> [sssd]
> >> .. debug_level = 7 ..
> >>
> >> [sudo]
> >> .. debug_level = 7 ..
> >>
> >> I didn't find any related information about the 4 steps above.
> > 
> > I'm sorry, but I'm getting a bit confused about what is and what is not
> > the problem. Can we take a step back and see what works in your
> > environment and what does not?
> > 
> > Can you describe the workflow?
> > 



