[Freeipa-users] Trusted Domain Users - entry_cache_timeout
Jakub Hrozek
jhrozek at redhat.com
Thu Dec 10 16:21:30 UTC 2015
On Thu, Dec 10, 2015 at 11:43:48AM +0100, Jakub Hrozek wrote:
> On Thu, Dec 10, 2015 at 11:25:57AM +0100, Martin Kosek wrote:
> > On 12/09/2015 12:58 PM, Winfried de Heiden wrote:
> > > Hi all,
> > >
> > > Using entry_cache_timeout to set different cache timeout for sssd works well.
> > > However, it doesn't seem to work for Trusted Domain Users (using AD trust)
> > >
> > > I made some changes, cleaned the cache but expiry will stay on a (too long) 10
> > > (ten!) hours!
> > >
> > > How can I change the sssd cache timeout for Trusted AD users ? (using IPA 4.1)
> > >
> > > Kind regards!
> >
> > I assume the option has to be specified in the respective AD domain section.
> > Can you share your anonymized sssd.conf so that we can verify your settings?
>
> Looks like I'm having issues replying to the freeipa-users list or maybe
> the mails are stuck in moderation.
>
> Let me paste the mail I sent yesterday:
>
> ~~~~~~~~~~~~~~~
> Since it's the IPA master that fetches the identity data from the AD
> server, you also need to change the cache timeouts on the server. In
> addition, the cache time lifetime is stored in the cache entry itself,
> so you might want to invalidate the cache with sss_cache on both the
> server and the client.
> ~~~~~~~~~~~~~~~
I'm sorry, I should test stuff before replying next time :-(
Unfortunately you're right:
    static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
                                        struct req_input *req_input,
                                        struct resp_attrs *attrs,
                                        struct resp_attrs *simple_attrs,
                                        const char *view_name,
                                        struct sysdb_attrs *override_attrs,
                                        bool update_initgr_timeout)
    {
        int ret;
        time_t now;
        uint64_t timeout = 10*60*60; /* FIXME: find a better timeout ! */
Please work with support (the support engineers tell me you already
opened a support case) to open a bug. One idea might be to temporarily
extend the list of values we allow to be overridden by subdomains so that
also entry_cache_timeout works for subdomain objects. But details should
be decided later..
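
Added example, not part of the original mail or of the SSSD code: because the lifetime is stored in each cache entry, the timeout an entry was actually saved with can be read back as dataExpireTimestamp minus lastUpdate. The sketch parses LDIF text in the shape ldbsearch prints for an SSSD cache file; the sample records, domain names and function names are constructed, and folded or base64-encoded LDIF lines are not handled.

```python
import re

# 10 hours, the value hard-coded in the ipa_s2n_save_objects() excerpt above
S2N_TIMEOUT = 10 * 60 * 60

# Constructed sample in the shape of ldbsearch output from an SSSD cache file
SAMPLE_LDIF = """\
# record 1
dn: name=alice,cn=users,cn=ipa.example,cn=sysdb
lastUpdate: 1449760000
dataExpireTimestamp: 1449760300

# record 2
dn: name=bob@ad.example,cn=users,cn=ad.example,cn=sysdb
lastUpdate: 1449760000
dataExpireTimestamp: 1449796000

# record 3 (expiry in the past, e.g. after the entry was invalidated)
dn: name=carol@ad.example,cn=users,cn=ad.example,cn=sysdb
lastUpdate: 1449760000
dataExpireTimestamp: 1
"""

def entry_lifetimes(ldif):
    """Map each dn to the lifetime (seconds) it was saved with, or None."""
    lifetimes = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                rec[key] = value.strip()
        if "dn" not in rec:
            continue
        try:
            life = int(rec["dataExpireTimestamp"]) - int(rec["lastUpdate"])
        except (KeyError, ValueError):
            life = None  # attribute missing or not numeric
        # A non-positive lifetime means the entry is already expired/invalidated
        lifetimes[rec["dn"]] = life if life is not None and life > 0 else None
    return lifetimes

def hardcoded_entries(ldif):
    """Return dns whose stored lifetime equals the hard-coded 10-hour value."""
    return sorted(dn for dn, life in entry_lifetimes(ldif).items()
                  if life == S2N_TIMEOUT)

if __name__ == "__main__":
    for dn, life in entry_lifetimes(SAMPLE_LDIF).items():
        print(f"{life!s:>6}  {dn}")
```

Entries that still report 36000 seconds after entry_cache_timeout was lowered and the cache invalidated were saved with the hard-coded value rather than the configured one.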