[Freeipa-users] Trusted Domain Users - entry_cache_timeout

Jakub Hrozek jhrozek at redhat.com
Thu Dec 10 16:21:30 UTC 2015


On Thu, Dec 10, 2015 at 11:43:48AM +0100, Jakub Hrozek wrote:
> On Thu, Dec 10, 2015 at 11:25:57AM +0100, Martin Kosek wrote:
> > On 12/09/2015 12:58 PM, Winfried de Heiden wrote:
> > > Hi all,
> > > 
> > > Using entry_cache_timeout to set different cache timeout for sssd works well. 
> > > However, it doesn't seem to work for Trusted Domain Users (using AD trust)
> > > 
> > > I made some changes, cleaned the cache but expiry will stay on a (too long) 10 
> > > (ten!) hours!
> > > 
> > > How can I change the sssd cache timeout for Trusted AD users ? (using IPA 4.1)
> > > 
> > > Kind regards!
> > 
> > I assume the option has to be specified in the respective AD domain section.
> > Can you share your anonymized sssd.conf so that we can verify your settings?
> 
> Looks like I'm having issues replying to the freeipa-users list or maybe
> the mails are stuck in moderation.
> 
> Let me paste the mail I sent yesterday:
> 
> ~~~~~~~~~~~~~~~
> Since it's the IPA master that fetches the identity data from the AD
> server, you also need to change the cache timeouts on the server. In
> addition, the cache time lifetime is stored in the cache entry itself,
> so you might want to invalidate the cache with sss_cache on both the
> server and the client.
> ~~~~~~~~~~~~~~~

I'm sorry, I should test stuff before replying next time :-(
Unfortunately you're right:

static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
                                    struct req_input *req_input,
                                    struct resp_attrs *attrs,
                                    struct resp_attrs *simple_attrs,
                                    const char *view_name,
                                    struct sysdb_attrs *override_attrs,
                                    bool update_initgr_timeout)
{
    int ret;
    time_t now;
    uint64_t timeout = 10*60*60; /* FIXME: find a better timeout !  */

Please work with support (the support engineers tell me you already
opened a support case) to open a bug. One idea might be to temporarily
extend the list of values we allow to be overridden by subdomains so that
also entry_cache_timeout works for subdomain objects. But details should
be decided later.
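
Added example, not part of the original message and not SSSD code: a check that computes each cached entry's effective lifetime from the timestamps stored in the entry itself and flags entries that carry the hardcoded 10*60*60 value instead of the configured entry_cache_timeout. It assumes LDIF text as printed by ldbsearch over the SSSD cache, with the sysdb attributes lastUpdate and dataExpireTimestamp; the sample entries and the function names are constructed for illustration.

```python
import re

# Value hardcoded in ipa_s2n_save_objects() as quoted in the message above.
HARDCODED_SUBDOMAIN_TIMEOUT = 10 * 60 * 60

# Constructed sample in LDIF shape; names, domains and timestamps are made up.
SAMPLE_LDIF = """\
dn: name=alice,cn=users,cn=ipa.example,cn=sysdb
name: alice
lastUpdate: 1449700000
dataExpireTimestamp: 1449700300

dn: name=bob@ad.example,cn=users,cn=ad.example,cn=sysdb
name: bob@ad.example
lastUpdate: 1449700000
dataExpireTimestamp: 1449736000
"""


def parse_entries(ldif):
    """Split LDIF text into dicts of attribute -> value (single-valued only)."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if "dn" in entry:
            entries.append(entry)
    return entries


def effective_timeouts(ldif, configured_timeout):
    """Return (name, lifetime_seconds, verdict) per entry that has both timestamps."""
    results = []
    for e in parse_entries(ldif):
        try:
            lifetime = int(e["dataExpireTimestamp"]) - int(e["lastUpdate"])
        except (KeyError, ValueError):
            continue  # entry without usable timestamps
        if lifetime <= 0:
            verdict = "expired or invalidated"
        elif lifetime == configured_timeout:
            verdict = "honours entry_cache_timeout"
        elif lifetime == HARDCODED_SUBDOMAIN_TIMEOUT:
            verdict = "hardcoded 10h"
        else:
            verdict = "other"
        results.append((e.get("name", e["dn"]), lifetime, verdict))
    return results
```

Entries written before a configuration change keep their old expiry, so run the check again after invalidating the cache with sss_cache on both the server and the client.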



