[Freeipa-users] Is there any delay after applied rules to user?

Jakub Hrozek jhrozek at redhat.com
Thu Jul 30 13:54:51 UTC 2015


On Thu, Jul 30, 2015 at 07:09:47PM +0700, Dewangga Bachrul Alam wrote:
> Hello Jakub!
> 
> Sorry for the delayed email.
> My bad, I disabled cache_credentials, not sssd_cache.

Then I think it's completely unrelated to the sudo rules problem.

> 
> I tried modifying my user `dewangga` to remove sudo rules, but the cache is
> still active even when I restart the sssd service and delete all ccache* files.

Yes, cache can't be completely disabled with sssd. See:
    https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/

> 
> There's no information in the sssd log folder.
> 
> -rw-------.  1 root root    0 Jul 29 19:26 krb5_child.log
> -rw-------.  1 root root 105K Jul 30 04:49 ldap_child.log
> -rw-------.  1 root root    0 Jul 29 19:26 sssd.log
> -rw-------.  1 root root    0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
> -rw-------.  1 root root    0 Jul 29 19:26 sssd_nss.log
> -rw-------.  1 root root    0 Jul 29 19:26 sssd_pac.log
> -rw-------.  1 root root    0 Jul 29 19:26 sssd_pam.log
> -rw-------.  1 root root    0 Jul 29 19:26 sssd_ssh.log
> -rw-------.  1 root root    0 Jul 29 19:26 sssd_sudo.log
> 
> 
> On 07/30/2015 02:33 PM, Jakub Hrozek wrote:
> > On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
> >> Hello!
> >>
> >> I set the cache value to False in sssd.conf (on the IPA server and client).
> > 
> > Can you show me the exact config directive you used?
> > 
> >>
> >> On Thursday, July 30, 2015, Jakub Hrozek <jhrozek at redhat.com> wrote:
> >>
> >>> On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
> >>>> Hello!
> >>>>
> >>>> Thanks for the hints, both of you. Yes, the sssd_cache is in play.
> >>>> I've set the cache to false; does it have any impact on the IPA
> >>>> server/client (performance, security or another issue)?
> >>>
> >>> How exactly did you 'disable' the cache? The sssd cache can't be
> >>> disabled; it can either be removed manually or the cache lifetime can be
> >>> set short.
> >>>
> >>
> >>
> >> -- 
> >> Sent from iDewangga Device
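
The distinction drawn in this thread, as an added example that is not part of the original messages: a Python check that reads an sssd.conf and reports the options that bound how long cached sudo rules live, noting that `cache_credentials` is not one of them. The sample config, the `example.test` domain and the `max_age` policy bound are constructed for illustration; the option names come from sssd.conf(5) and sssd-ldap(5), and the default values are assumptions to verify against the installed SSSD version.

```python
import configparser

# Defaults in seconds as documented in sssd.conf(5) and sssd-ldap(5).
# Assumption: verify against the man pages of the installed SSSD version.
DEFAULTS = {
    "entry_cache_timeout": 5400,
    "ldap_sudo_smart_refresh_interval": 900,
    "ldap_sudo_full_refresh_interval": 21600,
}

# Constructed sample: only cache_credentials was changed, as in the thread.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
cache_credentials = False
"""

def audit_sudo_cache(conf_text, max_age=900):
    """Report sudo-rule cache lifetimes per domain.

    max_age is a hypothetical policy bound (seconds) for acceptable staleness.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    reports = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        dom = cp[name]
        base = dom.getint("entry_cache_timeout", fallback=DEFAULTS["entry_cache_timeout"])
        # entry_cache_sudo_timeout falls back to entry_cache_timeout when unset.
        life = {"entry_cache_sudo_timeout": dom.getint("entry_cache_sudo_timeout", fallback=base)}
        for opt in ("ldap_sudo_smart_refresh_interval", "ldap_sudo_full_refresh_interval"):
            life[opt] = dom.getint(opt, fallback=DEFAULTS[opt])
        notes = []
        if "cache_credentials" in dom:
            notes.append("cache_credentials is set, but it does not control the sudo rule cache")
        reports.append({
            "domain": name.split("/", 1)[1],
            "lifetimes": life,
            "over_policy": sorted(k for k, v in life.items() if v > max_age),
            "notes": notes,
        })
    return reports

if __name__ == "__main__":
    for report in audit_sudo_cache(SAMPLE_CONF):
        print(report)
```

On a client, point the function at the contents of `/etc/sssd/sssd.conf` (readable by root only) instead of the constructed sample.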



