[Freeipa-users] Is there any delay after applied rules to user?

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Thu Jul 30 14:50:23 UTC 2015


Hello!

I don't know where to start tracking down this issue. I found
something else interesting.

1. Set `global_policy` password expired (both min and max) to 0 (zero)
2. Add user called `dummy`
3. Set global_policy password expired min (1) and max (90).
4. Add user called `dummy2`

Both users, dummy and dummy2, have the same password expiration :D
This problem is the same as with assigning sudo/group to a user.

I set debug_level = 7 in the following sections of sssd.conf:

[domain/mydomain.co.id]
.. debug_level = 7 ..

[sssd]
.. debug_level = 7 ..

[sudo]
.. debug_level = 7 ..

I didn't find any related information about the 4 steps above.

On 07/30/2015 08:54 PM, Jakub Hrozek wrote:
> On Thu, Jul 30, 2015 at 07:09:47PM +0700, Dewangga Bachrul Alam wrote:
>> Hello Jakub!
>>
>> Sorry for the delayed email,
>> My bad, I disabled cache_credentials, not sssd_cache.
> 
> Then I think it's completely unrelated to the sudo rules problem.
> 
>>
>> I tried modifying my user `dewangga` to remove sudo rules; the cache
>> is still active even if I restart the sssd service and delete all ccache* files.
> 
> Yes, cache can't be completely disabled with sssd. See:
>     https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
> 
>>
>> There's no information in the sssd log folder.
>>
>> -rw-------.  1 root root    0 Jul 29 19:26 krb5_child.log
>> -rw-------.  1 root root 105K Jul 30 04:49 ldap_child.log
>> -rw-------.  1 root root    0 Jul 29 19:26 sssd.log
>> -rw-------.  1 root root    0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
>> -rw-------.  1 root root    0 Jul 29 19:26 sssd_nss.log
>> -rw-------.  1 root root    0 Jul 29 19:26 sssd_pac.log
>> -rw-------.  1 root root    0 Jul 29 19:26 sssd_pam.log
>> -rw-------.  1 root root    0 Jul 29 19:26 sssd_ssh.log
>> -rw-------.  1 root root    0 Jul 29 19:26 sssd_sudo.log
>>
>>
>> On 07/30/2015 02:33 PM, Jakub Hrozek wrote:
>>> On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
>>>> Hello!
>>>>
>>>> I set the cache value to False in sssd.conf (on IPA server and client).
>>>
>>> Can you show me the exact config directive you used?
>>>
>>>>
>>>> On Thursday, July 30, 2015, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>>
>>>>> On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
>>>>>> Hello!
>>>>>>
>>>>>> Thanks for the hints, both of you; yes, the sssd_cache is in play.
>>>>>> I've set the cache to false; does it have any impact on the ipa
>>>>>> server/client (performance, security or another issue)?
>>>>>
>>>>> How exactly did you 'disable' the cache? The sssd cache can't be
>>>>> disabled, it can either be removed manually or the cache lifetime can be
>>>>> set short.
>>>>>
>>>>>
>>>>
>>>>
>>>> -- 
>>>> Sent from iDewangga Device
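
The distinction discussed in this thread (cache_credentials versus the SSSD entry cache), as an added example that is not from any of the posters or the SSSD project: it reads an sssd.conf and reports, per domain, the entry-cache lifetimes that apply to identity and sudo lookups. The sample config, the domain name and the function names are constructed; the option names and the 5400-second default are taken from sssd.conf(5).

```python
import configparser

# Default for entry_cache_timeout per sssd.conf(5), in seconds.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400

# Constructed sample config (not taken from the thread).
SAMPLE_CONF = """
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
cache_credentials = False
entry_cache_sudo_timeout = 300
"""

def cache_report(conf_text):
    """Return, per domain, the settings that bound how long cached entries stay valid."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        entry = dom.getint("entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
        report[section[len("domain/"):]] = {
            "entry_cache_timeout": entry,
            # Falls back to entry_cache_timeout when not set explicitly.
            "entry_cache_sudo_timeout": dom.getint("entry_cache_sudo_timeout", fallback=entry),
            "cache_credentials": dom.getboolean("cache_credentials", fallback=False),
        }
    return report

def explain(report):
    """Turn the report into short notes an administrator can act on."""
    notes = []
    for name, s in report.items():
        if not s["cache_credentials"]:
            notes.append(f"{name}: cache_credentials is off; this only affects offline "
                         "password caching and leaves the entry cache in place")
        notes.append(f"{name}: sudo rule cache entries valid for {s['entry_cache_sudo_timeout']}s, "
                     f"user/group entries for {s['entry_cache_timeout']}s")
    return notes

if __name__ == "__main__":
    print("\n".join(explain(cache_report(SAMPLE_CONF))))
```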



