[Freeipa-users] AD Integration change propagation timing

Jakub Hrozek jhrozek at redhat.com
Fri Apr 8 07:50:11 UTC 2016


On Fri, Apr 08, 2016 at 09:36:11AM +0200, Sumit Bose wrote:
> On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
> > I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa
> > 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2.
> > Given a simple scenario of a group in active directory that is mapped to a
> > POSIX group in FreeIPA, if a change is made on the AD side such as adding a
> > user to an AD group, how long should it take on the FreeIPA side before the
> > change would show up?  What would the maximum time it could take before the
> > change propagates to a server joined to FreeIPA?  What if a user was logged
> > into the server and was waiting on the change (assuming the MS PAC was
> > cached by sssd)?  This would be for a simple forest trust with FreeIPA and a
> > medium/small AD environment.  Also, assuming that sssd was not restarted
> > and/or the cache flushed.
> > I'm not looking for exact timing, just some estimates.
> 
> By default SSSD has a cache timeout of 5400s aka 1.5h, see the
> entry_cache_timeout and following entries in man sssd.conf for details.
> In the worst case on a client you have to add the timeout of the client
> and the server.

Yes, just please be aware of https://fedorahosted.org/sssd/ticket/2899
which was fixed only recently and we haven't released sssd-1.13.4 yet
upstream.
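The worst-case estimate above (server cache timeout plus client cache timeout) as an added example, not code from the thread or from SSSD: it reads the relevant options out of sssd.conf text and applies the documented override order (entry_cache_group_timeout over entry_cache_timeout over the built-in 5400s default). The host names, domain name and configuration values are constructed, and the example assumes the timeouts in the named domain section are the ones that apply.

```python
import configparser

# SSSD's built-in default for entry_cache_timeout (seconds), per man sssd.conf.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400


def parse_sssd_conf(text):
    """Parse sssd.conf-style INI text; option names are kept case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective_group_timeout(cp, domain):
    """Seconds a cached group entry stays valid in [domain/<domain>].
    entry_cache_group_timeout overrides entry_cache_timeout, which overrides
    the built-in default; neither option has to be present."""
    sect = "domain/" + domain
    for key in ("entry_cache_group_timeout", "entry_cache_timeout"):
        if cp.has_option(sect, key):
            return int(cp.get(sect, key))
    return DEFAULT_ENTRY_CACHE_TIMEOUT


def worst_case_propagation(server_cp, client_cp, domain):
    """Worst case from the thread: the IPA server's cache must expire first,
    then the client's, so the two timeouts add up."""
    return (effective_group_timeout(server_cp, domain)
            + effective_group_timeout(client_cp, domain))


# Constructed sample configs for a hypothetical IPA server and client.
SERVER_CONF = """[sssd]
domains = ipa.test
services = nss, pam
[domain/ipa.test]
id_provider = ipa
entry_cache_timeout = 600
"""

CLIENT_CONF = """[sssd]
domains = ipa.test
services = nss, pam
[domain/ipa.test]
id_provider = ipa
entry_cache_group_timeout = 120
"""
```

With the sample files, a group membership change can take up to 600 + 120 = 720 seconds to reach the client even though only the client lowered its group timeout.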
