[Freeipa-users] sssd shows deleted users as well

Lukas Slebodnik lslebodn at redhat.com
Fri Jul 22 08:28:30 UTC 2016


On (22/07/16 13:25), Rakesh Rajasekharan wrote:
>Hi,
>
>I am running freeipa version 4.2.0 and sssd version 1.13.0
>
>I have set "enumerate=True" to show IPA users as well in getent passwd.
>
>However, the getent passwd continues to show users that have got deleted as
>well.
>
>Here's my sssd config file
>[domain/xyz.com]
>enumerate = TRUE
>krb5_auth_timeout = 30
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = xyz.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>ipa_hostname = 10.16.11.134
>chpass_provider = ipa
>ipa_server = _srv_, ipa-master-int.xyz.com
>dns_discovery_domain = xyz.com
>[sssd]
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>domains = xyz.com
>[nss]
>homedir_substring = /home
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>Is this an expected behaviour or am I missing something in my config?
>
When a user is removed from IPA, it is not automatically removed from SSSD.
SSSD has a few levels of caches which are indirectly used by "getent passwd".
The user or group will be removed after the next look-up in IPA, which
is usually after expiration of the entry in the sssd cache.

Another way to force removal of entries from the sssd cache is
to authenticate as the user. SSSD fetches the latest data from LDAP/IPA
with each authentication, for security reasons.

You can also invalidate the user in the sssd cache with "sss_cache -u someuser",
and SSSD will detect the removed user in IPA after the attempt to refresh the data
in the sssd cache.

LS
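The following is an added example, not code from this thread or from the SSSD project. It shows one way to close the gap Lukas describes on a client host: list the users that "getent passwd" still serves from the SSSD cache, compare them with the users that currently exist in IPA, and invalidate the stale ones with "sss_cache -u" so the next lookup refreshes them from the server. The comparison is kept in a pure function (stale_users) so it can be exercised with constructed input; the live collection assumes the ipa client tools are installed, a valid Kerberos ticket is present, and that "ipa user-find --raw" prints each login as a "uid: <name>" line.

```bash
#!/bin/bash
# Added example, not code from the thread or from the SSSD project.
# Finds users that "getent passwd" still lists (served from the SSSD cache)
# but that no longer exist in IPA, and invalidates them with "sss_cache -u"
# so the next lookup refreshes them from the server instead of the cache.

# Pure helper: takes two newline-separated lists (users currently served
# by SSSD, users that exist in IPA) and prints the cached users that IPA
# no longer knows about. Kept free of sssd/ipa calls so it can be run
# against constructed input.
stale_users() {
    cached="$1"
    current="$2"
    tmp_cached=$(mktemp)
    tmp_current=$(mktemp)
    # comm needs sorted, duplicate-free input; drop empty lines first
    printf '%s\n' "$cached" | sed '/^$/d' | sort -u > "$tmp_cached"
    printf '%s\n' "$current" | sed '/^$/d' | sort -u > "$tmp_current"
    # lines only in the first file = cached by SSSD but absent from IPA
    comm -23 "$tmp_cached" "$tmp_current"
    rm -f "$tmp_cached" "$tmp_current"
}

# Users served by SSSD: everything getent returns (enumerate=True makes it
# include the IPA users) minus the local accounts from /etc/passwd.
sssd_served_users() {
    getent_tmp=$(mktemp)
    local_tmp=$(mktemp)
    getent passwd | cut -d: -f1 | sort -u > "$getent_tmp"
    cut -d: -f1 /etc/passwd | sort -u > "$local_tmp"
    comm -23 "$getent_tmp" "$local_tmp"
    rm -f "$getent_tmp" "$local_tmp"
}

# Users that exist in IPA right now (assumption: raw output lists the
# login as "uid: <name>"). Requires a valid Kerberos ticket.
ipa_users() {
    ipa user-find --sizelimit=0 --raw | awk '$1 == "uid:" { print $2 }'
}

# Only touches the live system when invoked as: ./stale_sssd_users.sh --apply
if [ "${1:-}" = "--apply" ]; then
    # refuse to run without a ticket, otherwise an empty IPA list would
    # make every cached user look stale
    klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; exit 1; }
    stale=$(stale_users "$(sssd_served_users)" "$(ipa_users)")
    if [ -z "$stale" ]; then
        echo "no stale SSSD entries found"
    else
        for u in $stale; do
            echo "invalidating stale cache entry for $u"
            sss_cache -u "$u"
        done
    fi
fi
```

Run it as root (sss_cache writes to the SSSD cache) with --apply after kinit; without --apply it only defines the functions. Invalidation is not deletion: SSSD re-queries IPA on the next lookup of that user and drops the entry when the server reports it gone, which is exactly the refresh path described above.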