[Freeipa-users] sssd shows deleted users as well

Jakub Hrozek jhrozek at redhat.com
Fri Jul 22 08:41:48 UTC 2016


On Fri, Jul 22, 2016 at 10:28:30AM +0200, Lukas Slebodnik wrote:
> On (22/07/16 13:25), Rakesh Rajasekharan wrote:
> >Hi,
> >
> >I am running freeipa version 4.2.0 and sssd version 1.13.0
> >
> >I have set "enumerate=True" to show IPA users as well in getent passwd.
> >
> >However, the getent passwd continues to show users that have got deleted as
> >well.
> >
> >Heres my sssd config file
> >[domain/xyz.com]
> >enumerate = TRUE
> >krb5_auth_timeout = 30
> >
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = xyz.com
> >id_provider = ipa
> >auth_provider = ipa
> >access_provider = ipa
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >ipa_hostname = 10.16.11.134
> >chpass_provider = ipa
> >ipa_server = _srv_, ipa-master-int.xyz.com
> >dns_discovery_domain = xyz.com
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >
> >domains = xyz.com
> >[nss]
> >homedir_substring = /home
> >
> >[pam]
> >
> >[sudo]
> >
> >[autofs]
> >
> >[ssh]
> >
> >[pac]
> >
> >[ifp]
> >
> >Is this an expected behaviour or am i missing something in my config
> >
> When a user is removed from IPA, it is not automatically removed from sssd.
> SSSD has a few levels of caches which are indirectly used by "getent passwd".
> The user or group will be removed after the next look-up in IPA which
> is usually after expiration of the entry in the sssd cache.

Deleted users are only detected when they are looked up directly or when
a cleanup task is run, because in order to avoid fetching the whole
directory all the time, enumeration tries to only download entries with
higher lastUSN than seen last time. So as Lukas said, it can be expected
that entries show up.

I think the most important lesson here should be don't use
"enumerate=true" :-)

> 
> Another way to force removing entries from the sssd cache is
> to authenticate with the user. SSSD fetches the latest data from LDAP/IPA
> with each authentication for security reasons.
> 
> You can also invalidate user in sssd cache "sss_cache -u someuser"
> and SSSD will detect removed user in IPA after attempt to refresh data
> in sssd cache.
> 
> LS
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
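As an added example (not from the thread, and not SSSD's or FreeIPA's own code), a small POSIX shell script that applies the sss_cache -u suggestion above to every cached user that no longer exists on the IPA server, so stale entries are refreshed on the next lookup instead of waiting for the cache to expire. It assumes `getent -s sss passwd` enumerates the sssd-cached users (enumerate = true), that `ipa user-find --all --raw` lists server-side users under a valid Kerberos ticket, and the `--run` flag is this script's own:

```shell
#!/bin/sh
# stale_users CACHED LIVE
#   $1: newline-separated user names the local sssd cache still enumerates
#   $2: newline-separated user names that currently exist in IPA
#   Prints the names present in CACHED but absent from LIVE, one per line.
stale_users() {
    { printf '%s\n' "$2"; echo '__END_LIVE__'; printf '%s\n' "$1"; } |
    awk '
        # First part of the stream: remember every live IPA user name.
        live_done == 0 {
            if ($0 == "__END_LIVE__") { live_done = 1 }
            else if ($0 != "") { live[$0] = 1 }
            next
        }
        # Second part: cached names that IPA no longer knows about.
        $0 != "" && !($0 in live) && !seen[$0]++ { print }
    '
}

# Names sssd currently hands out through NSS (assumption: the sss service
# is the only source of IPA users on this host).
cached_users() { getent -s sss passwd | cut -d: -f1; }

# Names that exist on the IPA server right now (assumption: a Kerberos
# ticket for a user allowed to search users is available).
ipa_users() { ipa user-find --all --raw | awk '$1 == "uid:" { print $2 }'; }

# Invalidate each stale entry so the next lookup goes back to IPA and the
# deleted user disappears from "getent passwd".
invalidate_stale() {
    stale_users "$(cached_users)" "$(ipa_users)" |
    while IFS= read -r user; do
        echo "invalidating cached entry for $user"
        sss_cache -u "$user"
    done
}

# Only touch the live system when explicitly asked (run as root).
if [ "${1:-}" = "--run" ]; then
    invalidate_stale
fi
```

Run it as `sh stale_sss_users.sh --run` on the client; without the flag it only defines the functions.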
