[Freeipa-users] get freeipa to update ad users and groups more often

Rob Verduijn rob.verduijn at gmail.com
Wed May 4 20:51:37 UTC 2016


Hi,

I avoided the slow filling group by using the AD-Group with spaces
(was a tad more challenging for scripting)

But here are the releases (some of them)

ipa 4.2 and sssd 1.13

ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-common-1.13.0-40.el7_2.2.x86_64
sssd-client-1.13.0-40.el7_2.2.x86_64
sssd-ad-1.13.0-40.el7_2.2.x86_64

Cheers
Rob Verduijn

2016-05-04 18:06 GMT+02:00 Jakub Hrozek <jhrozek at redhat.com>:
> On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
>> to make sure I did the following on the ipa host
>>
>> systemctl stop sssd.service
>> rm -f /var/lib/sss/db/*
>> systemctl start sssd.service
>>
>> now there is no cheating from cache
>> getent passwd user@AD-DOMAIN.COM works and gives userid
>> id user@AD-DOMAIN.COM works fine and shows all groups the user is a
>> member of including ad_linux_administrators (ipa group) and 'linux
>> administrators@AD-DOMAIN.COM'
>> getent group ad_linux_administrators only shows the group ad, no
>> members, these pop up after a very long time
>> getent group 'linux administrators@AD-DOMAIN.COM' immediately shows all members
>
> Please note that getent group only works with very recent versions of
> ipa and sssd. What version are you running?
>
>>
>> weird....
>>
>> Rob Verduijn
>>
>> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek <jhrozek at redhat.com>:
>> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> >> This goes especially for ad groups that are nested in ipa_groups
>> >>
>> >> ie :
>> >> Microsoft group is defined as an external group,
>> >> and that external group is member of an ipa group
>> >> and that ipa group takes forever.
>> >>
>> >> Regards
>> >> Rob Verduijn
>> >
>> > All the work in this area is done by sssd on the server. The sssd there
>> > runs a periodical task to re-fetch new external groups memberships every
>> > 10 seconds. So I would expect the group memberships to turn up after 10
>> > seconds at worst.
>> >
>> > Are you sure (from sssd logs) that maybe sssd is not going into offline
>> > state and just consults its cache?
>> >
>> >>
>> >>
>> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verduijn at gmail.com>:
>> >> > Hello,
>> >> >
>> >> > I'm using a trust to microsoft active directory to allow users access
>> >> > to linux servers.
>> >> >
>> >> > But when a user is added it takes a very long time for ipa to register this.
>> >> > And even more time for the ipa clients since they have to wait for the
>> >> > ipa servers.
>> >> >
>> >> > Since I hate to tell the users to wait for a couple hours, and also I
>> >> > do not like to clean up the sssd cache folder each time a new user
>> >> > appears.
>> >> >
>> >> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >> >
>> >> > Regards
>> >> > Rob Verduijn
>> >>
>> >> --
>> >> Manage your subscription for the Freeipa-users mailing list:
>> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> Go to http://freeipa.org for more info on the project



