[Freeipa-users] get freeipa to update ad users and groups more often

Jakub Hrozek jhrozek at redhat.com
Thu May 5 05:58:15 UTC 2016


On Wed, May 04, 2016 at 10:51:37PM +0200, Rob Verduijn wrote:
> Hi,
> 
> I avoided the slow filling group by using the AD-Group with spaces
> (was a tad more challenging for scripting)
> 
> But here's the releases (some of them)
> 
> ipa 4.2 and sssd 1.13
> 
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

The IPA packages haven't been released yet (those will be
at least ipa-4.2.0-15.el7_2.15) but even with older packages, I would
have expected id to return the groups, "just" not getent group.

> sssd-common-1.13.0-40.el7_2.2.x86_64
> sssd-client-1.13.0-40.el7_2.2.x86_64
> sssd-ad-1.13.0-40.el7_2.2.x86_64
> 
> Cheers
> Rob Verduijn
> 
> 2016-05-04 18:06 GMT+02:00 Jakub Hrozek <jhrozek at redhat.com>:
> > On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> >> to make sure I did the following on the ipa host
> >>
> >> systemctl stop sssd.service
> >> rm -f /var/lib/sss/db/*
> >> systemctl start sssd.service
> >>
> >> now there is no cheating from cache
> >> getent passwd user@AD-DOMAIN.COM works and gives userid
> >> id user@AD-DOMAIN.COM works fine and shows all groups the user is a
> >> member of including ad_linux_administrators (ipa group) and 'linux
> >> administrators@AD-DOMAIN.COM'
> >> getent group ad_linux_administrators only shows the group ad, no
> >> members, these pop up after a very long time
> >> getent group 'linux administrators@AD-DOMAIN.COM' immediately shows all members
> >
> > Please note that getent group only works with very recent versions of
> > ipa and sssd. What version are you running?
> >
> >>
> >> weird....
> >>
> >> Rob Verduijn
> >>
> >> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek <jhrozek at redhat.com>:
> >> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> >> This goes especially for ad groups that are nested in ipa_groups
> >> >>
> >> >> ie :
> >> >> microsoft group is defined as an external group,
> >> >> and that external group is member of an ipa group
> >> >> and that ipa group takes forever.
> >> >>
> >> >> Regards
> >> >> Rob Verduijn
> >> >
> >> > All the work in this area is done by sssd on the server. The sssd there
> >> > runs a periodical task to re-fetch new external groups memberships every
> >> > 10 seconds. So I would expect the group memberships to turn up after 10
> >> > seconds at worst.
> >> >
> >> > Are you sure (from sssd logs) that maybe sssd is not going into offline
> >> > state and just consults its cache?
> >> >
> >> >>
> >> >>
> >> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verduijn at gmail.com>:
> >> >> > Hello,
> >> >> >
> >> >> > I'm using a trust to microsoft active directory to allow users access
> >> >> > to linux servers.
> >> >> >
> >> >> > But when a user is added it takes a very long time for ipa to register this.
> >> >> > And even more time for the ipa clients since they have to wait for the
> >> >> > ipa servers.
> >> >> >
> >> >> > Since I hate to tell the users to wait for a couple hours, and also I
> >> >> > do not like to clean up the sssd cache folder each time a new user
> >> >> > appears.
> >> >> >
> >> >> > Is there a way to tell ipa and all clients to refresh their cache ?
> >> >> >
> >> >> > Regards
> >> >> > Rob Verduijn
> >> >>
> >> >> --
> >> >> Manage your subscription for the Freeipa-users mailing list:
> >> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> >> Go to http://freeipa.org for more info on the project
> >> >
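An added diagnostic, not from this thread or from the FreeIPA/SSSD projects, for the state Rob describes: the IPA group is already visible in `id`, while `getent group` for that IPA group still lists no members. It parses the default `id` and `getent group` output formats, so it copes with AD group names containing spaces; the sample outputs and the user and group names are constructed, and `check_live` assumes a host where `id`/`getent` resolve through sssd.

```shell
#!/bin/sh
# id_has_group "<output of: id USER>" GROUP
# Walks the comma-separated groups=... field of id's default output, which
# keeps names with spaces (e.g. 'linux administrators@ad-domain.com') intact.
id_has_group() {
    id_out=$1; want=$2
    groups_field=${id_out##*groups=}
    printf '%s\n' "$groups_field" | tr ',' '\n' \
        | sed 's/^[0-9]*(//; s/)$//' | grep -Fxq -- "$want"
}

# getent_has_member "<output of: getent group GROUP>" USER
# getent group prints name:x:gid:member1,member2 ; the last field is the list.
getent_has_member() {
    gr_out=$1; want=$2
    members=${gr_out##*:}
    printf '%s\n' "$members" | tr ',' '\n' | grep -Fxq -- "$want"
}

# nested_group_state "<id output>" "<getent group output>" USER GROUP
# Prints: consistent (both agree), id-only (the lag seen in the thread:
# id lists the group, getent group shows no members yet), or missing.
nested_group_state() {
    if id_has_group "$1" "$4"; then
        if getent_has_member "$2" "$3"; then echo consistent; else echo id-only; fi
    else
        echo missing
    fi
}

# check_live USER GROUP  (assumption: run on an IPA client/server with sssd)
check_live() {
    nested_group_state "$(id "$1")" "$(getent group "$2")" "$1" "$2"
}

# Constructed sample output, mirroring what Rob reported.
SAMPLE_ID='uid=10001(user@ad-domain.com) gid=10001(user@ad-domain.com) groups=10001(user@ad-domain.com),20001(ad_linux_administrators),20002(linux administrators@ad-domain.com)'
SAMPLE_GR_EMPTY='ad_linux_administrators:*:20001:'
SAMPLE_GR_FULL='ad_linux_administrators:*:20001:user@ad-domain.com,other@ad-domain.com'

nested_group_state "$SAMPLE_ID" "$SAMPLE_GR_EMPTY" 'user@ad-domain.com' ad_linux_administrators
```

The sample call prints `id-only`; on a real host, `check_live 'user@ad-domain.com' ad_linux_administrators` is the call to repeat while waiting for the server-side sssd refresh.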