[Freeipa-users] How long should it take to propagate user role changes?

Jakub Hrozek jhrozek at redhat.com
Thu Apr 6 08:01:18 UTC 2017


On Thu, Apr 06, 2017 at 09:11:32AM +0200, Martin Bašti wrote:
> 
> 
> On 06.04.2017 01:57, Greg Gilbert wrote:
> > Hey. I'm a bit new to FreeIPA, so apologies if this has already been
> > addressed. For reference, I'm running FreeIPA 4.4 server on CentOS 7,
> > and FreeIPA client 4.3.1 on Ubuntu nodes.
> > 
> > I've noticed that when I make changes to policies, it either takes a
> > long time to propagate out to the client nodes, or requires a manual
> > restart of the sssd service. In this case, I'm testing adding and
> > removing a user from a sudo rule. Is this the correct behavior, or is
> > there a misconfiguration on my part somewhere?
> > 
> > - greg
> > 
> 
> Hello,
> 
> It is caused by SSSD caches; to refresh particular objects in the cache, see
> `man sss_cache`.
> 
> You can lower the TTL for records in the cache, but the lower the TTL, the
> higher the load on the server (`man sssd.conf`, search for cache).

Btw, the sudo caching is a bit more complex, but `man sssd-sudo` hopefully
explains it well.

Also please check in the sssd debug logs if the sssd client is 'online'.
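
Added example (not part of the original thread, and not FreeIPA or SSSD project code): a small Python check that reads an sssd.conf and reports, per domain, the effective values of the cache and sudo refresh options the replies point to, so you can see which interval still bounds how long a sudo rule change can stay stale on a client. The domain name `example.test`, the sample configuration and the function names are constructed for illustration; the defaults are the ones documented in sssd.conf(5) and sssd-ldap(5) and should be checked against the installed SSSD version.

```python
import configparser

# Documented defaults (seconds); assumption: confirm in the man pages of the
# SSSD version actually installed on the client.
DEFAULTS = {
    "entry_cache_timeout": 5400,
    "ldap_sudo_smart_refresh_interval": 900,
    "ldap_sudo_full_refresh_interval": 21600,
}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
entry_cache_timeout = 600
ldap_sudo_smart_refresh_interval = 300
"""

def sudo_cache_settings(conf_text):
    """Return {domain: {option: seconds}} with effective sudo-related values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        eff = {k: dom.getint(k, fallback=v) for k, v in DEFAULTS.items()}
        # entry_cache_sudo_timeout falls back to entry_cache_timeout when unset.
        eff["entry_cache_sudo_timeout"] = dom.getint(
            "entry_cache_sudo_timeout", fallback=eff["entry_cache_timeout"])
        result[section.split("/", 1)[1]] = eff
    return result

def over_limit(settings, max_seconds):
    """List (domain, option, value) for every interval above max_seconds."""
    return sorted((d, k, v) for d, opts in settings.items()
                  for k, v in opts.items() if v > max_seconds)

if __name__ == "__main__":
    effective = sudo_cache_settings(SAMPLE_CONF)
    print(effective)
    print(over_limit(effective, 900))
```

In the sample, lowering `entry_cache_timeout` and the smart refresh interval still leaves the full refresh interval at its documented default, which is the value `over_limit` reports.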



