[Freeipa-users] sudo rules are not active immediately

Nathanaël Blanchet blanchet at abes.fr
Wed Feb 8 15:03:54 UTC 2017



On 08/02/2017 at 13:00, Pavel Březina wrote:
> On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote:
>> Hello,
>> on latest IPA, when adding a command to a rule or a sudo option for
>> example, the change is not active on the user session.
>> For example, after removing !authenticate option, I still can execute
>> sudo commands without password.
>> I tried to logout and relogin, but nothing changes, but on a new vm
>> where I never logged in before it works.
>> Is there a cache or something to do so that commands are immediately
>> available?
>>
>
> Hi,
> sudo rules are cached on the client and refresh happens periodically. 
> We have several update mechanisms that deal with finding new rules, 
> deleting non-existent ones and updating expired ones, but it cannot be 
> performed on demand at the moment. We have a ticket for that [1]. 
> Please see 'man sssd-sudo' to get better understanding how it works.
>
It's said that sssd-sudo has been created to be close to the local 
sudoers functioning. So I suppose the three described mechanisms are 
intended to converge to a near-realtime rule change.
It's true that after waiting for an undefined time, rules become available... 
but is there an estimated time of availability? Is it rather 15 min or 
one hour? (I suppose beyond that is not usable.)
> It is possible to expire cached rules with sss_cache. This won't find 
> you newly added rules but it will fetch updated rules and removed 
> deleted ones.
>
> [1] https://fedorahosted.org/sssd/ticket/2884
>
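The delay Nathanaël is asking about is bounded by the refresh intervals sssd uses for its sudo cache. The following is an added example, not part of the thread and not sssd's own tooling: a small POSIX shell script that reads those intervals from an sssd.conf-style file and reports the worst-case propagation time for each mechanism. The sample configuration is constructed here (the domain name and server are placeholders); the option names `ldap_sudo_smart_refresh_interval`, `ldap_sudo_full_refresh_interval` and `entry_cache_sudo_timeout` are real sssd options, and the fallback defaults (900 s, 21600 s and 5400 s) are the documented ones as I know them, so check `man sssd-ldap` and `man sssd.conf` for your version.

```shell
#!/bin/sh
# Added example (not from the thread): report how long a sudo rule change can
# take to reach an sssd client, based on the refresh intervals in sssd.conf.

# Constructed sample config so the script runs offline; names are placeholders.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.test
services = nss, pam, sudo

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
# Smart refresh lowered from the default 900 s to pick up new rules faster.
ldap_sudo_smart_refresh_interval = 300
EOF

# conf_value FILE KEY DEFAULT
# Print the integer value of KEY (first match) from FILE, or DEFAULT if unset.
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Worst case for a newly added or modified rule to be downloaded: the smart
# refresh interval (assumed default 900 s = 15 min).
worst_case_new_rule() {
    conf_value "$1" ldap_sudo_smart_refresh_interval 900
}

# Worst case for a deleted rule to disappear everywhere: the full refresh
# interval (assumed default 21600 s = 6 h), which re-downloads all rules.
worst_case_deleted_rule() {
    conf_value "$1" ldap_sudo_full_refresh_interval 21600
}

# How long an already-cached rule is served before sssd re-fetches it on use
# (assumed default 5400 s, inherited from entry_cache_timeout). Running
# "sss_cache -R" expires these entries immediately.
cached_rule_lifetime() {
    conf_value "$1" entry_cache_sudo_timeout 5400
}

# Human-readable report for one config file.
report() {
    printf 'new/modified rule visible within : %s s\n' "$(worst_case_new_rule "$1")"
    printf 'deleted rule removed within      : %s s\n' "$(worst_case_deleted_rule "$1")"
    printf 'cached rule re-fetched after     : %s s (or now, via sss_cache -R)\n' "$(cached_rule_lifetime "$1")"
}

report "$SAMPLE_CONF"
```

To run it against a real client, point `report` at `/etc/sssd/sssd.conf` (as root, since the file is mode 0600). The three numbers are the answer to "15 min or one hour": with stock defaults a new rule shows up within the smart refresh interval, a removed rule can linger until the next full refresh, and a changed rule that is already cached is re-fetched on the next sudo invocation once its cache entry expires or is invalidated with `sss_cache -R`.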