Jakub/Sumit,

I'm using /usr/bin/sss_ssh_authorizedkeys to check keys, as ssh access is my primary concern. In my recent tests I changed the key listed on the local upstream server (from the server line in /etc/ipa/default.conf) and the ssh key showed up after 8 minutes; remote servers (replica IPA servers) took another 30 minutes.

Same process to delete the key took 45 minutes from local change to remote server via replica (deleted at 9:52, refreshed at 10:30), which makes me think it's more the LDAP replication than the sss cache. entry_cache_timeout is the default 5400 seconds (and its children follow that value). I assume if I want/need this to expire/replicate faster, I would want to set entry_cache_user_timeout to a value closer to a few minutes (300-900). Can you see any drawbacks to this? Is this value required on Server, Clients, or Both?

As always, you guys are excellent and I really appreciate all the help!

Thanks,
-Jacob

----- Original Message -----
From: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Sumit Bose" <sb...@redhat.com>
Sent: Wednesday, May 31, 2017 5:01:22 AM
Subject: [Freeipa-users] Re: [Freeipa-users] SSH Key replication time/issues

On Tue, May 30, 2017 at 02:18:18PM -0400, Jake via FreeIPA-users wrote:
> Looks like this is applied immediately, but required a service sssd restart;
> sss_cache -E
>
> Do these attributes have a TTL set?
>
> I know these are all SSSD Specific questions, and not directly related to
> FreeIPA.

The keys are stored in the SSSD cache and the cache objects have a lifetime. Please check entry_cache_timeout or entry_cache_user_timeout in man sssd.conf for details.

HTH

bye,
Sumit

>
> Thanks,
> Jake
>
>
> From: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> Cc: "Jake" <em...@ml.jacobdevans.com>
> Sent: Tuesday, May 30, 2017 1:15:32 PM
> Subject: [Freeipa-users] SSH Key replication time/issues
>
> Hey again,
> I'm trying to track down how to ensure ssh keys are added AND removed
> quickly.
>
> Right now it seems I must restart ipa services or sss_cache -E to force them
> to update, and there doesn't seem to be a determinate amount of time to allow
> replication.
>
> Note, SSH keys are stored in the "Default View" for external users (external
> one-way trust with AD).
>
> Thanks,
> -Jake
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
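As an added example (not part of the thread, and not FreeIPA's or SSSD's own shipped configuration), here is how the two pieces discussed above fit together on a host whose sshd takes its keys from SSSD: the AuthorizedKeysCommand wiring in sshd_config, and the cache lifetime in sssd.conf that governs how long a removed or added key keeps being served from the local cache. The domain name example.com and the 600-second value are assumptions; the option names are those documented in sshd_config(5) and sssd.conf(5).

```ini
# /etc/ssh/sshd_config (fragment)
# sshd runs this command on every login attempt to obtain the user's keys.
# Without these two lines sss_ssh_authorizedkeys is never consulted and the
# SSSD cache lifetime below has no effect on SSH at all.
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# /etc/sssd/sssd.conf (fragment)
# The SSSD cache is per host: this has to be set on every host whose sshd
# should notice key changes quickly. An IPA server is an SSSD client of its
# own directory, so the same setting applies there too.
[domain/example.com]
# assumed domain name
id_provider = ipa
# Default lifetime (seconds) of a cached entry. User entries, and therefore
# the ipaSshPubKey values sss_ssh_authorizedkeys returns, inherit this value
# unless overridden.
entry_cache_timeout = 5400
# Override for user entries only: force a fresh lookup of the user (keys
# included) after 10 minutes. Assumed value. The cost is one LDAP lookup per
# user per host every time the entry expires, so the shorter this is, the
# more load the IPA servers see from a large fleet.
entry_cache_user_timeout = 600
```

Two practical points when tuning this. The timeout counts from when the entry was cached on that host, not from when the key changed in LDAP, so the worst-case delay for a key removal is the replication lag to the IPA server the host talks to plus the full entry_cache_user_timeout; the replica lag the thread observed cannot be shortened from the SSSD side. For an urgent revocation, sss_cache -u <user> invalidates only that user's entry on the host rather than the whole cache (sss_cache -E), and in either case an SSH session that is already established stays open; revoking the key only blocks new logins.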