> On Fri, Jul 14, 2017 at 10:00:20AM -0000, bogusmaster--- via FreeIPA-users > wrote: > > yes, but I think this is only a side effect. SSSD cannot resolve a > global catalog server. Does > > dig SRV _gc._tcp.td.mydomain.com > > return anything when called on the IPA server?
It didn't. I've added a DNS entry and now it works like this: dig +short SRV _gc._tcp.td.mydomain.com 0 100 389 dc.td.mydomain.com. Now when I clear server's cache by removing the files in /var/lib/sss/db/ and restart sssd daemon it apparently behaves as it should - ad_users group that I use for HBAC for AD users gets updated. sss_cache -E doesn't work for me and I have to delete cache files manually. I will test group membership propagation a little bit more to be 100% sure, though. Is there any other way for these changes to propagate without a restart? I have this entry in sssd.conf: entry_cache_timeout = 60 but it doesn't seem to work. Best, Bart > > It is most probably the GID of the 'Domain Users' group of the AD > domain. > > > Please remove the entry again, it might cause all kind of irritations. I've removed that, it was just for the testing purpose. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
