On Fri, Jul 14, 2017 at 03:19:57PM -0000, bogusmaster--- via FreeIPA-users wrote:
> > On Fri, Jul 14, 2017 at 10:00:20AM -0000, bogusmaster--- via FreeIPA-users
> > wrote:
> >
> > yes, but I think this is only a side effect. SSSD cannot resolve a
> > global catalog server. Does
> >
> > dig SRV _gc._tcp.td.mydomain.com
> >
> > return anything when called on the IPA server?
>
> It didn't. I've added a DNS entry and now it works like this:
> dig +short SRV _gc._tcp.td.mydomain.com
> 0 100 389 dc.td.mydomain.com.

What DNS server are you using? Typically the AD DNS servers will have
set this automatically.

>
> Now when I clear server's cache by removing the files in /var/lib/sss/db/ and
> restart sssd daemon it apparently behaves as it should - ad_users group that
> I use for HBAC for AD users gets updated. sss_cache -E doesn't work for me
> and I have to delete cache files manually. I will test group membership
> propagation a little bit more to be 100% sure, though.
>
> Is there any other way for these changes to propagate without a restart? I
> have this entry in sssd.conf: entry_cache_timeout = 60 but it doesn't seem to
> work.

This might be a side effect of the timestamp cache. If there is no
change in the related object on the server-side the update might be
skipped. Does it work if you remove only the timestamp cache from
/var/lib/sss/db/ ?

bye,
Sumit

>
> Best,
> Bart
>
> >
> > It is most probably the GID of the 'Domain Users' group of the AD
> > domain.
> >
> >
> > Please remove the entry again, it might cause all kind of irritations.
> I've removed that, it was just for the testing purpose.
> _______________________________________________
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org