On Fri, Jul 14, 2017 at 03:19:57PM -0000, bogusmaster--- via FreeIPA-users
> > On Fri, Jul 14, 2017 at 10:00:20AM -0000, bogusmaster--- via FreeIPA-users
> > wrote:
> > yes, but I think this is only a side effect. SSSD cannot resolve a
> > global catalog server. Does
> > dig SRV _gc._tcp.td.mydomain.com
> > return anything when called on the IPA server?
> It didn't. I've added a DNS entry and now it works like this:
> dig +short SRV _gc._tcp.td.mydomain.com
> 0 100 389 dc.td.mydomain.com.
What DNS server are you using? Typically the AD DNS servers will have
set this automatically.
> Now when I clear server's cache by removing the files in /var/lib/sss/db/ and
> restart sssd daemon it apparently behaves as it should - ad_users group that
> I use for HBAC for AD users gets updated. sss_cache -E doesn't work for me
> and I have to delete cache files manually. I will test group membership
> propagation a little bit more to be 100% sure, though.
> Is there any other way for these changes to propagate without a restart? I
> have this entry in sssd.conf: entry_cache_timeout = 60 but it doesn't seem to
This might be a side effect of the timestamp cache. If there is no
change in the related object on the server-side the update might be
Does it work if you remove only the timestamp cache from
> > It is most probably the GID of the 'Domain Users' group of the AD
> > domain.
> > Please remove the entry again, it might cause all kind of irritations.
> I've removed that, it was just for the testing purpose.
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org