Hi,

On Fri, Jun 25, 2021 at 5:27 PM iulian roman via FreeIPA-users <[email protected]> wrote:
>
> Hello,
>
> I tried for some time to understand how the cache invalidation works on the
> clients, and I have to admit that I am even more confused than when I
> started, therefore I would like to ask if there is someone who can either
> explain or point me to the relevant documentation.
> I'll describe below the situation I am currently facing:
>
> PHASE 1
> - RedHat Idm with AD trust configured (non-posix)
> - override the UID of AD users in Idm
> - on the clients run the id <username> ; the correct (overwritten ) UID and
> an auto-generated GID is displayed
>
> PHASE 2
> - overwrite the GID as well on Idm
> - on the clients still the old auto-generated GID is displayed (after
> sss_cache -E and restart of sssd) when I run id <username>

There are cases where you need to run "sss_cache -E" on the server as well.
That might be it.

> - remove everything in /var/lib/sss/db , restart sssd and run id <username> -
> no user found

This could be a timeout. The client requests the information from the server which does not reply within the timeout value. Since there is no entry in the SSSD cache, the only possible outcome is "no user found".

Set SSSD in debug mode, level 9:
https://docs.pagure.org/sssd.sssd/users/troubleshooting.html
on both IDM server and IDM client, restart sssd on both and you will see what happens more clearly.
You might want to adjust timeouts so that this does not happen, but do not set them too high either.

> - getent group <username> - new overwritten GID is displayed
> - id <username> displays the correct UID and GID
>
> For the users who are not in cache, restarting sssd seems to be enough
> (although I did not test it thoroughly).
>
> My question is :
> What do I have to do on the client in order to have the latest information
> from the Idm Override ? Apparently sss_cache -E and restart sssd is not
> enough .
> Do we always need to remove everything in /var/lib/sss/db in order to have
> the latest information from the server ?

From the man page, this should help:
sss_cache -u <user>

HTH
François

> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
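
An added example, not part of the original thread: a POSIX shell check that tells a stale override (old UID or GID still resolved on the client) apart from the empty-cache "no user found" case, and invalidates only the affected user with `sss_cache -u` before re-checking. The function names and all sample ID values are hypothetical.

```shell
#!/bin/sh
# Added example. parse_ids, override_state and refresh_user are hypothetical
# helper names; the expected UID/GID are whatever was set as the ID override.

# Extract "UID GID" from one line of `id <user>` output.
# Group names may contain spaces, so only the numeric fields are matched.
parse_ids() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=\([0-9][0-9]*\).* gid=\([0-9][0-9]*\).*/\1 \2/p'
}

# Compare what the client resolves with the override values.
# $1 = output of `id <user>`, $2 = expected UID, $3 = expected GID
# Prints one of: fresh | stale-uid | stale-gid | unresolved
override_state() {
    ids=$(parse_ids "$1")
    # Empty output is the "no user found" case (no cache entry, no reply).
    [ -n "$ids" ] || { echo unresolved; return; }
    uid=${ids% *}
    gid=${ids#* }
    if [ "$uid" != "$2" ]; then
        echo stale-uid
    elif [ "$gid" != "$3" ]; then
        echo stale-gid
    else
        echo fresh
    fi
}

# Invalidate only this user's cache entry if it is not fresh, then re-check.
# sss_cache needs root. $1 = user, $2 = expected UID, $3 = expected GID
refresh_user() {
    state=$(override_state "$(id "$1" 2>/dev/null)" "$2" "$3")
    if [ "$state" != fresh ]; then
        sss_cache -u "$1"
        state=$(override_state "$(id "$1" 2>/dev/null)" "$2" "$3")
    fi
    echo "$1: $state"
}

# Usage (constructed values): refresh_user 'alice@ad.example' 70001 70002
```

A result of `unresolved` after the refresh points at the lookup itself (the timeout case described in the reply) rather than at stale cache contents, which is where the SSSD debug logs are the next step.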
