Am Mon, Sep 23, 2024 at 11:45:56AM +0200 schrieb Harald Dunkel via FreeIPA-users: > Hi folks, > > is there some way to disable sssd's password cache? Everytime > a colleague changes his password, he has problems with our > dovecot server, because it runs into a permission denied, until > some privileged user runs "sss_cache -u name" or "sss_cache -E" > or similar. > > AFAIU the password is stored for 5400 seconds. Apparently thats > too long. Caching passwords while sssd is connected to LDAP and > Kerberos might be considered a bad idea, anyway. There is an > undocumented option krb5_store_password_if_offline in sssd.conf. > Maybe there are other undocumented options as well?
Hi, by default SSSD tries to do online authentication as long as SSSD is online, i.e. can reach the server. This behavior can be changed with the `cached_auth_timeout` option which allows SSSD to used the stored password hash for authentication for the time given with the option, see man sssd.conf for details. Did you, by chance, use this option in sssd.conf? HTH bye, Sumit > > > Regards > > Harri > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
