On Thu, 22 Jul 2010 11:10:25 -0400
Scott Duckworth <sduc...@clemson.edu> wrote:

> I removed all files from /var/lib/sss/db/ and restarted sssd.  Same
> behavior.  nscd is disabled, so I don't think it's caching at any
> level.
> Here is what I ran:
> [r...@duck2 ~]# getent passwd sduckwo
> sduckwo:*:45265:10000:Scott Duckworth:/home/sduckwo:/bin/bash
> [r...@duck2 ~]# groups sduckwo
> sduckwo : cuuser
> [r...@duck2 ~]# getent group coes_socunix
> coes_socunix:*:120105:sduckwo

When enumeration is disabled this is the normal behavior.
You will see only users/groups that have been fetched. Generally at
login time because of the initgroups call.
I.e. a user will always have correct memberships, but groups may not
show all user members they truly have in the LDAP server.

If you require perfect representation you will have to turn on
enumeration. This will eventually show up all the memberships although
on the first startup it may take a while to show all groups, until they
have all been downloaded and cached.
Changes to group memberships may also take some time to show as
enumerations are scheduled periodically and results cached.

Of course, when a user logs in, its information (including its group
membership) is refreshed and validated, so at login time the membership
is correctly updated for that user across all its groups.


Simo Sorce * Red Hat, Inc * New York
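
An added example (not part of the original message, and not sssd project code): a small POSIX shell check for the behaviour discussed in this thread, comparing the per-user view of memberships (`id -Gn`) with the per-group view (`getent group`). The function names and status labels are hypothetical, and it assumes group names contain no spaces.

```sh
#!/bin/sh
# group_has_member LINE USER
# Succeeds if the getent-style group LINE (name:passwd:gid:m1,m2,...) lists USER.
group_has_member() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# in_list WORD LIST
# Succeeds if WORD is one of the space-separated words in LIST.
in_list() {
    for w in $2; do
        if [ "$w" = "$1" ]; then return 0; fi
    done
    return 1
}

# compare_views USER "USER_GROUPS"   (getent group lines on stdin)
# Prints "<group> <status>" for every group where at least one view has USER:
#   consistent       both views agree the user is a member
#   group-view-only  the group lists the user, the user's own list lacks the group
#   user-view-only   the user's list has the group, the group entry does not list
#                    the user (normal for the primary group, whose membership
#                    comes from the passwd entry)
compare_views() {
    user=$1
    user_groups=$2
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        if group_has_member "$line" "$user"; then g=1; else g=0; fi
        if in_list "$name" "$user_groups"; then u=1; else u=0; fi
        case "$g$u" in
            11) echo "$name consistent" ;;
            10) echo "$name group-view-only" ;;
            01) echo "$name user-view-only" ;;
        esac
    done
}

# Live use on a client, for the groups you care about:
#   for g in coes_socunix cuuser; do getent group "$g"; done |
#       compare_views sduckwo "$(id -Gn sduckwo)"
```

Any `group-view-only` or `user-view-only` line (other than the primary group) marks a group whose two cached views currently disagree for that user.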

Freeipa-users mailing list