On Fri, Apr 08, 2016 at 09:36:11AM +0200, Sumit Bose wrote:
> On Thu, Apr 07, 2016 at 10:28:22PM -0400, Michael ORourke wrote:
> > I have a question regarding AD Integration with FreeIPA (CentOS 7.1/freeipa
> > 4.2.0) and Windows Server 2008 R2 with a Functional Level forest of 2008 R2.
> > Given a simple scenario of a group in active directory that is mapped to a
> > POSIX group in FreeIPA, if a change is made on the AD side such as adding a
> > user to an AD group, how long should it take on the FreeIPA side before the
> > change would show up? What would the maximum time it could take before the
> > change propagates to a server joined to FreeIPA? What if a user was logged
> > into the server and was waiting on the change (assuming the MS PAC was
> > cached by sssd)? This would be for a simple forest trust with FreeIPA and a
> > medium/small AD environment. Also, assuming that sssd was not restarted
> > and/or the cache flushed.
> > I'm not looking for exact timing, just some estimates.
>
> By default SSSD has a cache timeout of 5400s aka 1.5h, see the
> entry_cache_timeout and following entries in man sssd.conf for details.
> In the worst case on a client you have to add the timeout of the client
> and the server.

Yes, just please be aware of https://fedorahosted.org/sssd/ticket/2899
which was fixed only recently and we haven't released sssd-1.13.4 yet
upstream.
