To make sure, I did the following on the ipa host:

systemctl stop sssd.service
rm -f /var/lib/sss/db/*
systemctl start sssd.service

now there is no cheating from cache
getent passwd u...@ad-domain.com works and gives userid
id u...@ad-domain.com works fine and shows all groups the user is a
member of including ad_linux_administrators (ipa group) and 'linux
administrat...@ad-domain.com'
getent group ad_linux_administrators only shows the group ad, no
members, these pop up after a very long time
getent group 'linux administrat...@ad-domain.com' immediately shows all members

weird....

Rob Verduijn

2016-05-04 16:41 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>:
> On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> This goes especially for ad groups that are nested in ipa_groups
>>
>> ie :
>> microsoft group is defined as an external group,
>> and that external group is member of an ipa group
>> and that ipa group takes forever.
>>
>> Regards
>> Rob Verduijn
>
> All the work in this area is done by sssd on the server. The sssd there
> runs a periodical task to re-fetch new external groups memberships every
> 10 seconds. So I would expect the group memberships to turn up after 10
> seconds at worst.
>
> Are you sure (from sssd logs) that maybe sssd is not going into offline
> state and just consults its cache?
>
>>
>>
>> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
>> > Hello,
>> >
>> > I'm using a trust to microsoft active directory to allow users access
>> > to linux servers.
>> >
>> > But when a user is added it takes a very long time for ipa to register 
>> > this.
>> > And even more time for the ipa clients since they have to wait for the
>> > ipa servers.
>> >
>> > Since I hate to tell the users to wait for a couple hours, and also I
>> > do not like to clean up the sssd cache folder each time a new user
>> > appears.
>> >
>> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >
>> > Regards
>> > Rob Verduijn
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project