to make sure I did the following on the ipa host
systemctl stop sssd.service
rm -f /var/lib/sss/db/*
systemctl start sssd.service
now there is no cheating from cach
getent passwd u...@ad-domain.com works and gives userid
id u...@ad-domain.com works fine and show all goups the user is a
member of including ad_linux_administrators (ipa group) and 'linux
getent group ad_linux_administrators only shows the group ad, no
members, these pop up after a very long time
getent group 'linux administrat...@ad-domain.com' imediatly show all members
2016-05-04 16:41 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>:
> On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> This goes especially for ad groups that are bested in ipa_groups
>> ie :
>> microsft group is defined as an external group,
>> and that external group is member of an ipa group
>> and that ipa group takes forever.
>> Rob Verduijn
> All the work in this area is done by sssd on the server. The sssd there
> runs a periodical task to re-fetch new external groups memberships every
> 10 seconds. So I would expect the group memberships to turn up after 10
> seconds at worst.
> Are you sure (from sssd logs) that maybe sssd is not going into offline
> state and just consults its cache?
>> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
>> > Hello,
>> > I'm using a trust to microsoft active directory to allow users access
>> > to linux servers.
>> > But when a user is added it takes a very long time for ipa to register
>> > this.
>> > And even more time for the ipa clients since they have to wait for the
>> > ipa servers.
>> > Since I hate to tell the users to wait for a couple hours, and also I
>> > do not like to clean up the sssd cache folder each time a new user
>> > appears.
>> > Is there a way to tell ipa and all clients to refresh their cache ?
>> > Regards
>> > Rob Verduijn
>> Manage your subscription for the Freeipa-users mailing list:
>> Go to http://freeipa.org for more info on the project
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project