On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> to make sure I did the following on the ipa host
>
> systemctl stop sssd.service
> rm -f /var/lib/sss/db/*
> systemctl start sssd.service
>
> now there is no cheating from cache
> getent passwd u...@ad-domain.com works and gives userid
> id u...@ad-domain.com works fine and shows all groups the user is a
> member of including ad_linux_administrators (ipa group) and 'linux
> administrat...@ad-domain.com'
> getent group ad_linux_administrators only shows the group ad, no
> members, these pop up after a very long time
> getent group 'linux administrat...@ad-domain.com' immediately shows all members

Please note that getent group only works with very recent versions of
ipa and sssd. What version are you running?

>
> weird....
>
> Rob Verduijn
>
> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>:
> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> This goes especially for ad groups that are nested in ipa_groups
> >>
> >> ie :
> >> microsoft group is defined as an external group,
> >> and that external group is member of an ipa group
> >> and that ipa group takes forever.
> >>
> >> Regards
> >> Rob Verduijn
> >
> > All the work in this area is done by sssd on the server. The sssd there
> > runs a periodical task to re-fetch new external groups memberships every
> > 10 seconds. So I would expect the group memberships to turn up after 10
> > seconds at worst.
> >
> > Are you sure (from sssd logs) that maybe sssd is not going into offline
> > state and just consults its cache?
> >
> >>
> >>
> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
> >> > Hello,
> >> >
> >> > I'm using a trust to microsoft active directory to allow users access
> >> > to linux servers.
> >> >
> >> > But when a user is added it takes a very long time for ipa to register
> >> > this.
> >> > And even more time for the ipa clients since they have to wait for the
> >> > ipa servers.
> >> >
> >> > Since I hate to tell the users to wait for a couple hours, and also I
> >> > do not like to clean up the sssd cache folder each time a new user
> >> > appears.
> >> >
> >> > Is there a way to tell ipa and all clients to refresh their cache?
> >> >
> >> > Regards
> >> > Rob Verduijn
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project