On Wed, May 04, 2016 at 10:51:37PM +0200, Rob Verduijn wrote:
> Hi,
>
> I avoided the slow filling group by using the AD-Group with spaces
> (was a tad more challenging for scripting)
>
> But here's the releases (some of them)
>
> ipa 4.2 and sssd 1.13
>
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

The IPA packages haven't been released yet (those will be at least
ipa-4.2.0-15.el7_2.15) but even with older packages, I would have
expected id to return the groups, "just" not getent group.

> sssd-common-1.13.0-40.el7_2.2.x86_64
> sssd-client-1.13.0-40.el7_2.2.x86_64
> sssd-ad-1.13.0-40.el7_2.2.x86_64
>
> Cheers
> Rob Verduijn
>
> 2016-05-04 18:06 GMT+02:00 Jakub Hrozek <[email protected]>:
> > On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> >> to make sure I did the following on the ipa host
> >>
> >> systemctl stop sssd.service
> >> rm -f /var/lib/sss/db/*
> >> systemctl start sssd.service
> >>
> >> now there is no cheating from cache
> >> getent passwd [email protected] works and gives userid
> >> id [email protected] works fine and shows all groups the user is a
> >> member of including ad_linux_administrators (ipa group) and 'linux
> >> [email protected]'
> >> getent group ad_linux_administrators only shows the group ad, no
> >> members, these pop up after a very long time
> >> getent group 'linux [email protected]' immediately shows all
> >> members
> >
> > Please note that getent group only works with very recent versions of
> > ipa and sssd. What version are you running?
> >
> >>
> >> weird....
> >>
> >> Rob Verduijn
> >>
> >> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek <[email protected]>:
> >> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> >> This goes especially for ad groups that are nested in ipa_groups
> >> >>
> >> >> ie :
> >> >> microsoft group is defined as an external group,
> >> >> and that external group is member of an ipa group
> >> >> and that ipa group takes forever.
> >> >>
> >> >> Regards
> >> >> Rob Verduijn
> >> >
> >> > All the work in this area is done by sssd on the server. The sssd there
> >> > runs a periodical task to re-fetch new external groups memberships every
> >> > 10 seconds. So I would expect the group memberships to turn up after 10
> >> > seconds at worst.
> >> >
> >> > Are you sure (from sssd logs) that maybe sssd is not going into offline
> >> > state and just consults its cache?
> >> >
> >> >>
> >> >>
> >> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <[email protected]>:
> >> >> > Hello,
> >> >> >
> >> >> > I'm using a trust to microsoft active directory to allow users access
> >> >> > to linux servers.
> >> >> >
> >> >> > But when a user is added it takes a very long time for ipa to
> >> >> > register this.
> >> >> > And even more time for the ipa clients since they have to wait for the
> >> >> > ipa servers.
> >> >> >
> >> >> > Since I hate to tell the users to wait for a couple hours, and also I
> >> >> > do not like to clean up the sssd cache folder each time a new user
> >> >> > appears.
> >> >> >
> >> >> > Is there a way to tell ipa and all clients to refresh their cache ?
> >> >> >
> >> >> > Regards
> >> >> > Rob Verduijn
> >> >>
> >> >> --
> >> >> Manage your subscription for the Freeipa-users mailing list:
> >> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> >> Go to http://freeipa.org for more info on the project
