On (22/07/16 13:25), Rakesh Rajasekharan wrote:
>I am running freeipa version 4.2.0 and sssd version 1.13.0
>I have set "enumerate=True" to show IPA users as well in getent passwd.
>However, the getent passwd continues to show users that have got deleted as
>Heres my sssd config file
>enumerate = TRUE
>krb5_auth_timeout = 30
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = xyz.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>ipa_hostname =
>chpass_provider = ipa
>ipa_server = _srv_, ipa-master-int.xyz.com
>dns_discovery_domain = xyz.com
>services = nss, sudo, pam, ssh
>config_file_version = 2
>domains = xyz.com
>homedir_substring = /home
>Is this an expected behaviour or am i missing something in my config
When user is removed from IPA then it is not automatically removed from sssd.
SSSD has few levels of caches which are indirectly used by "getent passwd".
The user or group will be removed after next look-up in IPA which
is usually after extpiration of entry in sssd cache.

Another way how to force removing entries from sssd cache is
to authenticate with user. SSSD fetch latest data from LDAP/IPA
with each authentication for security reasons.

You can also invalidate user in sssd cache "sss_cache -u someuser"
and SSSD will detect removed user in IPA after attempt to refresh data
in sssd cache.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to