On (22/07/16 13:25), Rakesh Rajasekharan wrote:
>Hi,
>
>I am running freeipa version 4.2.0 and sssd version 1.13.0
>
>I have set "enumerate=True" to show IPA users as well in getent passwd.
>
>However, the getent passwd continues to show users that have got deleted as
>well.
>
>Heres my sssd config file
>[domain/xyz.com]
>enumerate = TRUE
>krb5_auth_timeout = 30
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = xyz.com
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ldap_tls_cacert = /etc/ipa/ca.crt
>ipa_hostname = 10.16.11.134
>chpass_provider = ipa
>ipa_server = _srv_, ipa-master-int.xyz.com
>dns_discovery_domain = xyz.com
>[sssd]
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>domains = xyz.com
>[nss]
>homedir_substring = /home
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>Is this an expected behaviour or am i missing something in my config
>
When a user is removed from IPA, it is not automatically removed from SSSD.
SSSD has a few levels of caches which are indirectly used by "getent passwd".
The user or group will be removed after the next look-up in IPA, which
is usually after expiration of the entry in the SSSD cache.

Another way to force removal of entries from the SSSD cache is
to authenticate as the user. SSSD fetches the latest data from LDAP/IPA
with each authentication for security reasons.

You can also invalidate the user in the SSSD cache with "sss_cache -u someuser"
and SSSD will detect the removed user in IPA after attempting to refresh the data
in the SSSD cache.

LS
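The invalidate-then-re-lookup procedure from the reply as a small script; this is an added example, not code from the thread. It assumes sss_cache and getent are on PATH and that it is run as root (sss_cache normally requires it); the passwd lines at the bottom are constructed for a self-check only.

```shell
#!/bin/sh
# Invalidate one user's SSSD cache entry, then re-check whether the user
# still resolves. After sss_cache -u, the next getent lookup makes SSSD ask
# IPA again, so a user deleted in IPA disappears instead of lingering in
# the cache until its entry expires.

# Return 0 if NAME appears as a login name in passwd-format data on stdin.
# Kept as a pure helper so it can be exercised on constructed input.
user_in_passwd() {
    name="$1"
    awk -F: -v u="$name" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Invalidate NAME in the SSSD cache and force a fresh lookup.
# Exit status: 0 user still present, 1 user gone (or lookup failed),
# 2 sss_cache itself failed (e.g. not root).
refresh_user_entry() {
    name="$1"
    sss_cache -u "$name" || return 2
    if getent passwd "$name" | user_in_passwd "$name"; then
        echo "$name: still present in IPA"
        return 0
    fi
    echo "$name: no longer resolves (removed from IPA or lookup failed)"
    return 1
}

# Constructed passwd lines used only to check user_in_passwd offline.
SAMPLE_PASSWD='alice:*:10001:10001:Alice:/home/alice:/bin/bash
bob:*:10002:10002:Bob:/home/bob:/bin/bash'

# Usage: ./refresh_user_entry.sh someuser
[ "$#" -eq 1 ] && refresh_user_entry "$1"
```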
