On Tue, Jan 31, 2017 at 08:05:18PM +0000, Sullivan, Daniel [CRI] wrote:
> Hi,
> I figured out what was going on with this issue.  Basically cache timeouts 
> were causing a large number of uid numbers in an arbitrarily-timed directory 
> listing to have expired cache records, which causes those records to be 
> looked up again by the data provider (and thus blocking ‘ls -l’).  To work 
> around this issue now we are currently setting the entry_cache_timeout to 
> something arbitrarily high, i.e. 999999.  I’m questioning whether or not this 
> is the best approach.  I’d like to use something like 
> refresh_expired_interval, although based on my testing it appears that this 
> does not update records for a trusted AD domain.  I’ve also tried using 
> enumeration, and that doesn’t seem to work either.
> I suppose my question is this; is there a preferred method to keep cache 
> records up-to-date for a trusted AD domain?  Right now I am thinking about 
> cron-tabbing an ‘ls -l’ of /home and allowing entry_cache_nowait_percentage 
> to fill this function, although that seems hacky to me.
> Any advisement that could be provided would be greatly appreciated.


If the entries are requested reasonably often (typically at least once
per cache lifetime), then maybe just lowering the
'entry_cache_nowait_percentage' value so that the background check is
performed more often might help.
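
The effect of that suggestion on a single cached entry, as an added example that is not part of the original messages and is not SSSD code. It assumes the behaviour documented in sssd.conf(5) (percentage range 0-99, 0 disables the background update, 10-second floor) and treats a background refresh as completing instantly; the function names and request times are constructed for illustration.

```python
"""Simplified model of how SSSD answers lookups for one cached entry."""


def nowait_threshold(entry_cache_timeout, nowait_percentage):
    """Age in seconds after which a lookup triggers a background refresh.

    Returns None when the feature is disabled (percentage 0).
    """
    if not 0 <= nowait_percentage <= 99:
        raise ValueError("entry_cache_nowait_percentage must be 0-99")
    if nowait_percentage == 0:
        return None
    # sssd.conf(5): the nowait timeout is never reduced below 10 seconds.
    return max(entry_cache_timeout * nowait_percentage / 100, 10)


def simulate(request_times, entry_cache_timeout, nowait_percentage):
    """Classify each lookup (times in seconds) as one of:

    'blocking'   - entry missing or expired, caller waits for the provider
    'background' - cached entry returned at once, refresh runs out of band
    'cached'     - cached entry returned, nothing refreshed
    """
    threshold = nowait_threshold(entry_cache_timeout, nowait_percentage)
    last_refresh = None
    outcomes = []
    for t in request_times:
        age = None if last_refresh is None else t - last_refresh
        if age is None or age >= entry_cache_timeout:
            outcomes.append("blocking")
            last_refresh = t
        elif threshold is not None and age >= threshold:
            outcomes.append("background")
            last_refresh = t  # modelling assumption: refresh finishes instantly
        else:
            outcomes.append("cached")
    return outcomes


if __name__ == "__main__":
    # Constructed request times for one uid, entry_cache_timeout = 5400.
    irregular = [0, 2600, 5500]
    for pct in (50, 25):
        print(pct, simulate(irregular, 5400, pct))
    # Requested less than once per cache lifetime: every lookup blocks,
    # whatever the percentage is set to.
    print(simulate([0, 6000, 12000], 5400, 25))
```

With the 50 percent setting the lookup at 2600 s falls just short of the 2700 s threshold, so the entry expires before the next request and that request blocks; at 25 percent the same lookup triggers a background refresh and nothing blocks after the first fetch.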
