On Tue, Jan 31, 2017 at 08:05:18PM +0000, Sullivan, Daniel [CRI] wrote:
> I figured out what was going on with this issue. Basically cache timeouts
> were causing a large number of uid numbers in an arbitrarily-timed directory
> listing to have expired cache records, which causes those records to be
> looked up again by the data provider (and thus blocking ‘ls -l’). To work
> around this issue we are currently setting the entry_cache_timeout to
> something arbitrarily high, i.e. 999999. I’m questioning whether or not this
> is the best approach. I’d like to use something like
> refresh_expired_interval, although based on my testing it appears that this
> does not update records for a trusted AD domain. I’ve also tried using
> enumeration, and that doesn’t seem to work either.
> I suppose my question is this: is there a preferred method to keep cache
> records up-to-date for a trusted AD domain? Right now I am thinking about
> cron-tabbing an ‘ls -l’ of /home and allowing entry_cache_nowait_percentage
> to fill this function, although that seems hacky to me.
> Any advisement that could be provided would be greatly appreciated.
If the entries are requested reasonably often (typically at least once
per cache lifetime), then maybe just lowering the
'entry_cache_nowait_percentage' value so that the background check is
performed more often might help.