On Tue, Jan 31, 2017 at 08:05:18PM +0000, Sullivan, Daniel [CRI] wrote:
> Hi,
>
> I figured out what was going on with this issue. Basically cache timeouts
> were causing a large number of uid numbers in an arbitrarily-timed directory
> listing to have expired cache records, which causes those records to be
> looked up again by the data provider (and thus blocking ‘ls -l’). To work
> around this issue now we are currently setting the entry_cache_timeout to
> something arbitrarily high, i.e. 999999. I’m questioning whether or not this
> is the best approach. I’d like to use something like
> refresh_expired_interval, although based on my testing it appears that this
> does not update records for a trusted AD domain. I’ve also tried using
> enumeration, and that doesn’t seem to work either.
>
> I suppose my question is this: is there a preferred method to keep cache
> records up-to-date for a trusted AD domain? Right now I am thinking about
> cron-tabbing an ‘ls -l’ of /home and allowing entry_cache_nowait_percentage
> to fill this function, although that seems hacky to me.
>
> Any advisement that could be provided would be greatly appreciated.

Hi,

If the entries are requested reasonably often (typically at least once per
cache lifetime), then maybe just lowering the 'entry_cache_nowait_percentage'
value so that the background check is performed more often might help.
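
An added example, not part of the thread and not SSSD code: a simplified Python model of how entry_cache_timeout and entry_cache_nowait_percentage interact, replaying lookups of a single entry to show when a request blocks on the data provider. The function names, the 5400 s timeout and the request schedules are constructed for illustration, and a background refresh is assumed to complete instantly.

```python
# Simplified model of the documented sssd.conf cache options (assumption:
# a background refresh finishes immediately; real refreshes take some time).

def classify(age, timeout, nowait_pct):
    """How a lookup is served for an entry last refreshed `age` seconds ago."""
    if age >= timeout:
        return "blocking"      # expired: caller waits for the data provider
    if nowait_pct and age >= timeout * nowait_pct / 100:
        return "background"    # answered from cache, refresh started out of band
    return "cached"            # fresh: answered from cache, no refresh

def simulate(request_times, timeout, nowait_pct):
    """Replay lookups of one entry at the given times (seconds)."""
    last_refresh = None
    outcomes = []
    for t in request_times:
        if last_refresh is None:
            outcome = "blocking"           # first lookup always hits the provider
        else:
            outcome = classify(t - last_refresh, timeout, nowait_pct)
        if outcome != "cached":
            last_refresh = t               # blocking and background both renew
        outcomes.append(outcome)
    return outcomes

def blocking_count(request_times, timeout, nowait_pct):
    """Number of lookups that had to wait for the data provider."""
    return simulate(request_times, timeout, nowait_pct).count("blocking")

if __name__ == "__main__":
    timeout = 5400                               # constructed sample value
    hourly = [h * 3600 for h in range(5)]        # requested within each lifetime
    sparse = [h * 6000 for h in range(3)]        # requested less often than that
    for label, times in (("hourly", hourly), ("sparse", sparse)):
        for pct in (75, 50, 10):
            print(label, pct, simulate(times, timeout, pct))
```

In this model the hourly schedule stops blocking once the percentage is low enough that each request falls inside the background-refresh window, while the sparse schedule blocks at every setting because the entry has already expired by the time it is requested again.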