Le 08/02/2017 à 13:00, Pavel Březina a écrit :
On 02/08/2017 11:59 AM, Nathanaël Blanchet wrote:
Hello,
on latest IPA, when adding a command to a rule or a sudo option for
example, the change is not active on the user session.
For example, after removing !authenticate option, I still can execute
sudo commands without password.
I tried to logout and relogin, but nothing changes, but on a new vm
where never logeed in before it wroks.
Is there a cache or somting to do so as to commands to be immediatly
available?


Hi,
sudo rules are cache on the client and refresh happens periodically. We have several update mechanisms that deals with finding new rules, deleting non-existent ones and updating expired but it cannot be performed on desired at the moment. We have a ticket for that [1]. Please see 'man sssd-sudo' to get better understanding how it works.

it's said that sssd-sudo has been created to be near of the local sudoers functionnment. So I suppose the three described mechanisms are intended to converge to a near realtime rule change. It's true that waiting for an undefinied time, rules become available... but is there an estimated time of availibility? Is it rather 15min or one hour (I suppose beyond is not usable)
It is possible to expired cached rules with sss_cache. This won't find you newly added rules but it will fetch updated rules and removed deleted ones.

[1] https://fedorahosted.org/sssd/ticket/2884



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to