Re: [Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-13 Thread Jakub Hrozek
On Wed, Dec 09, 2015 at 12:58:23PM +0100, Winfried de Heiden wrote:
>Hi all,
> 
>Using entry_cache_timeout to set different cache timeout for sssd works
>well. However, it doesn't seem to work for Trusted Domain Users (using AD
>trust)
> 
>I made some changes, cleaned the cache but expiry will stay on a (too
>long) 10 (ten!) hours!
> 
>How can I change the sssd cache timeout for Trusted AD users ? (using IPA
>4.1)
> 
>Kind regards!

Did you change the expiry on a client only or also on the server?

Keep in mind that for identity lookups, only the IPA masters are
connected to AD, the clients fetch data from IPA masters.
(Authentication, however, is done against AD DCs directly)

Another point to keep in mind is that the cache expiry is stored in the
objects themselves, so you might want to refresh the cache.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
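
The advice given in this thread (change the timeout on the IPA master as well as on the client, then invalidate the cache with sss_cache) as an added example that is not part of the original mails: a shell function that sets entry_cache_timeout in every [domain/...] section of an sssd.conf-style file. The sample file, the host names, the 600-second value and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): set entry_cache_timeout in every
# [domain/...] section of an sssd.conf-style file; result goes to stdout.
set_entry_cache_timeout() {
    awk -v secs="$2" '
        /^[ \t]*\[/ {                              # any section header
            in_domain = ($0 ~ /^[ \t]*\[domain\//)
            print
            if (in_domain) print "entry_cache_timeout = " secs
            next
        }
        # drop the old value so the section ends up with exactly one
        in_domain && /^[ \t]*entry_cache_timeout[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Print the entry_cache_timeout value of each [domain/...] section.
domain_timeouts() {
    awk -F'[ \t]*=[ \t]*' '
        /^[ \t]*\[/ { in_domain = ($0 ~ /^[ \t]*\[domain\//) }
        in_domain && /^[ \t]*entry_cache_timeout[ \t]*=/ { print $2 }
    ' "$1"
}

# Constructed sample config; hostnames and the 600 s value are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = master.ipa.example.test

[nss]
filter_users = root
EOF

updated=$(mktemp)
set_entry_cache_timeout "$sample" 600 > "$updated"
echo "domain section timeout(s): $(domain_timeouts "$updated")"

# Then, on the IPA master and on the client alike: install the edited file as
# /etc/sssd/sssd.conf, restart sssd, and invalidate entries that still carry
# the old expiry:
#   systemctl restart sssd
#   sss_cache -E
```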


Re: [Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-13 Thread Jakub Hrozek
On Wed, Dec 09, 2015 at 12:58:23PM +0100, Winfried de Heiden wrote:
>Hi all,
> 
>Using entry_cache_timeout to set different cache timeout for sssd works
>well. However, it doesn't seem to work for Trusted Domain Users (using AD
>trust)
> 
>I made some changes, cleaned the cache but expiry will stay on a (too
>long) 10 (ten!) hours!
> 
>How can I change the sssd cache timeout for Trusted AD users ? (using IPA
>4.1)
> 
>Kind regards!

(I thought I already replied but I don't see the reply on the list and
neither in my Sent folder. Apologies if this is a duplicate).

Since it's the IPA master that fetches the identity data from the AD
server, you also need to change the cache timeouts on the server. In
addition, the cache time lifetime is stored in the cache entry itself,
so you might want to invalidate the cache with sss_cache on both the
server and the client.



Re: [Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-10 Thread Jakub Hrozek
On Thu, Dec 10, 2015 at 11:25:57AM +0100, Martin Kosek wrote:
> On 12/09/2015 12:58 PM, Winfried de Heiden wrote:
> > Hi all,
> > 
> > Using entry_cache_timeout to set different cache timeout for sssd works well.
> > However, it doesn't seem to work for Trusted Domain Users (using AD trust)
> > 
> > I made some changes, cleaned the cache but expiry will stay on a (too long) 10
> > (ten!) hours!
> > 
> > How can I change the sssd cache timeout for Trusted AD users ? (using IPA 4.1)
> > 
> > Kind regards!
> 
> I assume the option has to be specified in the respective AD domain section.
> Can you share your anonymized sssd.conf so that we can verify your settings?

Looks like I'm having issues replying to the freeipa-users list or maybe
the mails are stuck in moderation.

Let me paste the mail I sent yesterday:

~~~
Since it's the IPA master that fetches the identity data from the AD
server, you also need to change the cache timeouts on the server. In
addition, the cache time lifetime is stored in the cache entry itself,
so you might want to invalidate the cache with sss_cache on both the
server and the client.
~~~



Re: [Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-10 Thread Winfried de Heiden

  
  
Hi all,

There is no specific AD domain section. AD is used by using a
Trust between IPA and AD. There's no need for a separate AD domain
section, is there?

Kind regards,

Winny

On 10-12-15 at 11:25, Martin Kosek wrote:
> On 12/09/2015 12:58 PM, Winfried de Heiden wrote:
> > Hi all,
> >
> > Using entry_cache_timeout to set different cache timeout for sssd works well.
> > However, it doesn't seem to work for Trusted Domain Users (using AD trust)
> >
> > I made some changes, cleaned the cache but expiry will stay on a (too long) 10
> > (ten!) hours!
> >
> > How can I change the sssd cache timeout for Trusted AD users ? (using IPA 4.1)
> >
> > Kind regards!
>
> I assume the option has to be specified in the respective AD domain section.
> Can you share your anonymized sssd.conf so that we can verify your settings?



  



[Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-09 Thread Winfried de Heiden

  
  
Hi all,

Using entry_cache_timeout to set different cache timeout for sssd
works well. However, it doesn't seem to work for Trusted Domain
Users (using AD trust)

I made some changes, cleaned the cache but expiry will stay on a
(too long) 10 (ten!) hours!

How can I change the sssd cache timeout for Trusted AD users ?
(using IPA 4.1)

Kind regards!

Winny

  

