Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-05 Thread Jakub Hrozek
On Wed, May 04, 2016 at 10:51:37PM +0200, Rob Verduijn wrote:
> Hi,
> 
> I avoided the slow filling group by using the AD-Group with spaces
> (was a tad more challenging for scripting)
> 
> But here's the releases (some of them)
> 
> ipa 4.2 and sssd 1.13
> 
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

The IPA packages haven't been released yet (those will be
at least ipa-4.2.0-15.el7_2.15) but even with older packages, I would
have expected id to return the groups, "just" not getent group.

> sssd-common-1.13.0-40.el7_2.2.x86_64
> sssd-client-1.13.0-40.el7_2.2.x86_64
> sssd-ad-1.13.0-40.el7_2.2.x86_64
> 
> Cheers
> Rob Verduijn
> 
> 2016-05-04 18:06 GMT+02:00 Jakub Hrozek :
> > On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> >> to make sure I did the following on the ipa host
> >>
> >> systemctl stop sssd.service
> >> rm -f /var/lib/sss/db/*
> >> systemctl start sssd.service
> >>
> >> now there is no cheating from cache
> >> getent passwd u...@ad-domain.com works and gives userid
> >> id u...@ad-domain.com works fine and shows all groups the user is a
> >> member of including ad_linux_administrators (ipa group) and 'linux
> >> administrat...@ad-domain.com'
> >> getent group ad_linux_administrators only shows the group ad, no
> >> members, these pop up after a very long time
> >> getent group 'linux administrat...@ad-domain.com' immediately shows all members
> >
> > Please note that getent group only works with very recent versions of
> > ipa and sssd. What version are you running?
> >
> >>
> >> weird
> >>
> >> Rob Verduijn
> >>
> >> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> >> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> >> This goes especially for ad groups that are nested in ipa_groups
> >> >>
> >> >> ie :
> >> >> microsoft group is defined as an external group,
> >> >> and that external group is member of an ipa group
> >> >> and that ipa group takes forever.
> >> >>
> >> >> Regards
> >> >> Rob Verduijn
> >> >
> >> > All the work in this area is done by sssd on the server. The sssd there
> >> > runs a periodical task to re-fetch new external groups memberships every
> >> > 10 seconds. So I would expect the group memberships to turn up after 10
> >> > seconds at worst.
> >> >
> >> > Are you sure (from sssd logs) that maybe sssd is not going into offline
> >> > state and just consults its cache?
> >> >
> >> >>
> >> >>
> >> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> >> >> > Hello,
> >> >> >
> >> >> > I'm using a trust to microsoft active directory to allow users access
> >> >> > to linux servers.
> >> >> >
> >> >> > But when a user is added it takes a very long time for ipa to register this.
> >> >> > And even more time for the ipa clients since they have to wait for the
> >> >> > ipa servers.
> >> >> >
> >> >> > Since I hate to tell the users to wait for a couple hours, and also I
> >> >> > do not like to clean up the sssd cache folder each time a new user
> >> >> > appears.
> >> >> >
> >> >> > Is there a way to tell ipa and all clients to refresh their cache ?
> >> >> >
> >> >> > Regards
> >> >> > Rob Verduijn
> >> >>
> >> >> --
> >> >> Manage your subscription for the Freeipa-users mailing list:
> >> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> >> Go to http://freeipa.org for more info on the project
> >> >


Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
Hi,

I avoided the slow filling group by using the AD-Group with spaces
(was a tad more challenging for scripting)

But here's the releases (some of them)

ipa 4.2 and sssd 1.13

ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-common-1.13.0-40.el7_2.2.x86_64
sssd-client-1.13.0-40.el7_2.2.x86_64
sssd-ad-1.13.0-40.el7_2.2.x86_64

Cheers
Rob Verduijn

2016-05-04 18:06 GMT+02:00 Jakub Hrozek :
> On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
>> to make sure I did the following on the ipa host
>>
>> systemctl stop sssd.service
>> rm -f /var/lib/sss/db/*
>> systemctl start sssd.service
>>
>> now there is no cheating from cache
>> getent passwd u...@ad-domain.com works and gives userid
>> id u...@ad-domain.com works fine and shows all groups the user is a
>> member of including ad_linux_administrators (ipa group) and 'linux
>> administrat...@ad-domain.com'
>> getent group ad_linux_administrators only shows the group ad, no
>> members, these pop up after a very long time
>> getent group 'linux administrat...@ad-domain.com' immediately shows all members
>
> Please note that getent group only works with very recent versions of
> ipa and sssd. What version are you running?
>
>>
>> weird
>>
>> Rob Verduijn
>>
>> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
>> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> >> This goes especially for ad groups that are nested in ipa_groups
>> >>
>> >> ie :
>> >> microsoft group is defined as an external group,
>> >> and that external group is member of an ipa group
>> >> and that ipa group takes forever.
>> >>
>> >> Regards
>> >> Rob Verduijn
>> >
>> > All the work in this area is done by sssd on the server. The sssd there
>> > runs a periodical task to re-fetch new external groups memberships every
>> > 10 seconds. So I would expect the group memberships to turn up after 10
>> > seconds at worst.
>> >
>> > Are you sure (from sssd logs) that maybe sssd is not going into offline
>> > state and just consults its cache?
>> >
>> >>
>> >>
>> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
>> >> > Hello,
>> >> >
>> >> > I'm using a trust to microsoft active directory to allow users access
>> >> > to linux servers.
>> >> >
>> >> > But when a user is added it takes a very long time for ipa to register this.
>> >> > And even more time for the ipa clients since they have to wait for the
>> >> > ipa servers.
>> >> >
>> >> > Since I hate to tell the users to wait for a couple hours, and also I
>> >> > do not like to clean up the sssd cache folder each time a new user
>> >> > appears.
>> >> >
>> >> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >> >
>> >> > Regards
>> >> > Rob Verduijn
>> >>


Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> to make sure I did the following on the ipa host
> 
> systemctl stop sssd.service
> rm -f /var/lib/sss/db/*
> systemctl start sssd.service
> 
> now there is no cheating from cache
> getent passwd u...@ad-domain.com works and gives userid
> id u...@ad-domain.com works fine and shows all groups the user is a
> member of including ad_linux_administrators (ipa group) and 'linux
> administrat...@ad-domain.com'
> getent group ad_linux_administrators only shows the group ad, no
> members, these pop up after a very long time
> getent group 'linux administrat...@ad-domain.com' immediately shows all members

Please note that getent group only works with very recent versions of
ipa and sssd. What version are you running?

> 
> weird
> 
> Rob Verduijn
> 
> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> >> This goes especially for ad groups that are nested in ipa_groups
> >>
> >> ie :
> >> microsoft group is defined as an external group,
> >> and that external group is member of an ipa group
> >> and that ipa group takes forever.
> >>
> >> Regards
> >> Rob Verduijn
> >
> > All the work in this area is done by sssd on the server. The sssd there
> > runs a periodical task to re-fetch new external groups memberships every
> > 10 seconds. So I would expect the group memberships to turn up after 10
> > seconds at worst.
> >
> > Are you sure (from sssd logs) that maybe sssd is not going into offline
> > state and just consults its cache?
> >
> >>
> >>
> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> >> > Hello,
> >> >
> >> > I'm using a trust to microsoft active directory to allow users access
> >> > to linux servers.
> >> >
> >> > But when a user is added it takes a very long time for ipa to register this.
> >> > And even more time for the ipa clients since they have to wait for the
> >> > ipa servers.
> >> >
> >> > Since I hate to tell the users to wait for a couple hours, and also I
> >> > do not like to clean up the sssd cache folder each time a new user
> >> > appears.
> >> >
> >> > Is there a way to tell ipa and all clients to refresh their cache ?
> >> >
> >> > Regards
> >> > Rob Verduijn
> >>


Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
to make sure I did the following on the ipa host

systemctl stop sssd.service
rm -f /var/lib/sss/db/*
systemctl start sssd.service

now there is no cheating from cache
getent passwd u...@ad-domain.com works and gives userid
id u...@ad-domain.com works fine and shows all groups the user is a
member of including ad_linux_administrators (ipa group) and 'linux
administrat...@ad-domain.com'
getent group ad_linux_administrators only shows the group ad, no
members, these pop up after a very long time
getent group 'linux administrat...@ad-domain.com' immediately shows all members

weird

Rob Verduijn

2016-05-04 16:41 GMT+02:00 Jakub Hrozek :
> On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> This goes especially for ad groups that are nested in ipa_groups
>>
>> ie :
>> microsoft group is defined as an external group,
>> and that external group is member of an ipa group
>> and that ipa group takes forever.
>>
>> Regards
>> Rob Verduijn
>
> All the work in this area is done by sssd on the server. The sssd there
> runs a periodical task to re-fetch new external groups memberships every
> 10 seconds. So I would expect the group memberships to turn up after 10
> seconds at worst.
>
> Are you sure (from sssd logs) that maybe sssd is not going into offline
> state and just consults its cache?
>
>>
>>
>> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
>> > Hello,
>> >
>> > I'm using a trust to microsoft active directory to allow users access
>> > to linux servers.
>> >
>> > But when a user is added it takes a very long time for ipa to register this.
>> > And even more time for the ipa clients since they have to wait for the
>> > ipa servers.
>> >
>> > Since I hate to tell the users to wait for a couple hours, and also I
>> > do not like to clean up the sssd cache folder each time a new user
>> > appears.
>> >
>> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >
>> > Regards
>> > Rob Verduijn
>>


Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> This goes especially for ad groups that are nested in ipa_groups
> 
> ie :
> microsoft group is defined as an external group,
> and that external group is member of an ipa group
> and that ipa group takes forever.
> 
> Regards
> Rob Verduijn

All the work in this area is done by sssd on the server. The sssd there
runs a periodical task to re-fetch new external groups memberships every
10 seconds. So I would expect the group memberships to turn up after 10
seconds at worst.

Are you sure (from sssd logs) that maybe sssd is not going into offline
state and just consults its cache?

> 
> 
> 2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> > Hello,
> >
> > I'm using a trust to microsoft active directory to allow users access
> > to linux servers.
> >
> > But when a user is added it takes a very long time for ipa to register this.
> > And even more time for the ipa clients since they have to wait for the
> > ipa servers.
> >
> > Since I hate to tell the users to wait for a couple hours, and also I
> > do not like to clean up the sssd cache folder each time a new user
> > appears.
> >
> > Is there a way to tell ipa and all clients to refresh their cache ?
> >
> > Regards
> > Rob Verduijn
> 


Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
This goes especially for ad groups that are nested in ipa_groups

ie :
microsoft group is defined as an external group,
and that external group is member of an ipa group
and that ipa group takes forever.

Regards
Rob Verduijn


2016-05-04 16:10 GMT+02:00 Rob Verduijn :
> Hello,
>
> I'm using a trust to microsoft active directory to allow users access
> to linux servers.
>
> But when a user is added it takes a very long time for ipa to register this.
> And even more time for the ipa clients since they have to wait for the
> ipa servers.
>
> Since I hate to tell the users to wait for a couple hours, and also I
> do not like to clean up the sssd cache folder each time a new user
> appears.
>
> Is there a way to tell ipa and all clients to refresh their cache ?
>
> Regards
> Rob Verduijn



[Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
Hello,

I'm using a trust to microsoft active directory to allow users access
to linux servers.

But when a user is added it takes a very long time for ipa to register this.
And even more time for the ipa clients since they have to wait for the
ipa servers.

Since I hate to tell the users to wait for a couple hours, and also I
do not like to clean up the sssd cache folder each time a new user
appears.

Is there a way to tell ipa and all clients to refresh their cache ?

Regards
Rob Verduijn
