Re: [Freeipa-users] get freeipa to update ad users and groups more often
On Wed, May 04, 2016 at 10:51:37PM +0200, Rob Verduijn wrote:
> Hi,
>
> I avoided the slow filling group by using the AD-Group with spaces
> (was a tad more challenging for scripting)
>
> But here's the releases (some of them)
>
> ipa 4.2 and sssd 1.13
>
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

The IPA packages haven't been released yet (those will be at least
ipa-4.2.0-15.el7_2.15) but even with older packages, I would have
expected id to return the groups, "just" not getent group.

> sssd-common-1.13.0-40.el7_2.2.x86_64
> sssd-client-1.13.0-40.el7_2.2.x86_64
> sssd-ad-1.13.0-40.el7_2.2.x86_64
>
> Cheers
> Rob Verduijn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] get freeipa to update ad users and groups more often
Hi,

I avoided the slow filling group by using the AD-Group with spaces
(was a tad more challenging for scripting)

But here's the releases (some of them)

ipa 4.2 and sssd 1.13

ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-common-1.13.0-40.el7_2.2.x86_64
sssd-client-1.13.0-40.el7_2.2.x86_64
sssd-ad-1.13.0-40.el7_2.2.x86_64

Cheers
Rob Verduijn
Re: [Freeipa-users] get freeipa to update ad users and groups more often
On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
> to make sure I did the following on the ipa host
>
> systemctl stop sssd.service
> rm -f /var/lib/sss/db/*
> systemctl start sssd.service
>
> now there is no cheating from cache
> getent passwd u...@ad-domain.com works and gives userid
> id u...@ad-domain.com works fine and shows all groups the user is a
> member of including ad_linux_administrators (ipa group) and 'linux
> administrat...@ad-domain.com'
> getent group ad_linux_administrators only shows the group ad, no
> members, these pop up after a very long time
> getent group 'linux administrat...@ad-domain.com' immediately shows all members

Please note that getent group only works with very recent versions of
ipa and sssd. What version are you running?

>
> weird
>
> Rob Verduijn
Re: [Freeipa-users] get freeipa to update ad users and groups more often
to make sure I did the following on the ipa host

systemctl stop sssd.service
rm -f /var/lib/sss/db/*
systemctl start sssd.service

now there is no cheating from cache
getent passwd u...@ad-domain.com works and gives userid
id u...@ad-domain.com works fine and shows all groups the user is a
member of including ad_linux_administrators (ipa group) and 'linux
administrat...@ad-domain.com'
getent group ad_linux_administrators only shows the group ad, no
members, these pop up after a very long time
getent group 'linux administrat...@ad-domain.com' immediately shows all members

weird

Rob Verduijn
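Added example, not part of the original messages: a shell helper that classifies the symptom reported above, where id lists a group for a user but getent group shows that group without the member. The function names, the ad.example.test values and the sample data are constructed for illustration; check_live assumes GNU coreutils id with -z so that group names containing spaces stay intact.

```shell
#!/bin/sh
# Added example: compare the `getent group` view with the `id` view for one user.
# All sample values below are constructed; ad.example.test is a placeholder domain.

SAMPLE_NESTED='ad_linux_administrators:*:1234000004:'
SAMPLE_DIRECT='linux administrators@ad.example.test:*:1234600513:alice@ad.example.test,carol@ad.example.test'
SAMPLE_ID_GROUPS='domain users@ad.example.test
linux administrators@ad.example.test
ad_linux_administrators'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the members (4th field of a getent group line), lowercased, one per line.
getent_members() {
    printf '%s\n' "$1" | awk -F: 'NF >= 4 {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print tolower(m[i])
    }'
}

# membership_state USER GROUP GETENT_LINE ID_GROUPS
# ID_GROUPS holds one group name per line, so names with spaces are not split.
# Names are compared case-insensitively (assumption: AD-style names).
membership_state() {
    user=$(lower "$1"); group=$(lower "$2")
    in_getent=no; in_id=no
    if getent_members "$3" | grep -Fxq -- "$user"; then in_getent=yes; fi
    if printf '%s\n' "$4" | tr '[:upper:]' '[:lower:]' | grep -Fxq -- "$group"; then
        in_id=yes
    fi
    case "$in_getent/$in_id" in
        yes/yes) echo consistent-member ;;
        no/no)   echo consistent-nonmember ;;
        no/yes)  echo id-only ;;       # the symptom described in the thread
        yes/no)  echo getent-only ;;   # group lists a user that id does not resolve
    esac
}

# check_live USER GROUP: same classification against the local NSS/SSSD stack.
check_live() {
    line=$(getent group "$2") || line=""
    groups=$(id -Gnz "$1" 2>/dev/null | tr '\0' '\n')
    membership_state "$1" "$2" "$line" "$groups"
}
```

Run check_live on the IPA server and on a client for the same user and group; a result of id-only on either host matches what was reported for ad_linux_administrators.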
Re: [Freeipa-users] get freeipa to update ad users and groups more often
On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
> This goes especially for ad groups that are nested in ipa_groups
>
> ie :
> microsoft group is defined as an external group,
> and that external group is member of an ipa group
> and that ipa group takes forever.
>
> Regards
> Rob Verduijn

All the work in this area is done by sssd on the server. The sssd there
runs a periodical task to re-fetch new external groups memberships every
10 seconds. So I would expect the group memberships to turn up after 10
seconds at worst.

Are you sure (from sssd logs) that maybe sssd is not going into offline
state and just consults its cache?
Re: [Freeipa-users] get freeipa to update ad users and groups more often
This goes especially for ad groups that are nested in ipa_groups

ie :
microsoft group is defined as an external group,
and that external group is member of an ipa group
and that ipa group takes forever.

Regards
Rob Verduijn
[Freeipa-users] get freeipa to update ad users and groups more often
Hello,

I'm using a trust to microsoft active directory to allow users access
to linux servers.

But when a user is added it takes a very long time for ipa to register this.
And even more time for the ipa clients since they have to wait for the
ipa servers.

Since I hate to tell the users to wait for a couple hours, and also I
do not like to clean up the sssd cache folder each time a new user
appears.

Is there a way to tell ipa and all clients to refresh their cache ?

Regards
Rob Verduijn