On 04/18/2013 09:50 AM, John Hodrien wrote:
On Thu, 18 Apr 2013, steve wrote:
Hi
Unfortunately that only works for the first login after the change e.g.
Change uidNumber for steve2
steve2 logs in and id shows his new uid
log out
change the number back to what it was
steve2 logs in again but the uidNumber has not changed
Also, for groups:
sss_cache -g group
does not flush when primaryGroupID has been changed in AD
/var/lib/sss/db/* must be removed for this to happen
Eh? Would you expect to need to clear user not group information to force
primaryGroupID changes to get noticed?
Having the user login has no effect. getent still shows him as memberOf
(he appears alongside his now primary group and not, as should happen,
alongside his secondary group).
I have workarounds for all this but they involve going to each
client, logging in as root and either issuing the sss_cache commands
or removing the db and starting again.
Can I just query one thing? Why on earth are you changing user attributes for
users so frequently?
Yes. Thanks. We have to justify from winbind, nslcd or sssd for a
situation where 600 users can login to any one of around 80 machines in
a Samba4 domain. Adding/removing a user to a group is quite common. This
is not recognised on the clients unless root intervenes: Impossible!
Less common, but common enough in our environment is moving a user's
home directory.
We've eliminated winbind and are left with nslcd which is time consuming
to implement (but which passes all the tests), and sssd with its point
and click configuration. We'd really like to go with sssd but we have to
prove in a test lab that what we do will be covered. We simply have to
maintain the domain centrally. We cannot visit 80 clients every time a
change is made.
Forget the effect sssd has, you're completely hanging out to dry any running
processes of these users every time you do this.
As I say, nslcd copes with this. I'm trying to get to the stage where we
can configure sssd to do it too. sssd is like nslcd running with nscd:
sssd = nslcd + nscd?
Cheers,
Steve
jh
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel