On Thu, Apr 18, 2013 at 01:13:17PM +0200, steve wrote:
> On 04/18/2013 11:30 AM, John Hodrien wrote:
> >On Thu, 18 Apr 2013, steve wrote:
> >
> >>Having the user login has no effect. getent still shows him as
> >>memberOf (he appears alongside his now primary group and not, as
> >>should happen, alongside his secondary group).
> >
> >Perhaps I was misunderstanding. I thought you were changing a
> >user's primary group, and weren't seeing that updated. I'd expect
> >you to have to wait for the cache to clear, or do:
> >
> >sss_cache -u thatuser
> >
> >Maybe I was misunderstanding what you're trying to do.
> >
> >>>Can I just query one thing? Why on earth are you changing
> >>>user attributes for users so frequently?
> >
> >>Yes. Thanks. We have to justify from winbind, nslcd or sssd for
> >>a situation where 600 users can login to any one of around 80
> >>machines in a Samba4 domain. Adding/removing a user to a group
> >>is quite common. This is not recognised on the clients unless
> >>root intervenes: Impossible! Less common, but common enough in
> >>our environment is moving a user's home directory.
> >
> >It's not recognised on the clients until the cache expires, but I
> >don't see how that can not be the case. This'd also be the case
> >with Windows, where the user's PAC will be used to verify group
> >membership, which often means forcing a user to log off and back
> >on again to update group membership.
> >
> >>We've eliminated winbind and are left with nslcd which is time
> >>consuming to implement (but which passes all the tests), and
> >>sssd with its point and click configuration. We'd really like
> >>to go with sssd but we have to prove in a test lab that what we
> >>do will be covered. We simply have to maintain the domain
> >>centrally. We cannot visit 80 clients every time a change is
> >>made.
> >
> >Group membership changes propagate in our environment just fine
> >within a reasonable period of time. What should we be talking by
> >default, 5 minutes?
>
> Hi
>
> OK. I've just removed a user from a group and logged in as that
> user. After 30 minutes id, getent and tests on what he can access
> still show him to be a member. That's too long.
>

From man sssd.conf:

    entry_cache_timeout (integer)
        How many seconds should nss_sss consider entries valid before
        asking the backend again
        Default: 5400

So the default cache lifetime is 5400 seconds, you can set a shorter one
if you need the entries to be updated more frequently.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
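As an added illustration (not part of the thread, and not taken from the sssd project's own documentation), this is where the `entry_cache_timeout` setting from the reply above goes: it is a per-domain option, so it lives in the `[domain/...]` section of `/etc/sssd/sssd.conf`, not in `[nss]`. The domain name `example.com` and the 300-second value are assumptions chosen for the example; pick a value that balances how quickly a revoked group membership must stop being honoured on the client against the extra load on the directory server, and use `sss_cache -u <user>` (already mentioned in the thread) when a single change must take effect before the timeout expires.

```ini
# /etc/sssd/sssd.conf (example fragment; domain name is a placeholder)
[sssd]
domains = example.com
services = nss, pam

[nss]
# No cache timeout here: entry_cache_timeout is a domain-level option.

[domain/example.com]
# The option from the reply: how many seconds nss_sss treats cached
# user/group entries as valid before asking the backend again.
# Default is 5400 (90 minutes); 300 shortens the window during which a
# client still honours a group membership that was removed centrally.
entry_cache_timeout = 300
```

After editing the file, restart sssd so the new value is read. A shorter timeout only bounds how long stale data is served; for an urgent change such as removing a user from an access-granting group, invalidate the cache explicitly with `sss_cache -u thatuser` on the affected client rather than waiting for expiry.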