All,

This new sssd version for RHEL7 (sssd-1.16.5-10.el7_9.11) fixes a bug
we’ve seen in sssd. This bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1984591 . (Thanks, Sumit!)

We’ve verified this bugfix – that it only auto-discovers the expected
domains now, not the extra domains that it shouldn’t discover. So how
best to roll out this new bugfixed sssd version? (We do “no downtime” OS
patching + kernel splicing monthly, so we try to be gentle in our monthly
patching.)

Right now, the following domains have been auto-discovered:

[root@spikeol73canbo yum.repos.d]# sssctl domain-list
amer.company.com
company.com
emea.company.com
apac.company.com
japn.company.com
EMEAICMD.geodll.company.com
geocompany.company.com
EMEAICM.GEOCOMPANY.COMPANY.COM
alienware.com
corp.svcs
perotsystems.net
companyservices.dmz
Beer.Town
production.online.company.com
jp-poclab.companypoc.com
emea-poclab.companypoc.com
oldev.preol.company.com
olqa.preol.company.com
ap-poclab.companypoc.com
[root@spikeol73canbo yum.repos.d]#

Only the top 5 AD domains are good domains that should be discovered.



When I yum upgrade to this new good sssd version all the above domains are
still cached. Even if I do ‘sssctl cache-expire -E’, these cached bogus
domains still are not cleaned up. If I aggressively clear the sssd cache
as so:

systemctl stop sssd
cd /var/lib/sss
rm -rf db/*
rm -f mc/*
systemctl start sssd

that clears the cache. But that’s pretty invasive to push out as part of
monthly patching.

1. Is there a kinder, gentler way to expire these bogus cached AD
   domains? Along the lines of sssctl cache-expire -E or sssctl cache-expire
   -d <bogus domain>?

2. If we let this new sssd version sit for 1-2 days, will these bogus
   auto-discovered AD domains auto-expire from cache on their own?

Spike
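
A check that could be run on each host after the upgrade to see whether domains outside the expected set are still listed. This is an added example, not part of the original message: the function name unexpected_domains and the EXPECTED_DOMAINS variable are assumptions, and the expected list is the first five domains from the listing above.

```shell
#!/bin/sh
# Added example (not from the original message): list domains that sssd
# reports but that are not on the expected list.

# Assumption: the five domains the message calls good.
EXPECTED_DOMAINS="amer.company.com company.com emea.company.com apac.company.com japn.company.com"

# Reads `sssctl domain-list` output on stdin and prints every domain that is
# not in EXPECTED_DOMAINS. Comparison is case-insensitive because DNS names
# are. Exit status: 0 = only expected domains, 1 = at least one extra domain.
unexpected_domains() {
    awk -v expected="$EXPECTED_DOMAINS" '
        BEGIN {
            n = split(tolower(expected), e, " ")
            for (i = 1; i <= n; i++) ok[e[i]] = 1
        }
        { gsub(/[ \t\r]/, "") }          # tolerate padding and CRLF
        $0 == "" { next }                # skip blank lines
        !(tolower($0) in ok) { print; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample input: a few lines copied from the listing in the message.
SAMPLE_OUTPUT='amer.company.com
company.com
EMEAICM.GEOCOMPANY.COMPANY.COM
Beer.Town
corp.svcs'

# On a real host: sssctl domain-list | unexpected_domains
if extra=$(printf '%s\n' "$SAMPLE_OUTPUT" | unexpected_domains); then
    echo "only expected domains are listed"
else
    echo "unexpected domains still listed:"
    echo "$extra"
fi
```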