Vivianne,

Is this with a simple AD forest (single domain)?

We see lost memberships for accounts sporadically too, but only for cross-domain accounts (another domain, same forest). And it does not occur nearly as frequently as for you -- might be a single account once every 5 hrs. Like you, invalidating it clears the error for the account temporarily.

Are you using tokengroups to ascertain your AD group memberships? Initially we weren't, but we found tokengroups are dependable and a great performance win (over recursive LDAP searches).

Spike

On Wed, Jun 28, 2023 at 10:14 AM <[email protected]> wrote:

> Hello,
>
> I'm using SSSD with LDAP and NSS enabled for user/group information.
> Originally, groups besides the primary group would be "forgotten"/no longer
> be present. Invalidating the cache with sss_cache -u (username) temporarily
> fixes it, and through testing I found it'd reoccur 5 minutes after forced
> cache invalidation. I realized NIS was mistakenly in our nsswitch.conf and
> removed it, and now it seems to happen about every 45 minutes consistently.
> If you leave the machine for a while and come back then they'll be present
> again. I've set debug_log=10 under all our conf sections but don't really
> see anything relevant in the logs watching them with tail while checking
> group presence. I'm not experienced with SSSD administration, so I'd
> appreciate any tips on triaging this further. Thanks all.
>
> Vivianne
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
