Vivianne,
Is this with a simple AD forest (single domain)?
We see lost memberships for accounts sporadically too, but only for
cross-domain accounts (another domain in the same forest). And it does not
occur nearly as frequently as for you -- it might be a single account once
every 5 hrs. Like you, invalidating it clears the error for the account
temporarily.
Are you using tokengroups to ascertain your AD group memberships?
Initially we weren't, but we found tokengroups are dependable and a great
performance win (over recursive LDAP searches).
Spike
On Wed, Jun 28, 2023 at 10:14 AM <vivianne(a)chinstrap.org> wrote:
Hello,
I'm using SSSD with LDAP and NSS enabled for user/group information.
Originally, groups besides the primary group would be "forgotten" (no longer
present). Invalidating the cache with sss_cache -u (username) temporarily
fixes it, and through testing I found it'd reoccur 5 minutes after forced
cache invalidation. I realized NIS was mistakenly in our nsswitch.conf and
removed it, and now it seems to happen about every 45 minutes consistently.
If you leave the machine for a while and come back then they'll be present
again. I've set debug_log=10 under all our conf sections but don't really
see anything relevant in the logs watching them with tail while checking
group presence. I'm not experienced with SSSD administration, so I'd
appreciate any tips on triaging this further. Thanks all.
Vivianne
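To narrow down the interval at which memberships vanish, an added poller (example code, not from either message or from the SSSD project) snapshots the account's supplementary groups with `id -Gn` and logs a timestamp the moment any group from the first snapshot is missing, so the event can be lined up against the sssd_nss and domain log timestamps. The account name and polling interval are supplied by the caller; `lost_groups` and `watch_groups` are names assumed for this example.

```shell
#!/bin/sh
# Added example: watch a user's supplementary groups and log when they drop.
# Assumes "id -Gn" reflects what NSS/SSSD currently returns for the account.

# lost_groups BASELINE CURRENT
# Both arguments are space-separated group lists. Prints, one per line,
# every group present in BASELINE but absent from CURRENT.
lost_groups() {
    baseline=$1
    current=$2
    for g in $baseline; do
        case " $current " in
            *" $g "*) ;;              # group still present
            *) printf '%s\n' "$g" ;;  # group lost since baseline
        esac
    done
}

# watch_groups USER [INTERVAL_SECONDS]
# Takes an initial snapshot, then re-queries every INTERVAL seconds
# (default 60) and logs a timestamped line whenever groups are missing.
watch_groups() {
    user=$1
    interval=${2:-60}
    baseline=$(id -Gn "$user") || return 1
    printf '%s baseline: %s\n' "$(date '+%F %T')" "$baseline"
    while :; do
        sleep "$interval"
        if ! current=$(id -Gn "$user"); then
            printf '%s lookup failed for %s\n' "$(date '+%F %T')" "$user"
            continue
        fi
        lost=$(lost_groups "$baseline" "$current")
        if [ -n "$lost" ]; then
            printf '%s LOST: %s\n' "$(date '+%F %T')" \
                "$(printf '%s' "$lost" | tr '\n' ' ')"
        fi
    done
}

# Polling only starts when run as:  sh watch_groups.sh watch <user> [interval]
# (the account name is a placeholder to fill in; nothing runs otherwise).
case "${1:-}" in
    watch) watch_groups "$2" "${3:-60}" ;;
esac
```

Run it in one terminal while tailing the SSSD logs in another; the LOST timestamps mark where to look in the logs.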
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org