On Fri, Jul 14, 2017 at 03:19:57PM -0000, bogusmaster--- via FreeIPA-users wrote:
On Fri, Jul 14, 2017 at 10:00:20AM -0000, bogusmaster--- via FreeIPA-users wrote:
yes, but I think this is only a side effect. SSSD cannot resolve a global catalog server. Does
dig SRV _gc._tcp.td.mydomain.com
return anything when called on the IPA server?
It didn't. I've added a DNS entry and now it works like this:
dig +short SRV _gc._tcp.td.mydomain.com
0 100 389 dc.td.mydomain.com.
What DNS server are you using? Typically the AD DNS servers will have set this automatically.
Now when I clear the server's cache by removing the files in /var/lib/sss/db/ and restart the sssd daemon, it apparently behaves as it should - the ad_users group that I use for HBAC for AD users gets updated. sss_cache -E doesn't work for me and I have to delete the cache files manually. I will test group membership propagation a little bit more to be 100% sure, though.
Is there any other way for these changes to propagate without a restart? I have this entry in sssd.conf: entry_cache_timeout = 60 but it doesn't seem to work.
This might be a side effect of the timestamp cache. If there is no change in the related object on the server side, the update might be skipped.
Does it work if you remove only the timestamp cache from /var/lib/sss/db/ ?
bye, Sumit
Best, Bart
It is most probably the GID of the 'Domain Users' group of the AD domain.
Please remove the entry again, it might cause all kinds of irritations.
I've removed that, it was just for the testing purpose.