On Fri, Jul 14, 2017 at 10:00:20AM -0000, bogusmaster--- via FreeIPA-users wrote:
Yes, but I think this is only a side effect. SSSD cannot resolve a global catalog server. Does

dig SRV _gc._tcp.td.mydomain.com

return anything when called on the IPA server?
It didn't. I've added a DNS entry and now it works like this:

dig +short SRV _gc._tcp.td.mydomain.com
0 100 389 dc.td.mydomain.com.

Now when I clear the server's cache by removing the files in /var/lib/sss/db/ and restart the sssd daemon, it apparently behaves as it should: the ad_users group that I use for HBAC for AD users gets updated. sss_cache -E doesn't work for me and I have to delete the cache files manually. I will test group membership propagation a little bit more to be 100% sure, though.
Is there any other way for these changes to propagate without a restart? I have this entry in sssd.conf: entry_cache_timeout = 60, but it doesn't seem to work.
Best, Bart
It is most probably the GID of the 'Domain Users' group of the AD domain.
Please remove the entry again, it might cause all kind of irritations.
I've removed that, it was just for testing purposes.
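The diagnostic step in this thread is to check whether the `_gc._tcp` SRV lookup returns anything at all; an empty answer is exactly the failure mode the AD provider ran into. Below is an added example (not from the thread or from SSSD itself) that parses `dig +short SRV` output, validates each answer line, orders targets by priority (higher weight first within a priority, a deterministic stand-in for the weighted random choice in RFC 2782), and reports the empty-answer case distinctly. The record `0 100 389 dc.td.mydomain.com.` is the one from the thread; the multi-record answer and the host names `dc1`/`dc2`/`dc3` are constructed sample input.

```python
"""Parse and rank `dig +short SRV` answers for an AD Global Catalog lookup.

Added example; not code from the FreeIPA-users thread or from SSSD.
"""
import re
from typing import List, NamedTuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# One `dig +short SRV` answer line: "<priority> <weight> <port> <target>"
SRV_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_srv_short(output: str) -> List[SrvRecord]:
    """Turn `dig +short SRV` output into records, lowest priority first.

    Within one priority, higher weight sorts first (deterministic simplification
    of RFC 2782's weighted random selection). Raises ValueError on anything
    that is not a well-formed SRV answer line, e.g. dig error text.
    """
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError(f"not a dig +short SRV answer line: {line!r}")
        prio, weight, port, target = m.groups()
        port_i = int(port)
        if not 1 <= port_i <= 65535:
            raise ValueError(f"port out of range in SRV answer: {line!r}")
        # dig prints the target as an FQDN with a trailing dot; drop it.
        records.append(SrvRecord(int(prio), int(weight), port_i, target.rstrip(".")))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def check_gc_answer(output: str) -> str:
    """Summarise a `_gc._tcp` lookup the way an admin would read it."""
    records = parse_srv_short(output)
    if not records:
        # This is the state the thread started in: no record, so the AD
        # provider has no Global Catalog to talk to.
        return "NO SRV RECORD: _gc._tcp lookup returned nothing"
    best = records[0]
    return (f"OK: preferred GC {best.target}:{best.port} "
            f"(priority {best.priority}, weight {best.weight}, "
            f"{len(records)} record(s))")


# Constructed sample inputs.
EMPTY_ANSWER = ""                                  # before the DNS entry was added
THREAD_ANSWER = "0 100 389 dc.td.mydomain.com.\n"  # the answer quoted in the thread
MULTI_ANSWER = (                                   # constructed, three GC servers
    "10 50 3268 dc3.td.mydomain.com.\n"
    "0 100 3268 dc1.td.mydomain.com.\n"
    "0 200 3268 dc2.td.mydomain.com.\n"
)

if __name__ == "__main__":
    for label, answer in [("empty", EMPTY_ANSWER), ("thread", THREAD_ANSWER),
                          ("multi", MULTI_ANSWER)]:
        print(f"{label:>6}: {check_gc_answer(answer)}")
```

To use it against a live lookup, pipe the real command into it, for example `dig +short SRV _gc._tcp.td.mydomain.com | python3 -c 'import sys, srvcheck; print(srvcheck.check_gc_answer(sys.stdin.read()))'` (the module name `srvcheck` is an assumption about where you save the file). The parser is strict on purpose: a `;; connection timed out` line from dig raises an error instead of being silently treated as "no record".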