Hey again, I'm trying to track down how to ensure ssh keys are added AND removed quickly.
Right now it seems I must restart ipa services or sss_cache -E to force them to update, and there doesn't seem to be a determinate amount of time to allow replication.
Note, SSH keys are stored in the "Default View" for external users (external one-way trust with AD).
Thanks, -Jake
Looks like this is applied immediately, but required a service sssd restart; sss_cache -E
Do these attributes have a TTL set?
I know these are all SSSD-specific questions, and not directly related to FreeIPA.
Thanks, Jake
From: "freeipa-users" freeipa-users@lists.fedorahosted.org
To: "freeipa-users" freeipa-users@lists.fedorahosted.org
Cc: "Jake" email@ml.jacobdevans.com
Sent: Tuesday, May 30, 2017 1:15:32 PM
Subject: [Freeipa-users]SSH Key replication time/issues
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Tue, May 30, 2017 at 02:18:18PM -0400, Jake via FreeIPA-users wrote:
Looks like this is applied immediately, but required a service sssd restart; sss_cache -E
This shouldn't be the case, can you describe step-by-step what exactly are you doing, what are the unexpected results and what do you expect to see?
On Tue, May 30, 2017 at 02:18:18PM -0400, Jake via FreeIPA-users wrote:
Looks like this is applied immediately, but required a service sssd restart; sss_cache -E
Do these attributes have a TTL set?
I know these are all SSSD-specific questions, and not directly related to FreeIPA.
The keys are stored in the SSSD cache and the cache objects have a lifetime. Please check entry_cache_timeout or entry_cache_user_timeout in man sssd.conf for details.
HTH
bye, Sumit
Jakub/Sumit,
I'm using /usr/bin/sss_ssh_authorizedkeys to check keys as ssh access is my primary concern. In my recent tests I changed the key listed on the local upstream server from the server line in /etc/ipa/default.conf and the ssh-key showed up after 8 minutes, remote servers (replica ipa servers) took another 30 minutes.
Same process to delete the key, took 45 minutes from local change to remote server via replica (deleted at 9:52, refreshed at 10:30) which makes me think it's more the ldap replication over sss cache.
entry_cache_timeout is the default 5400 seconds (and its children follow that value)
I assume if I want/need this to expire/replicate faster, I would want to set entry_cache_user_timeout to a value closer to a few minutes (300-900), can you see any drawbacks to this?
Is this value required on Server, Clients, Both?
As always, you guys are excellent and I really appreciate all the help!
Thanks, -Jacob
----- Original Message -----
From: "freeipa-users" freeipa-users@lists.fedorahosted.org
To: "freeipa-users" freeipa-users@lists.fedorahosted.org
Cc: "Sumit Bose" sbose@redhat.com
Sent: Wednesday, May 31, 2017 5:01:22 AM
Subject: [Freeipa-users]Re: [Freeipa-users]SSH Key replication time/issues
On Wed, May 31, 2017 at 10:32:32AM -0400, Jake via FreeIPA-users wrote:
Jakub/Sumit,
I'm using /usr/bin/sss_ssh_authorizedkeys to check keys as ssh access is my primary concern. In my recent tests I changed the key listed on the local upstream server from the server line in /etc/ipa/default.conf and the ssh-key showed up after 8 minutes, remote servers (replica ipa servers) took another 30 minutes.
Same process to delete the key, took 45 minutes from local change to remote server via replica (deleted at 9:52, refreshed at 10:30) which makes me think it's more the ldap replication over sss cache.
entry_cache_timeout is the default 5400 seconds (and its children follow that value)
Please note that since the cache expiration times are stored in the cache, you should call sss_cache -E after changing the timeouts or nuke the .ldb files completely.
I assume if I want/need this to expire/replicate faster, I would want to set entry_cache_user_timeout to a value closer to a few minutes (300-900), can you see any drawbacks to this?
Just more frequent LDAP lookups.
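As an added example (not code from the thread or from the SSSD project), a POSIX shell helper that sets entry_cache_user_timeout inside one [domain/...] section of sssd.conf, reports the lifetime that will actually apply to user entries using the fallback the thread describes (entry_cache_user_timeout, else entry_cache_timeout, else the 5400 s default), and then performs the sss_cache -E and sssd restart Jakub says are needed because expiry timestamps already in the cache are not rewritten by a config change. The domain name, config path and user name are assumptions.

```shell
# Rewrite (or add) entry_cache_user_timeout inside [domain/<name>] only,
# leaving other sections untouched. Idempotent: a second call replaces the line.
set_user_cache_timeout() {
    conf=$1 domain=$2 secs=$3
    awk -v sec="[domain/$domain]" -v line="entry_cache_user_timeout = $secs" '
        $0 == sec { insec = 1; print; next }
        /^\[/     { if (insec && !done) { print line; done = 1 }
                    insec = 0 }
        insec && $0 ~ /^[ \t]*entry_cache_user_timeout[ \t]*=/ {
                    print line; done = 1; next }
                  { print }
        END       { if (insec && !done) print line }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the TTL that applies to user entries (and therefore their SSH keys):
# entry_cache_user_timeout, else entry_cache_timeout, else sssd's 5400 s default.
effective_user_ttl() {
    conf=$1 domain=$2
    awk -v sec="[domain/$domain]" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && /^[ \t]*entry_cache_user_timeout[ \t]*=/ { sub(/.*=[ \t]*/, ""); u = $0 }
        insec && /^[ \t]*entry_cache_timeout[ \t]*=/      { sub(/.*=[ \t]*/, ""); e = $0 }
        END { print (u != "" ? u : (e != "" ? e : 5400)) }
    ' "$conf"
}

# On a live host: invalidate every cached entry (the stored expiry times do not
# change on their own), restart sssd, and show the keys now served for a user.
# Skips cleanly on machines without sssd, e.g. when run as a dry test.
apply_and_verify() {
    user=$1
    command -v sss_cache >/dev/null 2>&1 || { echo "sssd not installed here" >&2; return 1; }
    sss_cache -E
    systemctl restart sssd
    sss_ssh_authorizedkeys "$user"
}

# Assumed values: edit /etc/sssd/sssd.conf, domain ipa.example.test, user jdoe.
# set_user_cache_timeout /etc/sssd/sssd.conf ipa.example.test 600
# effective_user_ttl    /etc/sssd/sssd.conf ipa.example.test
# apply_and_verify jdoe
```

Run set_user_cache_timeout on every client whose sssd answers AuthorizedKeysCommand; the setting lives in each host's own sssd.conf, so the trade-off Jakub names (more frequent LDAP lookups) is paid per host.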