On 04/18/2013 11:30 AM, John Hodrien wrote:
On Thu, 18 Apr 2013, steve wrote:
Having the user log in has no effect. getent still shows him as memberOf (he appears alongside his now primary group and not, as should happen, alongside his secondary group).
Perhaps I was misunderstanding. I thought you were changing a user's primary group, and weren't seeing that updated. I'd expect you to have to wait for the cache to clear, or do:
sss_cache -u thatuser
Maybe I was misunderstanding what you're trying to do.
Can I just query one thing? Why on earth are you changing user attributes for users so frequently?
Yes. Thanks. We have to justify from winbind, nslcd or sssd for a situation where 600 users can login to any one of around 80 machines in a Samba4 domain. Adding/removing a user to a group is quite common. This is not recognised on the clients unless root intervenes: Impossible! Less common, but common enough in our environment is moving a user's home directory.
It's not recognised on the clients until the cache expires, but I don't see how that can not be the case. This'd also be the case with windows, where the user's PAC will be used to verify group membership, which often means forcing a user to log off and back on again to update group membership.
We've eliminated winbind and are left with nslcd, which is time consuming to implement (but which passes all the tests), and sssd with its point-and-click configuration. We'd really like to go with sssd but we have to prove in a test lab that what we do will be covered. We simply have to maintain the domain centrally. We cannot visit 80 clients every time a change is made.
Group membership changes propagate in our environment just fine within a reasonable period of time. What should we be talking by default, 5 minutes?
Hi OK. I've just removed a user from a group and logged in as that user. After 30 minutes id, getent and tests on what he can access still show him to be a member. That's too long.
Could you do me a big favour and have a look at our client conf?
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = DOLORES.SITE
krb5_server = doloresdc.dolores.site
krb5_kpasswd = doloresdc.dolores.site

ldap_uri = ldap://doloresdc.dolores.site
ldap_search_base = dc=dolores,dc=site
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=dolores,dc=site
ldap_group_name = cn
ldap_group_member = member
ldap_user_search_filter = (&(objectCategory=User)(uidNumber=*))

ldap_sasl_mech = gssapi
ldap_sasl_authid = ALGORFA$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
Cheers
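As an added example (not written by anyone in this thread), the following Python script reads an sssd.conf and works out how long a group-membership change can keep being served from the client's cache. It relies on one documented fact from sssd.conf(5): when `entry_cache_timeout` is not set it defaults to 5400 seconds (90 minutes), and `entry_cache_group_timeout` / `entry_cache_user_timeout` default to whatever `entry_cache_timeout` is. The embedded config is a constructed, reformatted subset of the one posted above; it sets no cache timeout at all, which is enough to explain why a removal is still visible after 30 minutes. The script also builds a variant with a shorter timeout so the two can be compared.

```python
import configparser
import io

# Documented in sssd.conf(5): entry_cache_timeout defaults to 5400 s when unset,
# and the per-object timeouts fall back to entry_cache_timeout.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
PER_OBJECT_KEYS = ("entry_cache_user_timeout", "entry_cache_group_timeout")

# Constructed sample: a subset of the posted client config, no cache timeout set.
SAMPLE_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://doloresdc.dolores.site
ldap_search_base = dc=dolores,dc=site
ldap_group_member = member
ldap_user_search_filter = (&(objectCategory=User)(uidNumber=*))
ldap_sasl_mech = gssapi
ldap_sasl_authid = ALGORFA$
"""


def parse_sssd_conf(conf_text):
    """Parse sssd.conf-style text. Interpolation is off because LDAP values may contain '%'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser


def effective_cache_timeouts(conf_text):
    """Return {domain: {option: seconds}} for each domain listed under [sssd] domains,
    applying the sssd.conf(5) defaults for anything the file leaves unset."""
    parser = parse_sssd_conf(conf_text)
    domains_value = parser.get("sssd", "domains", fallback="")
    result = {}
    for dom in (d.strip() for d in domains_value.split(",")):
        if not dom:
            continue
        section = f"domain/{dom}"
        base = parser.getint(section, "entry_cache_timeout",
                             fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
        timeouts = {"entry_cache_timeout": base}
        for key in PER_OBJECT_KEYS:
            timeouts[key] = parser.getint(section, key, fallback=base)
        result[dom] = timeouts
    return result


def group_change_may_be_stale(conf_text, domain, seconds_since_change):
    """True if a group-membership change made this many seconds ago can still be
    answered from the cached group entry (i.e. nobody ran sss_cache)."""
    timeouts = effective_cache_timeouts(conf_text)[domain]
    return seconds_since_change < timeouts["entry_cache_group_timeout"]


def with_timeout(conf_text, domain, seconds):
    """Return a copy of the config with entry_cache_timeout set for one domain,
    so a tuned variant can be compared against the original."""
    parser = parse_sssd_conf(conf_text)
    parser.set(f"domain/{domain}", "entry_cache_timeout", str(seconds))
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    observed = 30 * 60  # the thread reports the user still in the group after 30 minutes
    for label, conf in (("as posted", SAMPLE_CONF),
                        ("entry_cache_timeout = 300", with_timeout(SAMPLE_CONF, "default", 300))):
        t = effective_cache_timeouts(conf)["default"]
        stale = group_change_may_be_stale(conf, "default", observed)
        print(f"{label}: group cache lifetime {t['entry_cache_group_timeout']} s; "
              f"change from {observed} s ago {'can' if stale else 'cannot'} still be cached")
```

With the config as posted, the group entry lives for 5400 seconds, so a removal made 30 minutes earlier is still answered from the cache; with `entry_cache_timeout = 300` it would have expired. The trade-off in lowering it is more lookups against the DC; the immediate, targeted fix remains flushing the affected user or group with `sss_cache -u <user>` or `sss_cache -g <group>` on the client.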