On Thu, 2011-09-22 at 13:50 +0200, Jan Zelený wrote:
> Hello,
>
> I have this nsswitch configuration:
>
> passwd: compat
> passwd_compat: sss
> #shadow: files ldap
> #group: files ldap
>
> #passwd: files sss
> #passwd: compat sss
> shadow: files sss
> group: files sss
>
> hosts: files dns
> bootparams: files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
> netgroup: sss
> publickey: nisplus
> automount: files ldap
> aliases: files
> sudoers: files ldap
>
>
> Currently I am having problems with sssd handling netgroup changes.
>
> When I add or remove a user from a netgroup, those changes are not
> replicated automatically to clients. Could something be wrong with my
> sssd.conf configuration?
>
> If you can give me a hand I would really appreciate it.
>
> Thanks,
>
> Francisco Marin
Hi,
my first guess would be cache expiration. Did you try running sss_cache -N on
the client before trying if the propagation worked?

The issue here is almost certainly cache expiration. Once you have
requested a netgroup, it will be available for entry_cache_timeout
seconds (defaults to 90 minutes). So changing the value on the server
won't have an effect on the client until up to 90 minutes later.

You can change this timeout by setting the following in the
[domain/DOMAINNAME] section of sssd.conf:

    entry_cache_timeout = 90

(to set it to 90 seconds)

You can also purge your cache immediately by stopping SSSD and removing
the file /var/lib/sss/db/cache_DOMAINNAME.ldb.

In SSSD 1.6.0 and later, you can also use the sss_cache command like Jan
described above to immediately expire all cache entries (without
deleting the cache).
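
An added example, not part of the thread or of SSSD itself: a small audit that reads an sssd.conf and reports, per enabled domain, how long a netgroup change on the server can stay invisible to the client, using the entry_cache_timeout setting and the 90-minute default described above. The sample configuration, the domain names EXAMPLE and LAB, and the function names are constructed for illustration.

```python
import configparser

# Default stated in the thread: 90 minutes, expressed in seconds.
DEFAULT_ENTRY_CACHE_TIMEOUT = 90 * 60

# Constructed sample sssd.conf; EXAMPLE and LAB are placeholder domain names.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = EXAMPLE, LAB

[domain/EXAMPLE]
id_provider = ldap
# no entry_cache_timeout set, so the default applies

[domain/LAB]
id_provider = ldap
entry_cache_timeout = 90
"""


def stale_windows(conf_text):
    """Map each enabled domain to its cache lifetime in seconds."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    listed = cp.get("sssd", "domains", fallback="")
    windows = {}
    for name in (d.strip() for d in listed.split(",")):
        if not name:
            continue
        section = "domain/" + name
        if not cp.has_section(section):
            raise ValueError("domain %s is enabled but [%s] is missing" % (name, section))
        windows[name] = cp.getint(
            section, "entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
    return windows


def over_limit(conf_text, max_seconds):
    """Domains where a membership change can lag longer than max_seconds."""
    return sorted(d for d, s in stale_windows(conf_text).items() if s > max_seconds)


def cache_file(domain):
    """Path of the per-domain cache file named in the thread."""
    return "/var/lib/sss/db/cache_%s.ldb" % domain


if __name__ == "__main__":
    for domain, seconds in stale_windows(SAMPLE_SSSD_CONF).items():
        print("%s: changes may lag up to %d s (%s)" % (domain, seconds, cache_file(domain)))
```

Where netgroups gate access, the reported window is also how long a removed user can still match on a client unless the cache is expired with sss_cache or purged as described above.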