On Thu, Aug 17, 2017 at 03:36:20PM +1000, Lachlan Musicman wrote:
> We use FreeIPA/SSSD to authenticate our RStudio Server, which we control
> via HBAC membership of an AD group.
...
> 1. Why is the group override not working and how can I get it working or
> change our set up so that it does work
Could you please describe how you set up the group membership with the
override so that we could set up a similar environment locally?
> 2. If this is because users are being timed out of the sss db cache
> (/var/lib/sss/db/cache_<domain>.ldb ), how can I set the cache refresh to a
> much much longer period?
During login, the group membership should always be fetched again from
the server, so the cache should effectively be ignored, precisely so that
we want the group membership to be very precise during login. The only
additional cache might be the sssd cache for the AD domain data, because
the identity data of the AD users are fetched from the IPA server.
But unless your group memberships or overrides are changing a lot, this
shouldn't be an issue.