On Mon, 2018-03-12 at 20:36 +0100, Jakub Hrozek wrote:
> On 12 Mar 2018, at 14:59, Joakim Tjernlund <Joakim.Tjernlund(a)infinera.com> wrote:
>
> On Sun, 2018-03-11 at 21:38 +0100, Jakub Hrozek wrote:
> >
> > > On 9 Mar 2018, at 14:45, Joakim Tjernlund <Joakim.Tjernlund(a)infinera.com> wrote:
> > >
> > > On Fri, 2018-03-09 at 13:28 +0100, Jakub Hrozek wrote:
> > > >
> > > > SSSD 1.16.1
> > > > ===========
> > > >
> > > > The SSSD team is proud to announce the release of version 1.16.1 of the
> > > > System Security Services Daemon.
> > > >
> > > > The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
> > > >
> > > > RPM packages will be made available for Fedora shortly.
> > > >
> > > > Feedback
> > > > --------
> > > > Please provide comments, bugs and other feedback
> > > > via the sssd-devel or sssd-users mailing lists:
> > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> > > >
> > >
> > > Did a quick test here and it seems like enumerate = true is
> > > broken. Is it just me or .. ?
> >
> > I don’t know about any bugs around enumeration in 1.16.1. Maybe you found an issue, but it’s hard to say without more context.
>
> OK, thanks.
> I am a bit pressed for time but I did install 1.16.1 on another machine as well and now I see
> a pattern:
> I cleared the sss/db and rebooted, logged in and tested again with good old finger command
> and it failed, I waited 5-10 mins and finger still failed. Went on lunch and
> when I got back finger worked!
>
> It seems that enumerate can take a very long time?

Yes, but that should be no different from 1.16.0. Do the two versions behave differently for you?

Yes, I don't recall 1.16.0 taking that long.
One odd thing I noticed:
finger -m <user name>
will fail with enumerate=true until the enumeration is done.
With enumerate=false it will always succeed, even after a restart with empty cache.

Did you already check the sssd logs if there is anything interesting there?

No, not yet, don't have the BW to process these ATM.

btw the config file you posted uses enumerate=false, did you revert from true because of the issue you are seeing?

yes, I did revert before sending the config file, sorry for that.

> sssd.conf(minor edits):
>
> [sssd]
> config_file_version = 2
> domains = xxx.com
> services = nss, pam
> #debug_level = 0x0fff
>
> [nss]
> fallback_homedir = /home/%u
> default_shell = /bin/bash
> #debug_level = 0x0fff
> enum_cache_timeout = 3600
> entry_negative_timeout = 300
>
> [pam]
> #debug_level = 0x0fff
>
> [domain/xxx.com]
> #debug_level = 0xffff
>
> timeout = 30
> ad_maximum_machine_account_password_age = 0
>
> ignore_group_members = false
> ldap_id_mapping = false
> cache_credentials = true
> enumerate = false
> ldap_enumeration_refresh_timeout = 1800
> entry_cache_timeout = 3600
> refresh_expired_interval = 2700
>
> id_provider = ad
> auth_provider = ad
> access_provider = permit
> chpass_provider = ad
>
> dyndns_update = true
> dyndns_refresh_interval = 600
> dyndns_update_ptr = true
> dyndns_ttl = 3600
> case_sensitive = false
>
> ldap_referrals = false
> ldap_sasl_mech = GSSAPI
> ldap_schema = rfc2307bis
>
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
>
> krb5_realm = XXXX.COM
> krb5_canonicalize = true
> krb5_store_password_if_offline = true
> krb5_use_kdcinfo = False
> krb5_renewable_lifetime = 7d
> krb5_lifetime = 24h
> krb5_renew_interval = 4h
>
> Jocke
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org