On Sun, 2018-03-11 at 21:38 +0100, Jakub Hrozek wrote:
> On 9 Mar 2018, at 14:45, Joakim Tjernlund <Joakim.Tjernlund(a)infinera.com> wrote:
>
> On Fri, 2018-03-09 at 13:28 +0100, Jakub Hrozek wrote:
> >
> >
> > SSSD 1.16.1
> > ===========
> >
> > The SSSD team is proud to announce the release of version 1.16.1 of the
> > System Security Services Daemon.
> >
> > The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
> >
> > RPM packages will be made available for Fedora shortly.
> >
> > Feedback
> > --------
> > Please provide comments, bugs and other feedback
> > via the sssd-devel or sssd-users mailing lists:
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> >
>
> Did a quick test here and it seems like enumerate = true is
> broken. Is it just me or .. ?
I don’t know about any bugs around enumeration in 1.16.1. Maybe you found an issue,
but it’s hard to say without more context.

OK, thanks.
I am a bit pressed for time but I did install 1.16.1 on another machine as well and
now I see a pattern:
I cleared the sss/db and rebooted, logged in and tested again with good old finger
command and it failed, I waited 5-10 mins and finger still failed. Went on lunch and
when I got back finger worked!

It seems that enumerate can take a very long time?

sssd.conf (minor edits):
[sssd]
config_file_version = 2
domains = xxx.com
services = nss, pam
#debug_level = 0x0fff
[nss]
fallback_homedir = /home/%u
default_shell = /bin/bash
#debug_level = 0x0fff
enum_cache_timeout = 3600
entry_negative_timeout = 300
[pam]
#debug_level = 0x0fff
[domain/xxx.com]
#debug_level = 0xffff
timeout = 30
ad_maximum_machine_account_password_age = 0
ignore_group_members = false
ldap_id_mapping = false
cache_credentials = true
enumerate = false
ldap_enumeration_refresh_timeout = 1800
entry_cache_timeout = 3600
refresh_expired_interval = 2700
id_provider = ad
auth_provider = ad
access_provider = permit
chpass_provider = ad
dyndns_update = true
dyndns_refresh_interval = 600
dyndns_update_ptr = true
dyndns_ttl = 3600
case_sensitive = false
ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
krb5_realm = XXXX.COM
krb5_canonicalize = true
krb5_store_password_if_offline = true
krb5_use_kdcinfo = False
krb5_renewable_lifetime = 7d
krb5_lifetime = 24h
krb5_renew_interval = 4h
Jocke