Hi
We are using sssd available on RHEL 7 and have a query on purging the sssd cache in case the domain goes offline. We are using just the UID/GID and group membership for users, and netgroups (both LDAP and NIS proxy) in some cases.
As I understand, sss_cache utility only invalidates the records, which marks them expired. Whenever the domain is online, these will be refreshed. But if the domain is offline, those expired records will still be returned as valid.
- Please reconfirm if this understanding is correct
- And if this is correct, then is there a way to purge the records to return users/group queries invalid if domain is offline
Thanks & Regards, Varun Mittal
On (07/03/15 18:56), Varun Mittal3 wrote:
> Hi
> We are using sssd available on RHEL 7 and have a query on purging the sssd cache in case the domain goes offline. We are using just the UID/GID and group membership for users, and netgroups (both LDAP and NIS proxy) in some cases.
> As I understand, the sss_cache utility only invalidates the records, which marks them expired. Whenever the domain is online, these will be refreshed. But if the domain is offline, those expired records will still be returned as valid.
SSSD periodically removes cached expired objects. By default the periodic clean-up task is executed every 3 hours. Details: man sssd-ldap -> ldap_purge_cache_timeout
Entries will not be removed from the sssd cache if the user successfully authenticates and the option "cache_credentials" is enabled. Details: man sssd.conf -> cache_credentials -> offline_credentials_expiration -> offline_failed_login_attempts
The last configuration option you should look at is entry_cache_timeout. The value of this option tells how long a cached entry is valid. Details: man sssd.conf -> entry_cache_timeout
BTW, there is still a chance that an entry can be returned even though it was removed from the sssd cache. The reason is that sssd uses the fast memory cache on the client side and values are cached by default for 300 seconds. Details: man sssd.conf -> memcache_timeout
Could you describe your use case for purging the sssd cache, or could you explain why you need it?
LS
From: Lukas Slebodnik lslebodn@redhat.com
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Date: 03/07/2015 07:14 PM
Subject: Re: [SSSD-users] How to purge sssd cache
Sent by: sssd-users-bounces@lists.fedorahosted.org
> On (07/03/15 18:56), Varun Mittal3 wrote:
> > Hi
> > We are using sssd available on RHEL 7 and have a query on purging the sssd cache in case the domain goes offline. We are using just the UID/GID and group membership for users, and netgroups (both LDAP and NIS proxy) in some cases.
> > As I understand, the sss_cache utility only invalidates the records, which marks them expired. Whenever the domain is online, these will be refreshed. But if the domain is offline, those expired records will still be returned as valid.
> SSSD periodically removes cached expired objects. By default the periodic clean-up task is executed every 3 hours. Details: man sssd-ldap -> ldap_purge_cache_timeout
> Entries will not be removed from the sssd cache if the user successfully authenticates and the option "cache_credentials" is enabled. Details: man sssd.conf -> cache_credentials -> offline_credentials_expiration -> offline_failed_login_attempts
We are not using sssd for authentication. Just UID/GID, group memberships, names and netgroups lookup for NFS use cases
> The last configuration option you should look at is entry_cache_timeout. The value of this option tells how long a cached entry is valid. Details: man sssd.conf -> entry_cache_timeout
> BTW, there is still a chance that an entry can be returned even though it was removed from the sssd cache. The reason is that sssd uses the fast memory cache on the client side and values are cached by default for 300 seconds. Details: man sssd.conf -> memcache_timeout
> Could you describe your use case for purging the sssd cache, or could you explain why you need it?
> LS
Ours is mostly NFS use case where the NFS server will need to resolve names, group members, netgroup etc. And the admin may want to purge some specific entry in case that is modified/removed from the directory server. So the NFS server must immediately delete that entry even if the domain is offline to avoid security issues.
Hi,
On 7 Mar 2015 18:56, "Varun Mittal3" varun.mittal@in.ibm.com wrote:
> Hi
> We are using sssd available on RHEL 7 and have a query on purging the sssd cache in case the domain goes offline.
> We are using just the UID/GID and group membership for users, and netgroups (both LDAP and NIS proxy) in some cases.
> As I understand, the sss_cache utility only invalidates the records, which marks them expired. Whenever the domain is online, these will be refreshed. But if the domain is offline, those expired records will still be returned as valid.
> - Please reconfirm if this understanding is correct
> - And if this is correct, then is there a way to purge the records to return users/group queries invalid if domain is offline
I haven't tried on CentOS 7, but it should be done by doing the steps given below as far as sssd is concerned. This is a manual procedure; if you want an automatic procedure then look into the cache_timeout option in sssd.
1. service sssd stop
2. cd /var/lib/sss/db
3. rm -rf *
4. service sssd start
--
Regards,
Ashishkumar S. Yadav
From: Ashish Yadav gwalashish@gmail.com
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Date: 03/08/2015 09:23 AM
Subject: Re: [SSSD-users] How to purge sssd cache
Sent by: sssd-users-bounces@lists.fedorahosted.org
> Hi,
> On 7 Mar 2015 18:56, "Varun Mittal3" varun.mittal@in.ibm.com wrote:
> > Hi
> > We are using sssd available on RHEL 7 and have a query on purging the sssd cache in case the domain goes offline.
> > We are using just the UID/GID and group membership for users, and netgroups (both LDAP and NIS proxy) in some cases.
> > As I understand, the sss_cache utility only invalidates the records, which marks them expired. Whenever the domain is online, these will be refreshed. But if the domain is offline, those expired records will still be returned as valid.
> > - Please reconfirm if this understanding is correct
> > - And if this is correct, then is there a way to purge the records to return users/group queries invalid if domain is offline
> I haven't tried on CentOS 7, but it should be done by doing the steps given below as far as sssd is concerned. This is a manual procedure; if you want an automatic procedure then look into the cache_timeout option in sssd.
Reading about cache_timeout from the man page, that also looks like it will only mark the records invalid, not purge them.
> 1. service sssd stop
> 2. cd /var/lib/sss/db
> 3. rm -rf *
> 4. service sssd start
Yeah, I tested this on RHEL. This seems to work but then it will purge all the records for any domain. I wouldn't be able to purge a single record with this.
Hi,
On Sun, Mar 8, 2015 at 10:16 AM, Varun Mittal3 varun.mittal@in.ibm.com wrote:
> From: Ashish Yadav gwalashish@gmail.com
> To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
> Date: 03/08/2015 09:23 AM
> Subject: Re: [SSSD-users] How to purge sssd cache
> Sent by: sssd-users-bounces@lists.fedorahosted.org
> > Hi,
> > On 7 Mar 2015 18:56, "Varun Mittal3" varun.mittal@in.ibm.com wrote:
> > > Hi
> > > We are using sssd available on RHEL 7 and have a query on purging the sssd cache in case the domain goes offline.
> > > We are using just the UID/GID and group membership for users, and netgroups (both LDAP and NIS proxy) in some cases.
> > > As I understand, the sss_cache utility only invalidates the records, which marks them expired. Whenever the domain is online, these will be refreshed. But if the domain is offline, those expired records will still be returned as valid.
> > > - Please reconfirm if this understanding is correct
> > > - And if this is correct, then is there a way to purge the records to return users/group queries invalid if domain is offline
> > I haven't tried on CentOS 7, but it should be done by doing the steps given below as far as sssd is concerned. This is a manual procedure; if you want an automatic procedure then look into the cache_timeout option in sssd.
> Reading about cache_timeout from the man page, that also looks like it will only mark the records invalid, not purge them.
> > 1. service sssd stop
> > 2. cd /var/lib/sss/db
> > 3. rm -rf *
> > 4. service sssd start
> Yeah, I tested this on RHEL. This seems to work but then it will purge all the records for any domain. I wouldn't be able to purge a single record with this.
If you have multiple domains then delete the specific domain's file only. All files should contain the domain name in their filename.
--
Regards,
Ashishkumar S. Yadav
On Sun, Mar 08, 2015 at 10:16:51AM +0530, Varun Mittal3 wrote:
> > 1. service sssd stop
> > 2. cd /var/lib/sss/db
> > 3. rm -rf *
> > 4. service sssd start
> Yeah, I tested this on RHEL. This seems to work but then it will purge all the records for any domain. I wouldn't be able to purge a single record with this.
This works, but:
1) Since the cache also stores the password hashes, you lock yourself out of the client if you remove the cache while offline. You might consider just moving the cache instead.
2) As Lukas said, there is a second cache layer since 1.9 that is stored as /var/lib/sss/mc/
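Added example, written for this page and not posted by anyone in the thread: a POSIX shell script that turns the stop / remove / start procedure above into a per-domain operation, follows the last reply's advice to move the cache aside rather than delete it, and also clears the client-side memory cache directory that Lukas and the last reply mention. It assumes that the per-domain on-disk cache file is named cache_<domain>.ldb under /var/lib/sss/db and that the memory cache consists of the files passwd, group and initgroups under /var/lib/sss/mc; the thread only says that the per-domain files carry the domain name, so both names are assumptions. The three variables at the top are overridable so the functions can be exercised against a scratch directory instead of a live host.

```shell
#!/bin/sh
# Added example, not from the thread: purge the on-disk cache of ONE sssd
# domain by moving it aside (so it can be restored if the client turns out
# to be offline) and clear the client-side memory cache, then restart sssd.
#
# Assumptions not stated in the thread:
#   - the per-domain cache file is $SSSD_DB_DIR/cache_<domain>.ldb
#   - the memory cache is the files passwd, group and initgroups in $SSSD_MC_DIR
# SERVICE_CMD=true turns the stop/start into a dry run for testing.

SSSD_DB_DIR="${SSSD_DB_DIR:-/var/lib/sss/db}"
SSSD_MC_DIR="${SSSD_MC_DIR:-/var/lib/sss/mc}"
SERVICE_CMD="${SERVICE_CMD:-service}"

# list_cached_domains: print the name of every domain that has a cache file,
# so an admin with several domains can pick one instead of running "rm -rf *".
list_cached_domains() {
    for f in "$SSSD_DB_DIR"/cache_*.ldb; do
        [ -f "$f" ] || continue          # glob matched nothing
        f=${f##*/cache_}                  # strip directory and "cache_" prefix
        printf '%s\n' "${f%.ldb}"         # strip ".ldb" suffix
    done
}

# clear_memory_cache: remove the fast memory cache files (assumed names);
# sssd recreates them on start, so stale answers from this layer go away
# with the restart instead of lingering for memcache_timeout seconds.
clear_memory_cache() {
    for f in passwd group initgroups; do
        rm -f "$SSSD_MC_DIR/$f"
    done
}

# purge_domain_cache <domain> <backup_dir>
# Returns 1 and changes nothing if the domain has no cache file.
purge_domain_cache() {
    domain="$1"
    backup="$2"
    src="$SSSD_DB_DIR/cache_$domain.ldb"
    if [ ! -f "$src" ]; then
        echo "no cache file for domain '$domain' in $SSSD_DB_DIR" >&2
        return 1
    fi
    mkdir -p "$backup" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    "$SERVICE_CMD" sssd stop || return 1
    # move rather than delete: a moved file can be put back if purging turns
    # out to be wrong while the domain is offline (and the cache also holds
    # the credentials used for offline logins)
    if ! mv "$src" "$backup/cache_$domain.ldb.$stamp"; then
        "$SERVICE_CMD" sssd start
        return 1
    fi
    clear_memory_cache
    "$SERVICE_CMD" sssd start
}

# usage: sh purge_sssd_domain.sh <domain> [backup_dir]
if [ $# -gt 0 ]; then
    purge_domain_cache "$1" "${2:-/var/lib/sss/db.purged}"
fi
```

Run it as root with the domain name from the [domain/...] section of sssd.conf; the other domains' cache files stay in place, and the moved file can be copied back into /var/lib/sss/db (with sssd stopped) if the purge has to be undone.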