Notice: I sent this email to the list using another mail address, which I believe was not verified properly. If this email is properly sent to the list you can disregard moderating the message.

Hello

I'm setting up a single sign-on solution for about 1200 servers. The situation, as it seems, is that we are setting up all users in a Windows 2008 R2 Active Directory, adding proper Unix permissions. A user with proper privileges to read Active Directory is being used by sssd to read which users are allowed in and not. If the users do not have a home directory, it is created automatically. So what's the issue here? Access to the system does not happen instantaneously, and I believe it's because sssd is polling Active Directory every 120 seconds. It seems as if it has issues retaining its state, and it is just as if it would lose its local database. I would like users to be able to log in directly after a user is added to Active Directory. Is this possible, and how could this be achieved?

Versions being used: Debian 7.4


ii  sssd                               1.8.4-2                       amd64        System Security Services Daemon
ii  sssd-tools                         1.8.4-2                       amd64        System Security Services Daemon -- tools


config:
--

[sssd]
config_file_version = 2
domains = int.home.local
services = nss, pam
debug_level = 0

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/int.home.local]
# Unless you know you need referrals, turn them off
ldap_referrals = false
# Uncomment if you need offline logins
cache_credentials = true
enumerate = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if service discovery is not working
ldap_uri = ldap://win-04vje0onhci.int.home.local

# Comment out if not using SASL/GSSAPI to bind
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = nfs/client.ad.example.com@AD.EXAMPLE.COM

# Define these only if anonymous binds are not allowed and no keytab is available
# Enabling use_start_tls is very important, otherwise the bind password is transmitted
# over the network in the clear
#ldap_id_use_start_tls = True
ldap_default_bind_dn = CN=test,CN=Users,DC=int,DC=home,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword

ldap_schema = rfc2307bis

ldap_user_search_base = CN=Users,DC=int,DC=home,DC=local
ldap_user_object_class = user

ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName

ldap_group_search_base = CN=Builtin,DC=int,DC=home,DC=local
#ldap_group_search_base = ou=group,dc=int,dc=home,dc=local
ldap_group_object_class = group

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = win-04vje0onhci.int.home.local
krb5_realm = int.home.local

# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false

# Perhaps you need to redirect to certain attributes?
# ldap_user_object_class = user
# ldap_user_name = sAMAccountName
# ldap_user_uid_number = msSFU30UidNumber
# ldap_user_gid_number = msSFU30GidNumber
# ldap_user_gecos = displayName
# ldap_user_home_directory = msSFU30HomeDirectory
# ldap_user_shell = msSFU30LoginShell
# ldap_user_principal = userPrincipalName
# ldap_group_object_class = group
# ldap_group_name = cn
# ldap_group_gid_number = msSFU30GidNumber

--
Kind Regards / Best Regards
Paul Liljenberg
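Added worked example (my own script, not part of Paul's mail and not SSSD project code): a small POSIX sh checker that reads an sssd.conf of the shape posted above and reports the three cache timeouts that bound how long a freshly created AD account can stay invisible on a client, and also flags the two exposure points the config's own comments warn about, a bind password sent over plain ldap:// without start-TLS and a config file readable by non-root users. The defaults it fills in (entry_cache_timeout 5400 s, entry_negative_timeout 15 s, ldap_enumeration_refresh_timeout 300 s) are the ones documented in sssd.conf(5) and sssd-ldap(5); I assume the Debian 7 sssd 1.8.4 build uses them unchanged. The section name `domain/int.home.local` and the sample config in the usage are taken from the mail; everything else is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail: inspect an sssd.conf for the
# settings that govern how quickly new AD accounts appear, and for the
# bind-credential exposure the config comments warn about.

# sssd_conf_get FILE SECTION KEY
# Print the value of KEY inside [SECTION]. Comment lines are skipped, so a
# commented-out "#ldap_id_use_start_tls = True" correctly counts as unset.
sssd_conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ {
            s = $0
            sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            insec = (s == want); next
        }
        insec && $0 !~ /^[ \t]*#/ {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# sssd_cache_report FILE SECTION
# Print the effective cache settings, filling in the defaults documented in
# sssd.conf(5) / sssd-ldap(5) (assumed valid for sssd 1.8.4). A user entry is
# served from the local cache for entry_cache_timeout seconds, a failed lookup
# is remembered for entry_negative_timeout seconds, and with enumerate=true the
# full user list is refreshed every ldap_enumeration_refresh_timeout seconds.
sssd_cache_report() {
    ect=$(sssd_conf_get "$1" "$2" entry_cache_timeout)
    neg=$(sssd_conf_get "$1" "$2" entry_negative_timeout)
    enu=$(sssd_conf_get "$1" "$2" enumerate)
    ref=$(sssd_conf_get "$1" "$2" ldap_enumeration_refresh_timeout)
    printf 'entry_cache_timeout=%s\n' "${ect:-5400}"
    printf 'entry_negative_timeout=%s\n' "${neg:-15}"
    printf 'enumerate=%s\n' "${enu:-false}"
    printf 'ldap_enumeration_refresh_timeout=%s\n' "${ref:-300}"
}

# sssd_bind_check FILE SECTION
# Return 0 when the id-provider bind is protected, 1 when a bind password is
# configured but the connection is plain ldap:// with start-TLS not enabled.
sssd_bind_check() {
    tok=$(sssd_conf_get "$1" "$2" ldap_default_authtok)
    [ -z "$tok" ] && return 0
    uri=$(sssd_conf_get "$1" "$2" ldap_uri)
    tls=$(sssd_conf_get "$1" "$2" ldap_id_use_start_tls)
    case "$uri" in ldaps://*) return 0 ;; esac
    case "$tls" in [Tt]rue|[Yy]es|1) return 0 ;; esac
    echo "WARNING: ldap_default_authtok is set but [$2] binds over ${uri:-ldap (discovered)} without start-TLS" >&2
    return 1
}

# sssd_conf_perms FILE
# Return 0 when only the owner can read the file (a file holding a bind
# password should be mode 0600, owned by root), 1 otherwise.
sssd_conf_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Usage: sh sssd_check.sh /etc/sssd/sssd.conf [domain-name]
if [ -n "${1:-}" ]; then
    sssd_cache_report "$1" "domain/${2:-int.home.local}"
    sssd_conf_perms "$1" || echo "WARNING: $1 is readable by users other than its owner" >&2
    sssd_bind_check "$1" "domain/${2:-int.home.local}"
fi
```

Run against the posted config, the report shows the defaults in force (no entry_cache_timeout is set, enumerate is true), the bind check warns because ldap_default_authtok is set while ldap_id_use_start_tls is commented out and ldap_uri is plain ldap://, and the permission check warns if the file is world-readable. To force an immediate refresh on a client after an account is created, sss_cache(8) from the installed sssd-tools package (I assume the 1.8.4 package ships it) invalidates the local cache with `sss_cache -E`, or a single user with `sss_cache -u <name>`.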