Hello,
I'm using sssd-2.2.3 on CentOS 8.2.2004 with an ldap (actually the ldap exposed by an Active Directory server) backend.
This works fine but I'm having a hard time trying to figure out how the different caches actually work. I've read about the different *cache* directives in sssd.conf(5).
I'm trying to understand what exactly happens when I:
- add a group membership for a user in the ldap directory
- then test different combinations of 'id' or 'id <user>' commands
and open (or not) a new shell (via ssh), regarding the delay for the new membership to appear (or not?) on the client.
# My setup:
- 2 domains are defined but only one is used:
  domains = foo_home
- auth provider is ldap with the AD schema:
  auth_provider = ldap
  ldap_schema = AD
- initially, no *cache* directive is present
- on CentOS 8.2 nsswitch is configured with sss first:
  passwd: sss files systemd
  group: sss files systemd
# My understanding is that (but I might be wrong):
1) there's caching of user/group resolutions somewhere else (glibc? shell?) than sssd
2) running 'id' is different from running 'id <user>' (as with the latter there is name resolution involved?)
3) sssd.conf directives I might be interested in tweaking in my case are the domain-scope ones below:
  entry_cache_timeout
  entry_cache_user_timeout
  entry_cache_group_timeout
but mostly entry_cache_user_timeout.
So I added, as a test:
  entry_cache_user_timeout = 5
# What I experience
I'm starting with a new sssd instance without cache:
  # sss_cache -E
  # systemctl stop sssd
  # sss_cache -E
  # rm /var/lib/sss/db/*
  # systemctl start sssd
Note: I'm not sure if sss_cache acts upon an offline sssd.
1) shell A, logged in as user foo: id | grep -i 'new_group' or id foo | grep -i 'new_group' does not match anything
2) add 'foo' into 'new_group' on the ldap backend
3)
  a) test 1
  after 5 minutes:
  - shell A: id foo | grep -i 'new_group' shows the new group membership
  - but shell A: id | grep -i 'new-group' still does not match anything
  b) test 2
  user foo logs into shell B:
  - in shell B: id | grep -i 'new_group' and id foo | grep -i 'new_group' *both* show the new membership
  - in shell A: id | grep -i 'new_group' still does not show the new membership, but id foo | grep -i 'new_group' does
Can you help me explain what exactly is going on and which cache(s) is/are involved in each case?
Thanks for your help
--
Thomas HUMMEL
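An added example (my own code, not from the post or the sssd project) illustrating the two things the question separates: it resolves the effective entry_cache_*_timeout values (in seconds) from a constructed sssd.conf like the one described, and it compares the supplementary groups a running shell received at login (what plain `id` reports) with a fresh NSS lookup (what `id <user>` triggers). The function names and the sample config are my own assumptions.

```python
import configparser
import os
import pwd

# Documented default for entry_cache_timeout in sssd.conf(5); the per-type
# entry_cache_<type>_timeout options fall back to it when unset.  All values
# are seconds, so "entry_cache_user_timeout = 5" is 5 s, not 5 minutes.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
OBJECT_TYPES = ("user", "group", "netgroup", "service")


def effective_cache_timeouts(sssd_conf_text, domain):
    """Return the effective entry-cache timeout (seconds) per object type
    for [domain/<domain>], applying the documented fallback chain."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    section = f"domain/{domain}"
    base = cfg.getint(section, "entry_cache_timeout",
                      fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
    return {t: cfg.getint(section, f"entry_cache_{t}_timeout", fallback=base)
            for t in OBJECT_TYPES}


def stale_process_groups(process_gids, nss_gids):
    """Plain `id` prints the supplementary groups attached to the process at
    login; `id <user>` asks NSS (here sssd) afresh.  Return (missing, extra):
    gids NSS now reports that this shell lacks, and gids only the shell has."""
    proc, nss = set(process_gids), set(nss_gids)
    return sorted(nss - proc), sorted(proc - nss)


def compare_current_user():
    """Live comparison for the calling user: what shell A's `id` and
    `id foo` would disagree on after a membership change."""
    pw = pwd.getpwuid(os.getuid())
    nss_gids = os.getgrouplist(pw.pw_name, pw.pw_gid)  # fresh NSS query
    return stale_process_groups(os.getgroups(), nss_gids)


# Constructed sssd.conf mirroring the post's setup (not a real config file).
SAMPLE_CONF = """
[sssd]
domains = foo_home

[domain/foo_home]
auth_provider = ldap
ldap_schema = AD
entry_cache_user_timeout = 5
"""

if __name__ == "__main__":
    print(effective_cache_timeouts(SAMPLE_CONF, "foo_home"))
    missing, extra = compare_current_user()
    print("groups NSS knows but this shell's credentials lack:", missing)
```

A new login (shell B) rebuilds the process credentials via initgroups, which is why only a fresh session picks up the membership that `id <user>` already shows.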