All,
This new sssd version for RHEL7 (sssd-1.16.5-10.el7_9.11) fixes a bug
we’ve seen in sssd. This bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1984591 . (Thanks, Sumit!)
We’ve verified this bugfix – that it only auto-discovers the expected
domains now, not the extra domains that it shouldn’t discover. So how
best to roll out this new bugfixed sssd version? (We do “no downtime” OS
patching + kernel splicing monthly, so we try to be gentle in our monthly
patching.)
Right now, the following domains have been auto-discovered:
[root@spikeol73canbo yum.repos.d]# sssctl domain-list
amer.company.com
company.com
emea.company.com
apac.company.com
japn.company.com
EMEAICMD.geodll.company.com
geocompany.company.com
EMEAICM.GEOCOMPANY.COMPANY.COM
alienware.com
corp.svcs
perotsystems.net
companyservices.dmz
Beer.Town
production.online.company.com
jp-poclab.companypoc.com
emea-poclab.companypoc.com
oldev.preol.company.com
olqa.preol.company.com
ap-poclab.companypoc.com
[root@spikeol73canbo yum.repos.d]#
Only the top 5 AD domains are good domains that should be discovered.
When I yum upgrade to this new good sssd version, all the above domains are
still cached. Even if I do ‘sssctl cache-expire -E’, these cached bogus
domains still are not cleaned up. If I aggressively clear the sssd cache
as so:
systemctl stop sssd
cd /var/lib/sss
rm -rf db/*
rm -f mc/*
systemctl start sssd
that clears the cache. But that’s pretty invasive to push out as part of
monthly patching.
1. Is there a kinder, gentler way to expire these bogus cached AD
domains? Along the lines of sssctl cache-expire -E or sssctl cache-expire
-d <bogus domain>?
2. If we let this new sssd version sit for 1-2 days, will these bogus
auto-discovered AD domains auto-expire from cache on their own?
Spike
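The post verifies the fix by eyeballing `sssctl domain-list` against the five
domains that should be there. The script below is an added example, not part of
the original message or of the sssd project: it takes an allowlist of expected
domains and a domain listing, and reports any domain that is not on the
allowlist, comparing case-insensitively because the listing mixes
`EMEAICM.GEOCOMPANY.COMPANY.COM` with lowercase names. The sample listing
embedded here is constructed from the post so the script runs offline; on a
host you would pass the output of `sssctl domain-list` instead. The function
names and the allowlist contents are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag domains that sssd reports
# but that are not on the allowlist of domains it should discover.

# Allowlist of expected domains, one per line (the "top 5" from the post).
ALLOWED_DOMAINS="amer.company.com
company.com
emea.company.com
apac.company.com
japn.company.com"

# Constructed sample standing in for `sssctl domain-list` output.
SAMPLE_DOMAIN_LIST="amer.company.com
company.com
EMEA.COMPANY.COM
apac.company.com
japn.company.com
EMEAICMD.geodll.company.com
alienware.com
Beer.Town"

# unexpected_domains ALLOWED LISTED
# Prints every domain in LISTED (newline-separated) that is not present in
# ALLOWED, ignoring case. Blank lines are skipped.
unexpected_domains() {
    awk -v allowed="$1" -v listed="$2" '
        BEGIN {
            n = split(allowed, a, "\n")
            for (i = 1; i <= n; i++)
                if (a[i] != "") ok[tolower(a[i])] = 1
            m = split(listed, l, "\n")
            for (i = 1; i <= m; i++) {
                d = l[i]
                if (d == "") continue
                if (!(tolower(d) in ok)) print d
            }
        }'
}

# check_domains ALLOWED LISTED
# Returns 0 when LISTED contains only allowed domains, 1 otherwise, printing
# the offenders to stderr so the check can gate a post-patch verification.
check_domains() {
    extra=$(unexpected_domains "$1" "$2")
    if [ -n "$extra" ]; then
        printf 'unexpected domains still present:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample (prints the three bogus
# domains and exits non-zero). On a real host, replace the second argument
# with "$(sssctl domain-list)".
check_domains "$ALLOWED_DOMAINS" "$SAMPLE_DOMAIN_LIST"
```

Running the check after the upgrade and again after whatever cache-clearing
step is chosen gives a yes/no answer for each host instead of a manual read of
the list; a non-zero exit is the signal that stale domains are still cached.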