[Freeipa-users] SSS problems with eDirectory

Simo Sorce ssorce at redhat.com
Thu Jul 22 15:59:33 UTC 2010


On Thu, 22 Jul 2010 11:10:25 -0400
Scott Duckworth <sduckwo at clemson.edu> wrote:

> I removed all files from /var/lib/sss/db/ and restarted sssd.  Same
> behavior.  nscd is disabled, so I don't think it's caching at any
> level.
> 
> Here is what I ran:
> 
> [root@duck2 ~]# getent passwd sduckwo
> sduckwo:*:45265:10000:Scott Duckworth:/home/sduckwo:/bin/bash
> [root@duck2 ~]# groups sduckwo
> sduckwo : cuuser
> [root@duck2 ~]# getent group coes_socunix
> coes_socunix:*:120105:sduckwo

When enumeration is disabled this is the normal behavior.
You will see only users/groups that have been fetched. Generally at
login time because of the initgroups call.
I.e. a user will always have correct memberships, but groups may not
show all user members they truly have in the LDAP server.

If you require perfect representation you will have to turn on
enumeration. This will eventually show up all the memberships although
on the first startup it may take a while to show all groups, until they
have all been downloaded and cached.
Changes to group memberships may also take some time to show as
enumerations are scheduled periodically and results cached.

Of course, when a user logs in its information (including its group
membership) is refreshed and validated, so at login time the membership
is correctly updated for that user across all its groups.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
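
The thread contrasts two lookup paths: the user-side group list (initgroups, as shown by `groups`/`id`) and the member list stored on each group entry. The following shell sketch is an added example, not part of either message and not SSSD code; it reports where those two views disagree for one user. The function names are hypothetical, and the `cuuser` group line in the demo is constructed.

```shell
#!/bin/sh
# Added example: compare_views, check_user and demo_from_post are
# hypothetical helpers, not part of SSSD.

# compare_views USER PRIMARY_GID USER_SIDE GROUP_SIDE
#   USER_SIDE  : space-separated group names, as printed by `id -Gn USER`
#   GROUP_SIDE : group(5) lines, as printed by `getent group NAME...`
# Prints one line per disagreement between the two views:
#   group-only NAME  the group lists USER, but the user-side lookup lacks NAME
#   user-only NAME   the user-side lookup has NAME, but the group omits USER
# The primary group is skipped: its member field normally omits the user.
compare_views() {
    printf '%s\n' "$4" | awk -F: -v user="$1" -v pgid="$2" -v names="$3" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NF < 4 || $3 == pgid { next }
        {
            listed = 0
            m = split($4, mem, ",")
            for (i = 1; i <= m; i++) if (mem[i] == user) listed = 1
            if (listed && !($1 in want)) print "group-only " $1
            if (!listed && ($1 in want)) print "user-only " $1
        }'
}

# check_user USER [EXTRA_GROUP...]: run the comparison against the live NSS
# databases. Assumes group names contain no spaces.
check_user() {
    cu_user=$1; shift
    cu_names=$(id -Gn "$cu_user") || return 1
    # Unquoted on purpose: each group name becomes one getent key.
    cu_db=$(getent group $cu_names "$@")
    compare_views "$cu_user" "$(id -g "$cu_user")" "$cu_names" "$cu_db"
}

# Values from the session quoted above; the cuuser line is constructed.
demo_from_post() {
    compare_views sduckwo 10000 "cuuser" 'coes_socunix:*:120105:sduckwo
cuuser:*:10000:'
}
```

Running `check_user sduckwo coes_socunix` on a client queries the live databases; any output line marks a group where a tool reading group member lists and a tool reading the user's group list would reach different answers.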



