Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1290853
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem: In an IPA to AD trust environment, the AD trusted users stay in the SSSD cache for much longer than expected. Actually, they stay in the cache for a fixed amount of 10 hours, while the IPA users stay for 5400 seconds (by default). The cache expiration options do not affect the trusted users either. In fact, we can see in src/providers/ipa/ipa_s2n_exop.c:

---
    static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
                                        struct req_input *req_input,
                                        struct resp_attrs *attrs,
                                        struct resp_attrs *simple_attrs,
                                        const char *view_name,
                                        struct sysdb_attrs *override_attrs,
                                        bool update_initgr_timeout)
    {
        int ret;
        time_t now;
        uint64_t timeout = 10*60*60; /* FIXME: find a better timeout ! */
---

That, I believe, is causing this issue.
I think we have a long-term and a short-term solution. For the short term we can extend the subdomain_inherit option. But what would be better, and a long-term solution, would be to code up the INI parser so that we can also define configuration for the subdomain.
subdomain_inherit
Fields changed
blockedby: =>
blocking: =>
cc: => mzidek
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
review: True => 0
selected: =>
testsupdated: => 0
Replying to [comment:1 jhrozek]:
long-term solution would be to code up the INI parser so that we can also define configuration for the subdomain.
What does this mean?
Replying to [comment:2 dpal]:
Replying to [comment:1 jhrozek]:
long-term solution would be to code up the INI parser so that we can also define configuration for the subdomain.
What does this mean?
So I'm not sure if INI already has all the smarts but we're not using them, or if INI is still missing some features. But what I was aiming for was:

    [domain/ipa.example.com]
    id_provider=ipa

    [domain/ipa.example.com/ad.example.com]
    entry_cache_timeout = 123
(Or even better, with a drop-in file)
Fields changed
priority: major => minor
Michal, is this something you planned on doing in scope of your 1.14 changes?
owner: somebody => sbose status: new => assigned
The time options are handled a bit differently than other options and are stored in the domain object and not together with the other backend specific options. Luckily the domain object of the configured domain, which has the timeout values as configured in sssd.conf, is copied and only the sub-domain specific attributes like name and SID are replaced and all other values, including the timeouts, are kept. So they are inherited automatically, which is what we want here.
Only if there is a request to allow different timeouts for the different domains we have to think about extending the configuration scheme. Currently I think we are fine.
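To make the two ideas in this thread concrete, here is an added illustration (not SSSD code) of how per-subdomain timeout lookup could work under the `[domain/<parent>/<subdomain>]` section syntax proposed in comment 3, with the parent-to-subdomain inheritance sbose describes: a subdomain section overrides its parent, a subdomain without its own section inherits the parent's value, and the default of 5400 seconds applies when nothing is configured. The sssd.conf content is constructed for the example.

```python
import configparser

DEFAULT_ENTRY_CACHE_TIMEOUT = 5400  # sssd.conf default named in the report

# Constructed sssd.conf using the sub-section syntax proposed in the thread.
# This is an illustration of the proposal, not how SSSD's parser works.
SAMPLE_CONF = """
[sssd]
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
entry_cache_timeout = 7200

[domain/ipa.example.com/ad.example.com]
entry_cache_timeout = 123

[domain/ipa.example.com/other.example.com]
"""


def load_conf(text):
    """Parse sssd.conf-style INI text (no % interpolation, as in sssd.conf)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_timeout(cp, domain, option="entry_cache_timeout"):
    """Resolve 'option' for 'domain' (e.g. 'ipa.example.com/ad.example.com').

    Lookup walks from the most specific section up to the parent domain,
    mirroring the inheritance in the thread: the sub-domain section wins,
    otherwise the parent's value is used, otherwise the built-in default.
    """
    parts = domain.split("/")
    for depth in range(len(parts), 0, -1):
        section = "domain/" + "/".join(parts[:depth])
        if cp.has_section(section) and cp.has_option(section, option):
            return cp.getint(section, option)
    return DEFAULT_ENTRY_CACHE_TIMEOUT


def all_timeouts(cp):
    """Map every configured domain and sub-domain to its effective timeout."""
    names = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    return {name: effective_timeout(cp, name) for name in names}


if __name__ == "__main__":
    for dom, seconds in all_timeouts(load_conf(SAMPLE_CONF)).items():
        print(f"{dom}: entry_cache_timeout={seconds}s")
```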
patch: 0 => 1
We can decide about other releases during our weekly triage.
also pushed to sssd-1-13:
milestone: NEEDS_TRIAGE => SSSD 1.13.4 resolution: => fixed status: assigned => closed
Metadata Update from @jhrozek: - Issue assigned to sbose - Issue set to the milestone: SSSD 1.13.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3940
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.