On 04/18/2013 11:30 AM, John Hodrien wrote:
> On Thu, 18 Apr 2013, steve wrote:
>
>> Having the user login has no effect. getent still shows him as memberOf (he appears alongside his now primary group and not, as should happen, alongside his secondary group).
>
> Perhaps I was misunderstanding. I thought you were changing a user's primary group, and weren't seeing that updated. I'd expect you to have to wait for the
> cache to clear, or do:
>
> sss_cache -u thatuser
>
> Maybe I was misunderstanding what you're trying to do.
>
> Can I just query one thing? Why on earth are you changing user attributes
> for users so frequently?
>
>> Yes. Thanks. We have to justify from winbind, nslcd or sssd for a situation where 600 users can login to any one of around 80 machines in a Samba4 domain. Adding/removing a user to a group is quite common. This is not recognised on the clients unless root intervenes: Impossible! Less common, but common enough in our environment is moving a user's home directory.
>
> It's not recognised on the clients until the cache expires, but I don't see how that can not be the case. This'd also be the case with windows, where the user's PAC will be used to verify group membership, which often means forcing
> a user to log off and back on again to update group membership.
>
>> We've eliminated winbind and are left with nslcd which is time consuming to implement (but which passes all the tests), and sssd with its point and click configuration. We'd really like to go with sssd but we have to prove in a test lab that what we do will be covered. We simply have to maintain the domain centrally. We cannot visit 80 clients every time a change is made.
>
> Group membership changes propagate in our environment just fine within a
> reasonable period of time. What should we be talking by default, 5 minutes?

Hi
OK. I've just removed a user from a group and logged in as that user. After 30 minutes id, getent and tests on what he can access still show him to be a member. That's too long.

Could you do me a big favour and have a look at our client conf?

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
ldap_schema = rfc2307bis
access_provider = simple
enumerate = FALSE
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = DOLORES.SITE
krb5_server = doloresdc.dolores.site
krb5_kpasswd = doloresdc.dolores.site

ldap_uri = ldap://doloresdc.dolores.site
ldap_search_base = dc=dolores,dc=site
#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=dolores,dc=site
ldap_group_name = cn
ldap_group_member = member
ldap_user_search_filter = (&(objectCategory=User)(uidNumber=*))

ldap_sasl_mech = gssapi
ldap_sasl_authid = ALGORFA$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true

Cheers
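An added example, not part of the thread: a small POSIX sh script that compares the group list sssd answers for a user (`id -Gn`) with the list the directory holds, and expires the stale cached entries with sss_cache instead of waiting for entry_cache_timeout. It assumes the sssd.conf above and that the directory-side list is supplied by the caller (for instance from ldapsearch), so the comparison itself runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: compare the groups sssd reports for a
# user with the groups the directory holds and expire the stale cache entries.
# Assumptions: the sssd.conf above, and that the caller obtains the directory's
# group list separately (e.g. with ldapsearch), so the comparison runs offline.

# Print every group named in list $2 that is absent from list $1.
# Lists are whitespace-separated, as `id -Gn` prints them.
stale_groups() {
    for g in $2; do
        case " $1 " in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# Expire the cached entries for a user and for each group passed after it, so
# the next lookup goes to LDAP instead of waiting for entry_cache_timeout
# (5400 seconds unless overridden in the [domain] section).
refresh_user() {
    user=$1; shift
    sss_cache -u "$user" || return 1
    for g in "$@"; do
        sss_cache -g "$g" || return 1
    done
}

# $1 = user, $2 = the directory's group list for that user.
# Compares it with what sssd answers and refreshes the cache on any drift.
check_and_refresh() {
    user=$1; dir_groups=$2
    sss_groups=$(id -Gn "$user") || return 1
    added=$(stale_groups "$sss_groups" "$dir_groups")     # in directory, not via sssd
    removed=$(stale_groups "$dir_groups" "$sss_groups")   # via sssd, gone from directory
    if [ -z "$added" ] && [ -z "$removed" ]; then
        echo "$user: sssd view matches the directory"
        return 0
    fi
    [ -n "$added" ]   && echo "$user: not yet visible through sssd: $added"
    [ -n "$removed" ] && echo "$user: still cached but removed: $removed"
    refresh_user "$user" $added $removed
}

# Example call on a domain member (constructed group list, not run here):
# check_and_refresh steve "staff printing"
```

Expiring the entries only affects new lookups: a user who is already logged in keeps the supplementary groups assigned at login until they log out and back in, as John notes above.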

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel