On Mon, 2018-03-12 at 20:36 +0100, Jakub Hrozek wrote:
> > On 12 Mar 2018, at 14:59, Joakim Tjernlund <joakim.tjernl...@infinera.com> wrote:
> >
> > On Sun, 2018-03-11 at 21:38 +0100, Jakub Hrozek wrote:
> > > > On 9 Mar 2018, at 14:45, Joakim Tjernlund <joakim.tjernl...@infinera.com> wrote:
> > > >
> > > > On Fri, 2018-03-09 at 13:28 +0100, Jakub Hrozek wrote:
> > > > > SSSD 1.16.1
> > > > > ===========
> > > > >
> > > > > The SSSD team is proud to announce the release of version 1.16.1 of the
> > > > > System Security Services Daemon.
> > > > >
> > > > > The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
> > > > >
> > > > > RPM packages will be made available for Fedora shortly.
> > > > >
> > > > > Feedback
> > > > > --------
> > > > > Please provide comments, bugs and other feedback
> > > > > via the sssd-devel or sssd-users mailing lists:
> > > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> > > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> > > > >
> > > >
> > > > Did a quick test here and it seems like enumerate = true is
> > > > broken. Is it just me or .. ?
> > >
> > > I don’t know about any bugs around enumeration in 1.16.1. Maybe you found
> > > an issue, but it’s hard to say without more context.
> >
> > OK, thanks.
> > I am a bit pressed for time but I did install 1.16.1 on another machine as
> > well and now I see a pattern:
> > I cleared the sss/db and rebooted, logged in and tested again with good old
> > finger command and it failed, I waited 5-10 mins and finger still failed.
> > Went on lunch and when I got back finger worked!
> >
> > It seems that enumerate can take a very long time?
>
> Yes, but that should be no different from 1.16.0. Do the two versions behave
> differently for you?

Yes, I don't recall 1.16.0 taking that long. One odd thing I noticed:
finger -m <user name> will fail with enumerate=true until the enumeration is done.
With enumerate=false it will always succeed, even after a restart with empty cache.

>
> Did you already check the sssd logs if there is anything interesting there?

No, not yet, don't have the BW to process these ATM.

>
> btw the config file you posted uses enumerate=false, did you revert from true
> because of the issue you are seeing?

Yes, I did revert before sending the config file, sorry for that.

>
> > sssd.conf (minor edits):
> >
> > [sssd]
> > config_file_version = 2
> > domains = xxx.com
> > services = nss, pam
> > #debug_level = 0x0fff
> >
> > [nss]
> > fallback_homedir = /home/%u
> > default_shell = /bin/bash
> > #debug_level = 0x0fff
> > enum_cache_timeout = 3600
> > entry_negative_timeout = 300
> >
> > [pam]
> > #debug_level = 0x0fff
> >
> > [domain/xxx.com]
> > #debug_level = 0xffff
> >
> > timeout = 30
> > ad_maximum_machine_account_password_age = 0
> >
> > ignore_group_members = false
> > ldap_id_mapping = false
> > cache_credentials = true
> > enumerate = false
> > ldap_enumeration_refresh_timeout = 1800
> > entry_cache_timeout = 3600
> > refresh_expired_interval = 2700
> >
> > id_provider = ad
> > auth_provider = ad
> > access_provider = permit
> > chpass_provider = ad
> >
> > dyndns_update = true
> > dyndns_refresh_interval = 600
> > dyndns_update_ptr = true
> > dyndns_ttl = 3600
> > case_sensitive = false
> >
> > ldap_referrals = false
> > ldap_sasl_mech = GSSAPI
> > ldap_schema = rfc2307bis
> >
> > ldap_access_order = expire
> > ldap_account_expire_policy = ad
> > ldap_force_upper_case_realm = true
> >
> > krb5_realm = XXXX.COM
> > krb5_canonicalize = true
> > krb5_store_password_if_offline = true
> > krb5_use_kdcinfo = False
> > krb5_renewable_lifetime = 7d
> > krb5_lifetime = 24h
> > krb5_renew_interval = 4h
> >
> > Jocke

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org