On Sun, Oct 10, 2021 at 06:25:08PM -0400, James Ralston wrote:
> For our on-site Linux machines, we use the sssd-ad provider to both
> map users/groups from Active Directory, and to authenticate users via
> Kerberos.  It works fantastically well, to the point where we have
> absolutely no desire to go back to maintaining local users/groups in
> /etc/passwd and /etc/group (respectively).
> 
> We are contemplating offering remote Linux laptops to our users.  But
> our InfoSec team is adamant that our AD DCs must not be reachable from
> the Internet at large.  So unless the owner of the laptop logs in to
> the laptop locally and then connects to our VPN, the laptop will have
> no access to Active Directory, and therefore sssd will be in offline
> mode.
> 
> We are wondering whether it would be feasible to set the various sssd
> caches to have long values (e.g. 180 days) so that as long as the user
> fires up the laptop and connects to the VPN once every 180 days, they
> will still be able to log in (using their cached password) and
> getpwnam/getpwuid/getgrnam/getgrgid will still work for their
> uids/gids (because sssd will return the values it cached from the last
> time it was able to reach the AD DCs).
> 
> It’s not clear to us how we would implement this.  We could adjust
> various timeouts; e.g., from:
> 
>     entry_cache_timeout = 5400
>     cache_credentials = FALSE
> 
> To:
> 
>     entry_cache_timeout = 7776000
>     cache_credentials = TRUE
> 
> …but I don’t think this is going to do what we want.  We only want
> sssd to keep entries in the cache for 90 days when it is offline.  If
> sssd comes back online (because the user connected to the VPN and thus
> AD is reachable again), we want AD to refresh any cached entries that
> are older than 90 minutes.
> 
> So, what we really want is an option for sssd that essentially says,
> “You are frequently going to be operating in offline mode, so only
> kick things out of the cache when you are in online mode, because

Hi,

SSSD does not "kick things out of the cache" when in offline mode. So
with the default setting you can run in offline mode as long as you
want. Cached entries can expire and then SSSD will try to refresh them.
Since they cannot be refreshed when offline, SSSD will keep using them.
Cached entries are only removed if they cannot be found on the server
anymore, which of course only works when online.

The only item you can configure here is how long the cached password
hash should be used with the 'offline_credentials_expiration' option. By
default there is no limit.

HTH

bye,
Sumit

> otherwise there’s a good chance that the user won’t be able to log in
> to fire up the VPN so that you can switch to online mode.”
> 
> Has anyone attempted running sssd in a mostly-offline environment like
> this?  If so, how well does it work, and what settings are you using?
> 
> Thanks!
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
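As an added example (not part of the thread, and not configuration from either poster), here is a laptop-oriented sssd.conf fragment that applies what Sumit describes: `entry_cache_timeout` stays at its default, `cache_credentials` is turned on so a successful password login is cached, and `offline_credentials_expiration` in the `[pam]` section bounds how long that cached hash is honoured. The domain name and the failed-login throttling values are placeholders chosen for illustration.

```ini
# Added example, not from the thread. "example.com" is a placeholder
# for the AD domain the laptop was joined to.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
# Keep the default entry cache lifetime (90 minutes). Expired entries are
# refreshed only when a DC is reachable; while offline SSSD keeps serving
# the last values it cached, so no 180-day value is needed here.
entry_cache_timeout = 5400
# Store the hash of a successful password login so the user can still
# authenticate when no DC is reachable (e.g. before the VPN is up).
cache_credentials = True

[pam]
# Days after which a cached credential is no longer accepted for offline
# login. 0 (the default) means no limit; 180 matches the thread's target.
offline_credentials_expiration = 180
# Illustrative values: limit offline guessing against the cached hash by
# locking the cached entry after N failures for the given number of minutes.
offline_failed_login_attempts = 5
offline_failed_login_delay = 5
```

On a joined machine, `sssctl domain-status example.com` reports whether the domain is currently online or offline, which is a quick way to confirm that the laptop has fallen back to cached data after losing the VPN.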