LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 09-09-2019, 03:08 PM   #1
tfm217
Joined Linux to AD domain - domain group info becomes quickly outdated, SSSD cache needs to be cleared often.


Hi folks, first-time poster so go easy on me. Appreciate any help.

I recently joined a Linux (Ubuntu VM) to the domain at work using the 'realmd' method:


Code:
realm join domain.local --user USER@DOMAIN.LOCAL --install=/
And it worked, the authentication and all. I can specify groups with domain users who can SSH, be sudoers, etc..


However, the group information becomes very quickly outdated in the cache, which means I need to run the command below a lot to purge the cache and bring in new information. For instance, if I want to run the 'groups' command to view the groups of a certain domain user, the information may be outdated unless I purge the cache:


Code:
sss_cache -E
(could also use a more targeted approach with the command, -E is 'everything').

My question is, how can I get the Linux system to obtain updated group data when it's needed (when the group is checked by the system) without purging the cache?


Here is the sssd.conf file (<Domain> removed):


Code:
[sssd]
domains = Domain.local
config_file_version = 2
services = nss, pam, ssh

[domain/Domain.local]
ad_domain = Domain.local
krb5_realm = Domain.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = ad
ldap_use_tokengroups = false
 
Old 09-10-2019, 10:30 AM   #2
tyler2016
I would do a man sssd.conf and read the section about NSS configuration options. There are all sorts of configuration options related to caching.

Code:
man sssd.conf
 
Old 09-10-2019, 10:49 AM   #3
tfm217
Quote:
Originally Posted by tyler2016
I would do a man sssd.conf and read the section about NSS configuration options. There are all sorts of configuration options related to caching.

Code:
man sssd.conf
Thanks. I decided I am going to play with the entry_cache_group_timeout config option. I will update on how it goes.
 
Old 09-10-2019, 08:10 PM   #4
tfm217
Quote:
Originally Posted by tfm217
Thanks. I decided I am going to play with the entry_cache_group_timeout config option. I will update on how it goes.
OK, so that did not work. What I tried was (in the sssd.conf file):

Code:
entry_cache_group_timeout = 120
However, a little while later, the 'groups' command was again showing incorrect information, so I removed that line.

To my understanding this should have created a 2-min timeout for the group data in cache so that if it's been over 120 seconds since the data was pulled from the LDAP (AD), it should attempt to refresh it. Is my understanding correct?


Stumped.
 
Old 09-12-2019, 03:03 PM   #5
tfm217
Now I'm trying to set the overall entry_cache_timeout = 120 just to see if it has an effect. If anyone has experience with this, though, I'd be grateful for the input.
 
Old 09-13-2019, 09:22 AM   #6
tyler2016
Is nscd running? Are you restarting sssd after each change to the configuration file?
 
Old 09-13-2019, 01:00 PM   #7
tfm217
Quote:
Originally Posted by tyler2016
Is nscd running? Are you restarting sssd after each change to the configuration file?
NSCD does not appear to be installed, but yes, I am restarting sssd every time I change the conf file.
 
Old 09-13-2019, 01:01 PM   #8
tfm217
Despite trying a low timeout value with the entry_cache_timeout, it appears the problem continues.
 
Old 09-16-2019, 05:53 AM   #9
tyler2016
Try this:

Code:
[NSS]
memcache_timeout = 5
#your other options
If this works, make the value as large as possible. It can have a performance impact. Don't actually comment out your other options, the second line means leave the rest of your config alone, just add the memcache_timeout option.

Last edited by tyler2016; 09-16-2019 at 05:54 AM.
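As an added illustration of why lowering only the domain-level group timeout (post #4) behaves differently from adding memcache_timeout under [nss] (post #9): this Python snippet is not from the thread; it parses a constructed sssd.conf modelled on the one posted above and resolves the effective timeouts using the defaults and fallbacks documented in sssd.conf(5). It lowercases section and key names for comparison, an assumption of the example rather than a statement about SSSD's own parser, and the summed worst-case window is the example's own approximation.

```python
"""Effective SSSD cache timeouts from an sssd.conf text (added example)."""
import re
# Defaults from sssd.conf(5); the domain entry cache and the [nss]
# in-memory cache (memcache) are independent layers.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400  # seconds
DEFAULT_MEMCACHE_TIMEOUT = 300      # seconds, [nss] section

def parse_sssd_conf(text):
    """Minimal INI parser -> {section: {key: value}}. Section and key
    names are lowercased here (an assumption made for comparison only)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def effective_timeouts(text, domain):
    """entry_cache_group_timeout inherits entry_cache_timeout (default 5400);
    memcache_timeout comes from [nss] and ignores domain-level timeouts."""
    conf = parse_sssd_conf(text)
    dom = conf.get("domain/" + domain.lower(), {})
    entry = int(dom.get("entry_cache_timeout", DEFAULT_ENTRY_CACHE_TIMEOUT))
    group = int(dom.get("entry_cache_group_timeout", entry))
    nss = conf.get("nss", {})
    memcache = int(nss.get("memcache_timeout", DEFAULT_MEMCACHE_TIMEOUT))
    # Assumption: a group record just refreshed into the entry cache can still
    # be served from memcache for memcache_timeout seconds, so windows add.
    return {"entry_cache_group_timeout": group,
            "memcache_timeout": memcache,
            "worst_case_group_staleness": group + memcache}

# Constructed samples modelled on the thread: post #4 lowered only the
# domain-level group timeout; post #9 adds memcache_timeout under [nss].
CONF_POST4 = """[sssd]
domains = Domain.local
services = nss, pam, ssh
[domain/Domain.local]
id_provider = ad
entry_cache_group_timeout = 120
"""
CONF_POST9 = CONF_POST4 + "\n[nss]\nmemcache_timeout = 5\n"
```

With the post #4 configuration the [nss] memcache still serves group records for its default 300 seconds, so a 120-second entry-cache timeout alone cannot guarantee fresher answers from `groups`.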
 
Old 09-16-2019, 03:57 PM   #10
tfm217
Quote:
Originally Posted by tyler2016
Try this:

Code:
[NSS]
memcache_timeout = 5
#your other options
If this works, make the value as large as possible. It can have a performance impact. Don't actually comment out your other options, the second line means leave the rest of your config alone, just add the memcache_timeout option.

I'm giving this a try, I'll let you know how it goes.
 
Old 09-16-2019, 04:07 PM   #11
tfm217
I'll wait and see if anything acts up again after tyler2016's suggestion.

In the meantime, I noticed something new... I'm not sure if the actual behavior is 'outdated' cache anymore.

Here's why:

I know that a (AD) domain admin account of mine has around two dozen groups. When the issue is occurring (a few times a day, preventing me from logging in via SSH) the 'groups' command for my domain admin account only returns two groups ('domain users' and 'vmadmins'). When the server is pulling data correctly from Active Directory, the group returns my entire set of groups (like I said, two dozen or so). Not sure if that rings any bells.

This is the 'groups' command I'm executing:

Quote:
groups domain_admin_username
 
Old 09-17-2019, 05:07 AM   #12
tyler2016
Hmm. Do you have multiple domain controllers? If so, have you verified they are replicating?
 
Old 09-21-2019, 08:50 AM   #13
tfm217
Quote:
Originally Posted by tyler2016
Hmm. Do you have multiple domain controllers? If so, have you verified they are replicating?
Multiple and they are replicating.

I think I am giving up on this method and I am going to use pbis-open (BeyondTrust) for the domain join, it seems to configure the system more solidly when I do it that way...

I appreciate everyone's input.
 
  

