[SOLVED] Joined Linux to AD domain - domain group info becomes quickly outdated, SSSD cache needs to be cleared often.
And it worked, the authentication and all. I can specify groups with domain users who can SSH, be sudoers, etc.
However, the group information in the cache becomes outdated very quickly, which means I need to run the command below often to purge the cache and bring in new information. For instance, if I want to run the 'groups' command to view the groups of a certain domain user, the information may be outdated unless I purge the cache:
Code:
sss_cache -E
(could also use a more targeted approach with the command, -E is 'everything').
My question is, how can I get the Linux system to obtain updated group data when it's needed (when the group is checked by the system) without purging the cache?
Thanks. I decided I am going to play with the entry_cache_group_timeout config option. I will update on how it goes.
OK so that did not work... What I tried was (in the sssd.conf file)
Code:
entry_cache_group_timeout = 120
However, a little while later the 'groups' command was again showing incorrect information, so I removed that line.
To my understanding this should have created a 2-min timeout for the group data in cache so that if it's been over 120 seconds since the data was pulled from the LDAP (AD), it should attempt to refresh it. Is my understanding correct?
Now I'm trying to set the overall entry_cache_timeout = 120 just to see if it has an effect. If anyone has experience with this, though, I'd be grateful for the input.
If this works, make the value as large as possible. It can have a performance impact. Don't actually comment out your other options, the second line means leave the rest of your config alone, just add the memcache_timeout option.
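The posts above are working with two different caches: SSSD's own entry cache in the domain section (entry_cache_timeout, entry_cache_group_timeout) and the NSS fast memory cache in the [nss] section (memcache_timeout), which answers 'groups' and 'id' lookups before SSSD is even consulted. A setting placed in the wrong section is silently ignored, and a short entry-cache timeout makes no visible difference until the memory cache entry also expires. The following checker is an added example written for this thread, not code from any of the posters or from the SSSD project. It parses an sssd.conf-style file, flags options in sections where sssd.conf(5) says they have no effect, and reports the effective timeouts for a domain. The two config fragments are constructed for illustration (the domain name example.com is invented); the default values are the ones documented in sssd.conf(5) and sssd-nss(5) at the time of writing and should be treated as assumptions for your version.

```python
import configparser
from typing import Dict, List

# Documented defaults (sssd-nss(5) memcache_timeout, sssd.conf(5) entry_cache_timeout).
# Assumption: check your installed man pages if your SSSD version differs.
DEFAULT_MEMCACHE_TIMEOUT = 300
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400

# Options that are only honoured in a [domain/...] section.
DOMAIN_ONLY = {"entry_cache_timeout", "entry_cache_group_timeout",
               "entry_cache_user_timeout"}
# Options that are only honoured in the [nss] responder section.
NSS_ONLY = {"memcache_timeout"}

# Constructed example 1: the timeout was added to the wrong section, so it does nothing.
MISPLACED_CONF = """
[sssd]
services = nss, pam
domains = example.com
entry_cache_group_timeout = 120

[nss]

[domain/example.com]
id_provider = ad
"""

# Constructed example 2: both caches shortened, each option in its proper section.
FIXED_CONF = """
[sssd]
services = nss, pam
domains = example.com

[nss]
memcache_timeout = 60

[domain/example.com]
id_provider = ad
entry_cache_group_timeout = 120
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; disable interpolation so '%' in values is harmless."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_placement(cp: configparser.ConfigParser) -> List[str]:
    """Return a finding for every cache option that sits in a section where it is ignored."""
    findings = []
    for section in cp.sections():
        is_domain = section.startswith("domain/")
        for key in cp[section]:
            if key in DOMAIN_ONLY and not is_domain:
                findings.append(
                    f"{key} in [{section}] has no effect; it belongs in a [domain/...] section")
            if key in NSS_ONLY and section != "nss":
                findings.append(
                    f"{key} in [{section}] has no effect; it belongs in the [nss] section")
    return findings


def effective_timeouts(cp: configparser.ConfigParser, domain: str) -> Dict[str, int]:
    """Resolve the timeouts that actually apply to group lookups for one domain.

    entry_cache_group_timeout falls back to entry_cache_timeout when unset.
    A lookup can be served from the memory cache for up to memcache_timeout seconds
    and then from an SSSD entry that is itself up to entry_cache_group_timeout old,
    so the sum is the worst-case age of the group list a caller such as 'groups' sees.
    """
    nss = cp["nss"] if cp.has_section("nss") else {}
    memcache = int(nss.get("memcache_timeout", DEFAULT_MEMCACHE_TIMEOUT))
    dom_section = f"domain/{domain}"
    dom = cp[dom_section] if cp.has_section(dom_section) else {}
    entry = int(dom.get("entry_cache_timeout", DEFAULT_ENTRY_CACHE_TIMEOUT))
    group = int(dom.get("entry_cache_group_timeout", entry))
    return {
        "memcache_timeout": memcache,
        "entry_cache_group_timeout": group,
        "worst_case_staleness": memcache + group,
    }


if __name__ == "__main__":
    for label, text in (("misplaced", MISPLACED_CONF), ("fixed", FIXED_CONF)):
        cp = parse_sssd_conf(text)
        print(label, check_placement(cp), effective_timeouts(cp, "example.com"))
```

Run it against a copy of your real /etc/sssd/sssd.conf (the file is root-only, mode 0600) and look at both the findings and the worst-case number: shortening only the domain-side timeout leaves the memory cache's 300-second window in place, and shortening both is what tyler2016's memcache_timeout suggestion targets. Keep the values as large as you can live with, since every expiry is another round trip to the domain controller.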
I'm giving this a try, I'll let you know how it goes.
I'll wait and see if anything acts up again after tyler2016's suggestion.
In the meantime, I noticed something new... I'm not sure if the actual behavior is 'outdated' cache anymore.
Here's why:
I know that a (AD) domain admin account of mine has around two dozen groups. When the issue is occurring (a few times a day, preventing me from logging in via SSH) the 'groups' command for my domain admin account only returns two groups ('domain users' and 'vmadmins'). When the server is pulling data correctly from Active Directory, the group returns my entire set of groups (like I said, two dozen or so). Not sure if that rings any bells.
Hmm. Do you have multiple domain controllers? If so, have you verified they are replicating?
Multiple and they are replicating.
I think I am giving up on this method and I am going to use pbis-open (BeyondTrust) for the domain join, it seems to configure the system more solidly when I do it that way...