m57n2 via FreeIPA-users wrote:
> Hello,
> I have set up a test-bed environment consisting of:
>
> IPA server [master] - OL8.4
> IPA server [replica] - OL8.4
> IPA client1 - OL8.4
> IPA client2 - OL8.4
> IPA client3 - Ubuntu20.04LTS
>
> //I've installed "master" manually and the rest of hosts via ansible
> playbooks.
> All works fine: user created on IPA directory [let's say: "adminux"] can
> successfully login on clients with SUDO privileges.
>
> Now I started to test offline [sssd] login ....and it works [too] fine =>
> user can log into system even though it was disabled on IPA server!
>
> I started to tune-up sssd.conf parameters:
> ------------------------------------------------------
> root@cl3:~# vim /etc/sssd/sssd.conf
>
> [domain/ux.example.com]
>
> id_provider = ipa
> ipa_server = _srv_, idm1.ux.example.com
> ipa_domain = ux.example.com
> ipa_hostname = cl3.ux.example.com
> auth_provider = ipa
> chpass_provider = ipa
> access_provider = ipa
> cache_credentials = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> dyndns_update = True
> dyndns_iface = ens33
> krb5_store_password_if_offline = True
>
> entry_cache_timeout = 60
> account_cache_expiration = 1
>
> [sssd]
> services = nss, pam, ssh, sudo
> domains = ux.example.com
>
> [nss]
> homedir_substring = /home
> enum_cache_timeout = 10
> entry_cache_nowait_percentage = 0
>
> [pam]
> pam_verbosity = 3
> offline_credentials_expiration = 1
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> [secrets]
>
> [session_recording]
> --------------------------------------------------
>
> I was also trying to erase sssd cache with command:
>
> #sss_cache -E
>
> ...but it doesn't work in my test env!
What doesn't work? What are you expecting?

> I'll appreciate any suggestions "How can I control _off-line logon
> cache_ in case of user creation, user deletion, user rights change and
> so on..." ?

If it's offline then the client will not see user creation, deletion, etc because it's offline, right?

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
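As an added illustration (not code from this thread, from sssd or from FreeIPA), a small Python check that parses an sssd.conf like the one quoted above and reports, per domain, whether offline logins from the local cache are possible and how long cached credentials persist. The sample config is constructed to mirror the thread's settings; the defaults are the documented sssd.conf defaults (days for the two expiration options, 0 meaning never expire).

```python
import configparser

# Constructed sssd.conf fragment mirroring the options quoted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = ux.example.com

[domain/ux.example.com]
id_provider = ipa
cache_credentials = True
entry_cache_timeout = 60
account_cache_expiration = 1

[pam]
offline_credentials_expiration = 1
"""
# sssd defaults per man sssd.conf: the two *_expiration values are in days
# and 0 means "never expire"; entry_cache_timeout is in seconds.
DEFAULTS = {
    "cache_credentials": "False",
    "offline_credentials_expiration": "0",
    "account_cache_expiration": "0",
    "entry_cache_timeout": "5400",
}

def offline_login_posture(text):
    """Per domain: can a user still log in from the local cache while the
    client is offline, and how long the cached credentials/account persist."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    pam = cp["pam"] if cp.has_section("pam") else {}
    cred_days = int(pam.get("offline_credentials_expiration", DEFAULTS["offline_credentials_expiration"]))
    result = {}
    for dom in (d.strip() for d in sssd.get("domains", "").split(",") if d.strip()):
        sec = cp[f"domain/{dom}"] if cp.has_section(f"domain/{dom}") else {}
        cached = sec.get("cache_credentials", DEFAULTS["cache_credentials"]).strip().lower() == "true"
        acct_days = int(sec.get("account_cache_expiration", DEFAULTS["account_cache_expiration"]))
        result[dom] = {
            "offline_login_possible": cached,
            "cached_password_expires_days": None if cred_days == 0 else cred_days,
            "cached_account_expires_days": None if acct_days == 0 else acct_days,
            "entry_cache_timeout_seconds": int(sec.get("entry_cache_timeout", DEFAULTS["entry_cache_timeout"])),
            # Offline, the client never learns the account was disabled, so with
            # no expiration the cached login keeps working indefinitely.
            "unbounded_offline_access": cached and cred_days == 0 and acct_days == 0,
        }
    return result
```

With the thread's values the cached password and account both expire after one day; with only cache_credentials = True and the defaults left in place, the check flags unbounded offline access.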
