Hi, thanks for the answer. To clarify:
1. "What doesn't work?" => Command "sss_cache -E" on client host... doesn't have impact on possibility to logon with cached credentials. I can login again with debug info: "Authenticated with cached credentials." << which comes from the "pam_verbosity = 3" parameter inside sssd.conf //of course I have disabled both (master and replica) IPA services by "ipactl stop" before testing off-line login.

2. "What are you expecting?" As linux env admin(s) we are going to implement IdM/IPA solution for the "ux" part of our mixed win-linux hosts env. We realized that "SSH key management with local accounts" is... let's say "not scalable" ;-) ...but on the other hand I need to be sure that in case of admin/user account modification or IPA server unavailability => user will not have a possibility to logon (there are some users from AD which should have access to shell and they will be added via IPA<=>AD trust [final step of our deployment]). //I mean that this "off-line logon" is ...expected behavior, but I want to have full control over it. I know that there is no possibility to turn off caching due to the sophisticated architecture of the sssd daemon (https://sssd.io/docs/architecture.html) but, as I described above, we need to know "what is going on under the hood".

3. Is the only solution for that ...removing all files from '/var/lib/sss/db' from each client-host on which a particular user has had access?

Regards,
M.

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Thursday, 7 October 2021 14:51, Rob Crittenden <[email protected]> wrote:

> m57n2 via FreeIPA-users wrote:
> > Hello,
> >
> > I have had set up a test-bed environment consisting of:
> > IPA server [master] - OL8.4
> > IPA server [replica] - OL8.4
> > IPA client1 - OL8.4
> > IPA client2 - OL8.4
> > IPA client3 - Ubuntu20.04LTS
> > //I've installed "master" manually and the rest of hosts via ansible playbooks.
> >
> > All works fine: user created on IPA directory [let's say: "adminux"] can successfully login on clients with SUDO privileges.
> > Now I started to test offline [sssd] login ....and it works [too] fine => user can log into system even though it was disabled on IPA server!
> >
> > I started to tune-up sssd.conf parameters:
> > ------------------------------------------
> > root@cl3:~# vim /etc/sssd/sssd.conf
> > [domain/ux.example.com]
> > id_provider = ipa
> > ipa_server = srv, idm1.ux.example.com
> > ipa_domain = ux.example.com
> > ipa_hostname = cl3.ux.example.com
> > auth_provider = ipa
> > chpass_provider = ipa
> > access_provider = ipa
> > cache_credentials = True
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > dyndns_update = True
> > dyndns_iface = ens33
> > krb5_store_password_if_offline = True
> > entry_cache_timeout = 60
> > account_cache_expiration = 1
> > [sssd]
> > services = nss, pam, ssh, sudo
> > domains = ux.example.com
> > [nss]
> > homedir_substring = /home
> > enum_cache_timeout = 10
> > entry_cache_nowait_percentage = 0
> > [pam]
> > pam_verbosity = 3
> > offline_credentials_expiration = 1
> > [sudo]
> > [sudo]
> > [autofs]
> > [ssh]
> > [pac]
> > [ifp]
> > [secrets]
> > [session_recording]
> > -------------------
> >
> > I was also trying to erase sssd cache with command:
> > #sss_cache -E
> > ...but it doesn't work in my test env!
>
> What doesn't work? What are you expecting?
>
> > I'll appreciate any suggestions "How can I control off-line logon cache in case of user creation, user deletion, user rights change and so on..." ?
>
> If it's offline then the client will not see user creation, deletion, etc because it's offline, right?
>
> rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
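The thread turns on how the sssd.conf settings quoted above (cache_credentials, offline_credentials_expiration, account_cache_expiration, krb5_store_password_if_offline) combine into an offline-logon window. The following is an added example, not code from the thread or from the SSSD project: a small checker that parses an sssd.conf and reports, per domain, whether offline logon is possible at all and for how many days after the last successful login a user who has since been disabled on the server could still log in from the cache. The option semantics (values in days, 0 meaning unlimited, account_cache_expiration required to be >= offline_credentials_expiration) are taken from sssd.conf(5); the embedded configuration is constructed to mirror the values the poster quoted, including the repeated [sudo] header, and is not their real file.

```python
import configparser

# Constructed sample mirroring the settings quoted in the thread (not the poster's real file).
# The duplicated [sudo] section is kept on purpose: sssd tolerates it, so the parser must too.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = ux.example.com

[domain/ux.example.com]
id_provider = ipa
auth_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
entry_cache_timeout = 60
account_cache_expiration = 1

[pam]
pam_verbosity = 3
offline_credentials_expiration = 1

[sudo]
[sudo]
"""


def parse_sssd_conf(text):
    """Parse sssd.conf-style INI text; strict=False tolerates repeated section headers."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # sssd option names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def _is_true(value):
    return value.strip().lower() in ("true", "yes", "1")


def offline_login_policy(text):
    """Return, per [domain/...] section, what the configuration implies for offline logon.

    Semantics assumed from sssd.conf(5):
      cache_credentials (domain, default False): whether password hashes are cached at all
      offline_credentials_expiration ([pam], days, default 0 = never expire)
      account_cache_expiration (domain, days, default 0 = keep forever; must be >= the above)
    """
    cp = parse_sssd_conf(text)
    pam = cp["pam"] if cp.has_section("pam") else {}
    cred_days = int(pam.get("offline_credentials_expiration", "0"))
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        name = section[len("domain/"):]
        caching = _is_true(dom.get("cache_credentials", "False"))
        acct_days = int(dom.get("account_cache_expiration", "0"))
        warnings = []
        max_days = None
        if caching:
            # Offline logon stays possible until the cached credential expires (0 = never)
            # or the account entry is cleaned up (0 = never), whichever comes first.
            limits = [d for d in (cred_days, acct_days) if d > 0]
            max_days = min(limits) if limits else None
            if max_days is None:
                warnings.append("cached credentials never expire: a user disabled on the "
                                "server can log on offline indefinitely")
            if acct_days and cred_days and acct_days < cred_days:
                warnings.append("account_cache_expiration is lower than "
                                "offline_credentials_expiration; sssd.conf(5) requires >=")
            if _is_true(dom.get("krb5_store_password_if_offline", "False")):
                warnings.append("krb5_store_password_if_offline=True: the password is "
                                "retained while offline to request a TGT once back online")
        report[name] = {
            "offline_login_possible": caching,
            "max_offline_days": max_days,
            "warnings": warnings,
        }
    return report


if __name__ == "__main__":
    for domain, policy in offline_login_policy(SAMPLE_SSSD_CONF).items():
        print(domain, policy)
```

Run against the sample, the checker reports that offline logon is possible for ux.example.com with a one-day window, which matches what the thread observes: with cache_credentials = True, disabling the account on the IPA server does not revoke the cached hash on the client, and only the expiration settings (or removing the cache under /var/lib/sss/db, as the poster asks) bound how long the stale credential works. Setting cache_credentials = False is the one configuration that makes the checker report no offline logon at all.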
