Hi Everyone, I've been tweaking sssd.conf configs on the masters and clients in my AlmaLinux 9 IdM domain (it's in a trust with AD, too). Sometimes it's easy to tell when a particular option belongs on the master or on the client or on both. Most of the time though, I don't know for sure when to put a parameter in the masters' sssd.conf instead of in the client's. The man page for sssd.conf doesn't usually make it clear either.
For example, I'm playing around with the cache timeouts. I've done the tweaks on the client side since the cache is local to the client. Thus, I figured setting the timeouts on the client is appropriate. However, I still wonder: if the same settings were on the masters instead, wouldn't the masters then return results much faster to the client? Here's what one Ubuntu 20 client's sssd.conf looks like right now:

[domain/idm.tld.com]
id_provider = ipa
dns_discovery_domain = idm.tld.com
ipa_server = _srv_, p1idma01.idm.tld.com
ipa_domain = idm.tld.com
ipa_hostname = gitlab.tld.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
pwd_expiration_warning = 14
selinux_provider = none
lookup_family_order = ipv4_only
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
ipa_automount_location = ala

[domain/idm.tld.com/corp.ad.tld.com]
ad_site = ala

[domain/corp.ad.tld.com]
entry_cache_timeout = 43200
entry_cache_service_timeout = 5400
entry_cache_computer_timeout = 5400
lookup_family_order = ipv4_only

[sssd]
domains = idm.tld.com
default_domain_suffix = corp.ad.tld.com

[nss]
cache_first = True
default_shell = /bin/bash
enum_cache_timeout = 3600
entry_negative_timeout = 360
memcache_timeout = 3600

[pam]
cache_first = True

[sudo]
cache_first = True

[autofs]
cache_first = True
autofs_negative_timeout = 3600

[ssh]

[pac]
cache_first = True
pac_lifetime = 3600

[ifp]

[secrets]

[session_recording]

How do we find out when the parameters should be set on the master instead of the client? Is the determining factor whether we want a "domain-wide" setting instead of a per-client one? If so, how do I know which parameter is better suited to be set "domain-wide"? I'm sorry if this is obvious to others, but it's never been 100% clear to me (except in some cases).
--
Ranbir
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
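Before asking which side a cache knob belongs on, it is worth checking whether the section it sits in is loaded at all. The script below is an added example, not part of the post or of SSSD itself: it parses the client sssd.conf quoted in the post and applies the activation rule from sssd.conf(5), namely that a top-level [domain/X] section is active only if X is listed in [sssd] domains or the section sets enabled = true (that option exists only in newer SSSD releases), and that a [domain/parent/sub] trusted-domain section follows its parent. With the posted config, this flags the standalone [domain/corp.ad.tld.com] section: corp.ad.tld.com is not in "domains", so the three entry_cache_*_timeout values there are never read. The list of cache options it looks for is an assumption chosen for the demonstration.

```python
"""Static check of an sssd.conf: which [domain/...] sections SSSD will start,
and which cache timeouts sit in a section it never loads.

Added example, not from the mailing-list post or the SSSD project.
"""
from __future__ import annotations

import configparser

# Copied from the post, one option per line; values are the poster's.
SSSD_CONF = """
[domain/idm.tld.com]
id_provider = ipa
dns_discovery_domain = idm.tld.com
ipa_server = _srv_, p1idma01.idm.tld.com
ipa_domain = idm.tld.com
ipa_hostname = gitlab.tld.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
pwd_expiration_warning = 14
selinux_provider = none
lookup_family_order = ipv4_only
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
ipa_automount_location = ala

[domain/idm.tld.com/corp.ad.tld.com]
ad_site = ala

[domain/corp.ad.tld.com]
entry_cache_timeout = 43200
entry_cache_service_timeout = 5400
entry_cache_computer_timeout = 5400
lookup_family_order = ipv4_only

[sssd]
domains = idm.tld.com
default_domain_suffix = corp.ad.tld.com

[nss]
cache_first = True
default_shell = /bin/bash
enum_cache_timeout = 3600
entry_negative_timeout = 360
memcache_timeout = 3600

[pam]
cache_first = True

[sudo]
cache_first = True

[autofs]
cache_first = True
autofs_negative_timeout = 3600

[ssh]

[pac]
cache_first = True
pac_lifetime = 3600

[ifp]

[secrets]

[session_recording]
"""

# Per-domain cache knobs tuned in the post; which ones to look for is an assumption.
CACHE_KEYS = (
    "entry_cache_timeout",
    "entry_cache_service_timeout",
    "entry_cache_computer_timeout",
)


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style: keep option names as written, no %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def listed_domains(cp: configparser.ConfigParser) -> list[str]:
    """Domains named in [sssd] domains, in the order SSSD queries them."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def domain_status(cp: configparser.ConfigParser) -> dict[str, bool]:
    """Map every [domain/...] section to whether SSSD would start it."""
    active = set(listed_domains(cp))
    # A top-level domain may also opt in with enabled = true (newer SSSD only).
    for sect in cp.sections():
        parts = sect.split("/")
        if len(parts) == 2 and parts[0] == "domain" and cp.getboolean(sect, "enabled", fallback=False):
            active.add(parts[1])
    status = {}
    for sect in cp.sections():
        parts = sect.split("/")
        if parts[0] != "domain" or len(parts) < 2:
            continue
        # parts[1] is the top-level domain for both [domain/X] and [domain/X/sub],
        # so a trusted-domain subsection inherits its parent's active/inactive state.
        status[sect] = parts[1] in active
    return status


def inactive_cache_options(cp: configparser.ConfigParser) -> list[tuple[str, str, str]]:
    """Cache timeouts set in a domain section SSSD never loads: they change nothing."""
    found = []
    for sect, is_active in domain_status(cp).items():
        if is_active:
            continue
        for key in CACHE_KEYS:
            if cp.has_option(sect, key):
                found.append((sect, key, cp.get(sect, key)))
    return found


if __name__ == "__main__":
    conf = parse_sssd_conf(SSSD_CONF)
    for section, ok in domain_status(conf).items():
        print(f"[{section}]: {'active' if ok else 'NOT active'}")
    for section, key, value in inactive_cache_options(conf):
        print(f"ignored: [{section}] {key} = {value}")
```

Point it at a real file with parse_sssd_conf(open("/etc/sssd/sssd.conf").read()) (root only; the file is mode 0600). Note that it only models the activation rule; it does not know which options SSSD accepts inside a trusted-domain subsection, so a value that survives this check can still be silently ignored there.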
