Hello! I don't know where to start tracking down this issue. I found something else interesting.

1. Set `global_policy` password expiration (both min and max) to 0 (zero)
2. Add a user called `dummy`
3. Set global_policy password expiration min (1) and max (90).
4. Add a user called `dummy2`

Both users dummy and dummy2 have the same password expiration :D

This problem is the same as with assigning sudo/group to a user. I set debug_level = 7 in the following sections in sssd.conf:

[domain/mydomain.co.id]
..
debug_level = 7
..
[sssd]
..
debug_level = 7
..
[sudo]
..
debug_level = 7
..

I didn't find any related information about the 4 steps above.

On 07/30/2015 08:54 PM, Jakub Hrozek wrote:
> On Thu, Jul 30, 2015 at 07:09:47PM +0700, Dewangga Bachrul Alam wrote:
>> Hello Jakub!
>>
>> Sorry for delayed email,
>> My bad, I disabled cache_credentials, not sssd_cache.
>
> Then I think it's completely unrelated to the sudo rules problem.
>
>>
>> I tried modified my user `dewangga` to remove sudo rules, the cache
>> still active even I restart the sssd service and delete all ccache* files.
>
> Yes, cache can't be completely disabled with sssd. See:
> https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
>
>>
>> There's no information on sssd log folder.
>>
>> -rw-------. 1 root root 0 Jul 29 19:26 krb5_child.log
>> -rw-------. 1 root root 105K Jul 30 04:49 ldap_child.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_merahciptamedia.co.id.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_nss.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_pac.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_pam.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_ssh.log
>> -rw-------. 1 root root 0 Jul 29 19:26 sssd_sudo.log
>>
>>
>> On 07/30/2015 02:33 PM, Jakub Hrozek wrote:
>>> On Thu, Jul 30, 2015 at 02:26:03PM +0700, NitrouZ wrote:
>>>> Hello!
>>>>
>>>> I set the cache value to False on sssd.conf. (On IPA server and client).
>>>
>>> Can you show me the exact config directive you used?
>>>
>>>>
>>>> On Thursday, July 30, 2015, Jakub Hrozek <[email protected]> wrote:
>>>>
>>>>> On Wed, Jul 29, 2015 at 10:03:14PM +0700, Dewangga wrote:
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> Hello!
>>>>>>
>>>>>> Thanks for the hints both of you, yes the sssd_cache is in play.
>>>>>> I've set the cache to false, is it have any impact to ipa
>>>>>> server/client (performance, security or another issue)?
>>>>>
>>>>> How exactly did you 'disable' the cache? The sssd cache can't be
>>>>> disabled, it can either be removed manually or the cache lifetime can be
>>>>> set short..
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>
>>>>
>>>> --
>>>> Sent from iDewangga Device
