How to make sssd cache more aggressively
Environment
- Red Hat Enterprise Linux (RHEL)
- Identity Management (IdM)
- Trust between the Identity Management (IdM) server and Active Directory (AD)
Issue
- Waiting 5 minutes is too long for new entries to appear.
- Updates made on the Active Directory side are taking too long to reflect on the Red Hat Linux side.
- When trying to look up the new user or group, the lookup reports "no such user" or "no such group".
Resolution
From man sssd.conf:
memcache_timeout (int)
Specifies time in seconds for which records in the in-memory cache will be valid
Default: 300
entry_cache_timeout (integer)
How many seconds should nss_sss consider entries valid before asking the backend again
The cache expiration timestamps are stored as attributes of individual objects in the cache. Therefore,
changing the cache timeout only has effect for newly added or expired entries. You should run the sss_cache(8)
tool in order to force refresh of entries that have already been cached.
Default: 5400
To reduce the NSS and domain cache timeouts, modify /etc/sssd/sssd.conf as follows:
[nss]
memcache_timeout = 10
[domain/default]
entry_cache_timeout = 60
Diagnostic Steps
- You will have to clear the cache for the new settings to take effect.
- Make the recommended changes, then execute the following:
# service sssd stop
# rm -f /var/lib/sss/db/*
# service sssd start
# watch 'getent passwd user1'
- Please execute the following in another terminal.
# ipa user-mod user1 --shell='/bin/sh'
- In less than a minute you will see the shell change to /bin/sh in the getent output.
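As an added example (not part of the original article), a small POSIX shell helper that reads an sssd.conf and reports the two timeouts tuned above, falling back to the man-page defaults of 300 and 5400 when a key is not set; the sample config it writes is constructed here, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: report the effective SSSD
# cache timeouts in an sssd.conf, using the man-page defaults (300 / 5400)
# whenever a key is not set. The sample config below is constructed.

# Print the value of KEY in [SECTION] of FILE, or DEFAULT when it is absent.
# Tolerates "key = value" and "key=value" and ignores other sections.
# Usage: sssd_conf_get FILE SECTION KEY DEFAULT
sssd_conf_get() {
    val=$(awk -v sec="[$2]" -v key="$3" -F'=' '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
        insec && NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/[ \t]/, "", v); print v; exit }
        }' "$1")
    printf '%s\n' "${val:-$4}"
}

# Summarise the two timeouts the article tunes, for domain section DOMAIN.
# Usage: sssd_cache_report FILE DOMAIN
sssd_cache_report() {
    printf 'memcache_timeout=%s entry_cache_timeout=%s\n' \
        "$(sssd_conf_get "$1" nss memcache_timeout 300)" \
        "$(sssd_conf_get "$1" "domain/$2" entry_cache_timeout 5400)"
}

# Write a constructed sample sssd.conf mirroring the article's edits.
# Usage: write_sample_conf FILE
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam
domains = default

[nss]
memcache_timeout = 10

[domain/default]
id_provider = ipa
entry_cache_timeout=60
EOF
}

# Demo: prints "memcache_timeout=10 entry_cache_timeout=60" for the sample,
# and the unchanged default for a domain section that is not in the file.
sample=$(mktemp)
write_sample_conf "$sample"
sssd_cache_report "$sample" default
sssd_cache_report "$sample" other   # memcache_timeout=10 entry_cache_timeout=5400
rm -f "$sample"
```

A value equal to the default in the report means the key is missing from that section, so the article's edit has not been applied where sssd actually reads it.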
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.