Red Hat Bugzilla – Bug 741981
Separate Cache Timeouts for SSSD
Last modified: 2012-03-17 19:44:00 EDT
Description of problem:
Currently SSSD has 1 monolithic timeout for nss data: users / groups / netgroups.
This has an impact in situations where sudo needs to get at updated netgroup data for authorization decisions, but can only acquire data from the (default 90 minute) cache.
Steps to Reproduce:
1. Setup an IPA / SSSD client for Sudo
2. Perform a Sudo action without the host added to the hostgroup/netgroup in a sudo rule.
3. Notice that the action is denied and cached.
4. Add the host to the hostgroup/netgroup that is in a sudo rule
5. Notice that the action is still denied.
Actual results:
Cached data is not updated
Expected results:
Cached data is individually timed out, or refreshed for actions such as sudo lookups.
sssd-1.8.0-6.fc17 has been submitted as an update for Fedora 17.
sssd-1.8.0-6.fc16 has been submitted as an update for Fedora 16.
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-6.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
sssd-1.8.0-6.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.8.1-7.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
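An added example, not part of the bug report or of SSSD's own code: a small audit that reads an sssd.conf and reports the effective cache lifetime per entry type, flagging domains whose netgroup data can stay stale longer than a chosen limit. It assumes the per-type `entry_cache_user_timeout`, `entry_cache_group_timeout` and `entry_cache_netgroup_timeout` domain options from sssd.conf, which this page does not name; the sample file and the 300-second limit are constructed.

```python
import configparser

# 90-minute default cache lifetime mentioned in the report, in seconds.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
ENTRY_TYPES = ("user", "group", "netgroup")

# Constructed sample sssd.conf; domain names and values are illustrative.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = legacy.example, tuned.example

[domain/legacy.example]
id_provider = ipa

[domain/tuned.example]
id_provider = ipa
entry_cache_timeout = 3600
entry_cache_netgroup_timeout = 120
"""

def effective_timeouts(conf_text):
    """Return {domain: {entry_type: seconds}}, falling back to entry_cache_timeout."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # Assumption: a per-type option, when unset, inherits the domain-wide value.
        base = dom.getint("entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
        result[section[len("domain/"):]] = {
            t: dom.getint(f"entry_cache_{t}_timeout", fallback=base) for t in ENTRY_TYPES
        }
    return result

def stale_netgroup_domains(conf_text, max_seconds=300):
    """Domains whose netgroup cache lifetime exceeds max_seconds (hypothetical policy)."""
    return sorted(d for d, t in effective_timeouts(conf_text).items()
                  if t["netgroup"] > max_seconds)

if __name__ == "__main__":
    for domain, timeouts in effective_timeouts(SAMPLE_CONF).items():
        print(domain, timeouts)
    print("netgroup data may be stale too long in:", stale_netgroup_domains(SAMPLE_CONF))
```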