I found this bug while working on tests for the nss_ex interface, but even with the help of the design page, I'm not sure what would the best fix be, so I'm filing a ticket.

When a user is being invalidated from the initgroups memory cache, the sss_mmap_cache_invalidate function is passed the input name (e.g. user). Then the code goes to sss_mc_find_record where the name is used to generate the hash and the slot and an entry is found. But then we go to:

582         if (strcmp(key->str, t_key) == 0) {
583             break;
584         }

Which never matches, because the t_key is the unique name in case of the initgroup cache, so the comparison is always false..

There is a crude fix in PR https://github.com/SSSD/sssd/pull/558 but it's probable that someone else will be doing a proper fix, so filing an issue is safer.