#4064 SSSD cache group information not updated
Opened 6 months ago by bionunu. Modified 5 months ago

I have created a one-way trust between Active Directory 2016 and an IPA server. Then I set up a client, and using an Active Directory user I am able to log in to the client machine.
Problem statement:
In the Active Directory, I have created a user group (ad_group@adserver.local) and created 2 users to make part of the group (ad_user1 and ad_user2).
In the IPA server (ipa.example.com), the internal POSIX group which is connected to Active Directory is called ad_ipa_internal. When I ran
[root@ipa ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group ad_ipa_internal
Thu Aug 15 16:15:31 AEST 2019
group ad_ipa_internal:*:1003003:ad_user1@.adserver.local,ad_user2@.adserver.local

but if I remove user ad_user2 from the Active Directory group, the user still exists in the IPA group.
Now if I run sss_cache -G it is still there, but the dataExpireTimestamp in /var/lib/sss/db/timestamps_example.com.ldb and /var/lib/sss/db/cache_example.com.ldb is set to 1. The only way to get the updated group info is if I remove
# rm -rf /var/lib/sss/db/*
# systemctl restart sssd.service

then it gets the updated group information.

[root@ipa ~]# cat /etc/sssd/sss.conf
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = srv.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa.example.com
chpass_provider = ipa
ipa_server = ipa.example.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

services = sudo, nss, ifp, pam, ssh
domains = example.com
#memcache_timeout = 600
homedir_substring = /home


The other problem is if I don't run sss_cache -G on the IPA server then the client SSS cache is not updated. The removal problem exists in both IPA and client.

Installed Packages
Name : sssd
Arch : x86_64
Version : 1.16.2
Release : 13.el7

I tried to follow the below referrals:

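The symptom reported above (a user removed from the AD group still appearing in the cached POSIX group) is a stale-membership problem that is easy to miss until a login that should have been revoked succeeds. The following script is an added example, not code from the ticket or from the SSSD project: it parses `getent group` output in the standard `name:passwd:gid:member,member` form, compares the cached member list against an authoritative list you obtain from the directory, and reports members that are stale (cached but no longer in AD) or missing (in AD but not yet cached). The `normalize` helper also tolerates the `user@.domain` rendering seen in the ticket's output; the sample lines and the authoritative list are constructed for the example, and the `getent` invocation with `SSS_NSS_USE_MEMCACHE=NO` mirrors the ticket's own command.

```python
"""Check an SSSD-backed POSIX group for stale members.

Added example for this ticket, not part of SSSD.  Assumes the standard
getent(1) group line format and an authoritative member list supplied by
the caller (e.g. exported from the AD group).  Sample data is constructed.
"""
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupEntry:
    name: str
    gid: int
    members: frozenset  # member names exactly as printed by getent


def normalize(member):
    """Canonicalise a member name so cache and directory spellings compare.

    Lower-cases the name (AD is case-insensitive) and drops the stray dot
    after '@' that appears in the ticket's output ("user@.adserver.local").
    """
    return member.strip().lower().replace("@.", "@", 1)


def parse_getent_group(line):
    """Parse one 'name:passwd:gid:member1,member2' line from getent group."""
    fields = line.strip().split(":")
    if len(fields) != 4:
        raise ValueError("unexpected getent group line: %r" % line)
    name, _passwd, gid, members = fields
    member_set = frozenset(m.strip() for m in members.split(",") if m.strip())
    return GroupEntry(name=name, gid=int(gid), members=member_set)


def check_group(getent_line, authoritative_members):
    """Compare the cached membership with the authoritative one.

    Returns a dict with the group name, its GID, the members that are still
    cached but gone from the directory ("stale") and the members present in
    the directory but absent from the cache ("missing").
    """
    entry = parse_getent_group(getent_line)
    cached = frozenset(normalize(m) for m in entry.members)
    authoritative = frozenset(normalize(m) for m in authoritative_members)
    return {
        "group": entry.name,
        "gid": entry.gid,
        "stale": sorted(cached - authoritative),
        "missing": sorted(authoritative - cached),
    }


def cached_group_line(group):
    """Read the group from SSSD, bypassing the fast memory cache as the
    ticket does (SSS_NSS_USE_MEMCACHE=NO).  Not exercised by the test."""
    env = dict(os.environ, SSS_NSS_USE_MEMCACHE="NO")
    out = subprocess.run(["getent", "group", group], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


# Constructed sample: the cache still lists ad_user2 after it was removed
# from the AD group, so the authoritative list only contains ad_user1.
SAMPLE_CACHED_LINE = (
    "ad_ipa_internal:*:1003003:"
    "ad_user1@.adserver.local,ad_user2@.adserver.local"
)
SAMPLE_AUTHORITATIVE = ["ad_user1@adserver.local"]


if __name__ == "__main__":
    report = check_group(SAMPLE_CACHED_LINE, SAMPLE_AUTHORITATIVE)
    for member in report["stale"]:
        print("STALE: %s still cached in %s" % (member, report["group"]))
    for member in report["missing"]:
        print("MISSING: %s not yet cached in %s" % (member, report["group"]))
```

A non-empty `stale` list is the condition described in the ticket; running this check periodically on the IPA server and on clients makes the window between a directory change and its appearance in the cache visible, which is the access-control risk a removed group member represents.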