On ti, 16 elo 2022, Lucas Blommers via FreeIPA-devel wrote:
Hi,
So what I did was:
1. I changed the group of an account using the IPA web interface.
2. I verified the change on the server terminal using "id <username>" and
I got the updated information.
3. I tried to verify the update on the client side by issuing the same command "id
<username>" but this time I got the old information.
Thanks for describing your use case. In general, group membership for a
user is updated by SSSD at authentication time when that user logs into
the system in question. This is because once logged in, a set of
supplementary groups a process running under the user account will have
is fixed and cannot be changed without starting a different session.
This is pretty much the same for all networking software that provides a
remote group membership capabilities through nsswitch interface on Linux
and UNIX-like systems. Discovering updates to group membership is in
general not easy without actual authentication being done.
There are various settings in SSSD to affect an entry cache that may
force a cached entry for the user be refreshed (leading to group
updates). Please see man page for sssd.conf(5) in domain section.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland