Group membership changes propagate in our environment just fine within a reasonable period of time. What should we be talking by default, 5 minutes?
Hi OK. I've just removed a user from a group and logged in as that user. After 30 minutes id, getent and tests on what he can access still show him to be a member. That's too long.
From man sssd.conf:
entry_cache_timeout (integer)
How many seconds should nss_sss consider entries valid before asking the backend again
Default: 5400
So the default cache lifetime is 5400 seconds, you can set a shorter one if you need the entries to be updated more frequently.
Hi. It has no effect. I set:
entry_cache_timeout = 10 and restarted sssd, waited for a minute or so but still getent, id and permissions of the user were still those of being a group member. This suggests that the cache is still being consulted. It sometimes works, but after a variable length of time. The current test (removing a user from a group) has been running for 20 minutes but still the user is a member of the group. Stuck!