>> Group membership changes propagate in our environment just fine within a
>> reasonable period of time. What should we be talking by default,
>> 5 minutes?
> Hi
> OK. I've just removed a user from a group and logged in as that
> user. After 30 minutes id, getent and tests on what he can access
> still show him to be a member. That's too long.
>
From man sssd.conf:

    entry_cache_timeout (integer)
        How many seconds should nss_sss consider entries valid
        before asking the backend again

        Default: 5400

So the default cache lifetime is 5400 seconds; you can set a shorter one
if you need the entries to be updated more frequently.

Hi.
It has no effect. I set:
entry_cache_timeout = 10
and restarted sssd, waited for a minute or so but still getent, id and permissions of the
user were still those of being a group member. This suggests that the cache is still being
consulted. It sometimes works, but after a variable length of time. The current test
(removing a user from a group) has been running for 20 minutes but still the user is a
member of the group. Stuck!