On Mon, Mar 24, 2014 at 10:36:53PM -0400, Mark London wrote: Please check the entry_cache_*_timeout options described in the sssd.conf man page and please be aware of memcache_timeout. HTH bye, Sumit

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/25/2014 06:14 AM, steve wrote: This is only useful on event-driven behavior. Be careful about doing this; it will wipe out any cached credentials on the system. Mark, how do your lookups happen? Are you really relying on 'getgrent()' calls to get group information? If so, you really don't have any choice; lowering the enum time is the best you can do. If what you really mean is "When I make a change, I want newly logged-in users to have that change immediately reflected.", that's a different question (and one that you will be happy to know is already handled for you). The cache refresh timeouts exist entirely for the support of 'getpwnam()', 'getgrent()' and friends. But SSSD also does a forced cache update of any groups to which the user belongs as part of the authentication phase. So whenever a user logs in, SSSD will first do a full refresh of the user object and all associated group objects, *then* perform the login. In other words, as long as SSSD could access LDAP at login time, any logged-in user will always be assigned the group memberships present in LDAP. (*) So before we can realistically answer your original question, we need to know more about the specific use case that you are trying to address. (*) Special note: a limitation of UNIX/LINUX is that if the user's group membership changes while they are logged in, that change will not take effect on that session; it will only happen on next login.