I've noticed a cache issue in SSSD 1.12 on RHEL 6 after executing a global update via ansible (ansible all -m yum -a "name=* state=latest").
Essentially, after the update, queries against the cache appear to return invalid (incomplete) results on all 12 RHEL boxes that were updated.
Issuing an "sss_cache -E" does not correct the issue, but it is fixed after stopping SSSD, deleting the DB (rm /var/lib/sss/db/*) and then restarting SSSD.
SSSD --version appears to report as 1.12.4 both before and after the update.
User query after patching:
id "username"
uid=xxx(username) guid=xxx(group 1) groups=xxx(group 1)
The UID and GUIDs above are correct - but incomplete as the user is a member of 28 groups.
User query results both before patching and after patching (after removing /var/lib/sss/db/*):
id "username"
uid=xxx(username) guid=xxx(group 1) groups=xxx(group 1),xxx(group 2),xxx(group 3),xxx(group 4),xxx(group 5),xxx(group 5),xxx(group 6), etc
This may be related to the same SSSD bug seen in this environment that was discussed last week (inconsistent SSSD behaviour).
I'm hoping that 1.13 resolves this issue when RHEL 6.8 is released.
My SSSD config is below and the entries applied as fixes for the previous issue are bolded:
config_file_version = 2
debug_level = 1
domains = <domain>
services = nss, pam, ssh, pac, sudo
default_domain_suffix = <domain>
debug_level = 1
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
ad_enable_gc = false
# Permits offline logins:
cache_credentials = true
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
#Use FQDN for logins - when multiple domains share same username
use_fully_qualified_domain_names = true
# Ignore forest root domain, but have to specify current domain SID because of RHEL bug - see
subdomains_provider = none
ldap_idmap_default_domain_sid = <SID>
#Don't attempt to auto update DNS records
dyndns_update = false
debug_level = 1
debug_level = 1
filter_users = root,oracle,grid,mfe,postfix
filter_groups = root
debug_level = 1
debug_level = 1
debug_level = 1
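
A check for the symptom reported above, added here as an example and not part of the original post: it counts the entries in the groups= field of `id` output and flags users whose list is shorter than a recorded baseline, since group-based access decisions depend on that list. The baseline file format, the function names and the sample lines are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed baseline file format:
# one "user expected_group_count" pair per line, '#' starts a comment.

# Constructed sample `id` lines mirroring the two outputs shown in the post.
SAMPLE_TRUNCATED='uid=1001(jdoe) gid=2001(group 1) groups=2001(group 1)'
SAMPLE_FULL='uid=1001(jdoe) gid=2001(group 1) groups=2001(group 1),2002(group 2),2003(group 3)'

# count_groups LINE: number of entries in the groups= field of one `id` line.
count_groups() {
    case "$1" in
        *groups=*) ;;
        *) echo 0; return 0 ;;
    esac
    g=${1##*groups=}      # text after "groups="
    g=${g%% context=*}    # drop a trailing SELinux context (may contain commas)
    [ -n "$g" ] || { echo 0; return 0; }
    commas=$(printf '%s' "$g" | tr -cd ',' | wc -c)
    echo $((commas + 1))
}

# check_user USER EXPECTED LINE: fail if LINE lists fewer than EXPECTED groups.
check_user() {
    got=$(count_groups "$3")
    if [ "$got" -lt "$2" ]; then
        echo "INCOMPLETE $1: $got of $2 groups"
        return 1
    fi
    echo "OK $1: $got groups"
}

# audit_baseline FILE: run `id` for every user in FILE; non-zero if any is short.
audit_baseline() {
    rc=0
    while read -r user expected; do
        case "$user" in ''|'#'*) continue ;; esac
        line=$(id "$user" 2>/dev/null) || line=""
        check_user "$user" "$expected" "$line" || rc=1
    done < "$1"
    return $rc
}

# rebuild_cache: the workaround from the post (run as root on RHEL 6).
# Removing the DB also discards cached credentials (cache_credentials = true),
# so offline logins fail until each user has authenticated online again.
rebuild_cache() {
    service sssd stop && rm -f /var/lib/sss/db/* && service sssd start
}
```

Record the baseline counts before a package update, run audit_baseline afterwards, and call rebuild_cache only on hosts that report INCOMPLETE.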