I have an AD setup where users can be a member of perhaps 130 groups.

When I run 'groups jbloggs' this can take 90 seconds or even longer.

I have reduced that time to perhaps 20 seconds by setting

ignore_group_members = TRUE

Once the information is cached the groups command returns in less that one second.

However, after a length of time the cache seems to be invalidated and the information is fetched again from the server, taking 20 seconds again.

The cacheing parameters are set to:

entry_cache_timeout = 5400
entry_cache_user_timeout = 5400
entry_cache_group_timeout = 5400
refresh_expired_interval = 4000

Surely this means that after 4000 seconds the user and group information is refreshed in the background.

So a user running the groups command would always see freshly cached values?

Clearly I am not understanding something here.