If `sss_cache -E` doesn’t remove the cached entries, then you’re getting that group data from somewhere else, or perhaps your sssd is configured to point at a different replica than you think.
Look for something that is other than what you expect in nsswitch.conf, etc... > On Aug 11, 2025, at 10:05 AM, Russell Jones via FreeIPA-users > <[email protected]> wrote: > > Hi all, > > I am trying to understand the caching behavior of SSSD+FreeIPA better. How > long of a cache delay is reasonable? > > I have deleted a number of old user groups from our FreeIPA installation, and > verified that the groups are gone on all 4 replicated servers via the ipa > command, and through the web interface. However on all of our clients, even > 30 minutes later, the groups still show when I do for example "getent group > testgroup3". > > I understand that sssd caching is at play here. However the super confusing > thing is I have the following set on a client that we really need to not have > old cache on, and it seems to ignore it: > > entry_cache_timeout = 5 > memcache_timeout = 5 > enum_cache_timeout = 5 > > This client also seems to ignore sss_cache -E and -G. Restarting sssd also > does not make the old groups go away. The only thing that finally resulted in > the deleted groups no longer being returned is deleting the contents of > /var/lib/sss/db. > > Why? How can I get faster responses to group updates from this client? > > I realize this isn't the sssd mailing list. Posting here as that mailing list > seems dead, and hoping someone here has crossed this path before and has some > info to share! > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
