Thanks,

Yeah, this is definitely not the issue. nsswitch is only pulling users and
groups from files, sss, systemd. There are no local users or groups
configured on the client.

The group does eventually go away after about an hour on the client. There
is a cache expiring somewhere that sss_cache -E just flat does not do
anything with. It's just confusing to me, I don't understand the behavior
and looking through the bug list I am not seeing anything. Not a big deal I
suppose, a "known issue" for our environment with a workaround if needed.

On Tue, Aug 12, 2025 at 2:11 PM Jo Rhett <[email protected]> wrote:

> If `sss_cache -E` doesn’t remove the cached entries, then you’re getting
> that group data from somewhere else, or perhaps your sssd is configured to
> point at a different replica than you think.
>
> Look for something that is other than what you expect in nsswitch.conf,
> etc...
>
> > On Aug 11, 2025, at 10:05 AM, Russell Jones via FreeIPA-users <[email protected]> wrote:
> >
> > Hi all,
> >
> > I am trying to understand the caching behavior of SSSD+FreeIPA better.
> > How long of a cache delay is reasonable?
> >
> > I have deleted a number of old user groups from our FreeIPA
> > installation, and verified that the groups are gone on all 4 replicated
> > servers via the ipa command, and through the web interface. However on
> > all of our clients, even 30 minutes later, the groups still show when I
> > do for example "getent group testgroup3".
> >
> > I understand that sssd caching is at play here. However the super
> > confusing thing is I have the following set on a client that we really
> > need to not have old cache on, and it seems to ignore it:
> >
> > entry_cache_timeout = 5
> > memcache_timeout = 5
> > enum_cache_timeout = 5
> >
> > This client also seems to ignore sss_cache -E and -G. Restarting sssd
> > also does not make the old groups go away. The only thing that finally
> > resulted in the deleted groups no longer being returned is deleting the
> > contents of /var/lib/sss/db.
> >
> > Why? How can I get faster responses to group updates from this client?
> >
> > I realize this isn't the sssd mailing list. Posting here as that mailing
> > list seems dead, and hoping someone here has crossed this path before
> > and has some info to share!
> > --
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to
> [email protected]
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> > Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
>