sssd and ldap authentication cache

cache latency ldap sssd

On our box running OpenSUSE 12.2 we have installed OpenLDAP and sssd daemon. We are using these two services for user authentication. Recently we created a script which creates new web-users for our vhosts dynamically, but now we are dealing with a problem.

It seems that sssd uses some kind of cache and during getent passwd it returns users that have been deleted from LDAP. Sometimes it doesn't return recently created user immediately as it is necessary further in the script (for setting permissions with setfacl and chown).

Restarting LDAP, sssd or nscd doesn’t help, neither flushing cache with sss_cache -U. We tried lowering cache in config of sssd but it seems that it doesn’t affect anything.

We need to somehow explicitly refresh the cache after adding new user to LDAP or disable the cache at all.

Has anyone experienced similar issue?


Solution 1:

From the man page (sssd.conf):

NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users)
       Default: 120

I would insert something like:

[nss]
enum_cache_timeout 10

(adjust seconds as it seems fit)

Solution 2:

Try sss_cache -E

or try stopping sssd, removing the files in /var/lib/sss/db/*, and restarting sssd

Solution 3:

I have expierenced similar issues

I noticed that getent passwd | grep <username> and getent passwd <username> will not return the same results,

Using strace I found that getent passwd <username> checks data in "/var/lib/sss/mc/passwd"

wheras getent passwd | grep <username> will connect to /var/lib/sss/pipes/nss and get it's data from there.

This is really confusing me, since both approaches seem to hit different caches. These caches seem to get updated when I run sudo su - <username> but seem to otherwise be valid for hours.

The result in practice is that e.g. ssh access won't work for a user a few minutes after it is removed from the ldap, but getent passwd will keep on showing it for hours, so it's hard for me to check if this users is in fact removed or not (without clearing some caches manually all the time)

Solution 4:

  • You can't disable caching completely with sssd.

  • You can disable sss as an authentication provider completely and just query LDAP directly if that's what you want.

For example, in /etc/nsswitch.conf, change lines like:

passwd:     files sss

to

passwd:     files ldap
  • You can force cleaning of the cache by removing /var/lib/sss/db/*

Solution 5:

You could try to disable caching credentials by adding directive to /etc/sssd/sssd.conf:

[domain/default]
cache_credentials = False

You may then verify that sssd uses cache on credentials with console command:

# authconfig --test|grep credential
credential caching in SSSD is disabled

Related

What is the best way to fix NTFS file permissions to inherit parent?
How can I compact the VHD file with Ubuntu?
why doesn't ntp recover after an Internet-less startup?
OperationalError, no such column. Django
Using Json Slurper + Groovy + Azure answer
Post method not reading json, only String in Spring Boot api
react-native-pdf iOS and Android build errors
How to compile tsconfig.json into a config object using TypeScript API?
Ubuntu Won't Boot After Install on Samsung NP915S3G: error "All boot options are tried." [duplicate]
Grub loads instead of Ubuntu whenever my HP streambook reboots
Crontab execution of multiple commands but last command is omitted
How to make login keyring forget a password