sss_cache keeps looking for a LOCAL domain, not purging LDAP records

I've added a user to a group in LDAP. The user shows up in ldapsearch. However, the user does not show up when I list group members on my RHEL instance using getent group my_group.

Am I correct in assuming that this is because SSSD caches group membership?

When I try to purge the SSSD cache for the group, it doesn't do anything:

# sss_cache -d LDAP -g my_group
(Mon Dec 14 10:40:41:816191 2015) [sss_cache] [confdb_get_domain_internal] (0x0010): Unknown domain [LOCAL]
(Mon Dec 14 10:40:41:816364 2015) [sss_cache] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [LOCAL], skipping!
# echo $?
0

Specifically, the user still doesn't show up in the getent group my_group listing.

Why is it looking for a "LOCAL" domain when I specified the "LDAP" domain in the command?

Here's the SSSD configuration

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP
debug_level = 5

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = true

id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

debug_level = 5

  1. Is this a bug in sss_cache?

  2. Should I just rm -f /var/lib/sss/db/cache_LDAP.ldb instead?

  3. At that point, should I just set cache_credentials = false in sssd.conf?


  1. I don't think it's a bug in sss_cache; your configuration references a domain called LOCAL, yet the domain is not defined. Just drop LOCAL from the domains line and try again.

  2. That is different. sss_cache works by setting the expiration timestamp to the past. This forces the lookup next time, but doesn't remove the entries completely, so they are still around for cases where the client would go offline.

  3. That really depends on whether you want to allow your users to log in while the connection to the server is lost.
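As an added example (not part of either answer, and not code from the SSSD project), here is a small Python lint for sssd.conf that catches the mistake from the question: the `[sssd]` `domains` line names a domain that has no `[domain/<name>]` section, which is why sss_cache complained about LOCAL even though `-d LDAP` was given. Since the posted config also sets `ldap_tls_reqcert = never`, the check flags that too, because it disables server certificate verification for the ldaps:// connection and makes the `ldap_tls_cacert` setting meaningless. The sample config is constructed to mirror the one in the question; the hostname and base DN are the placeholders the asker used.

```python
"""Lint an sssd.conf for two problems visible in the question's configuration.

The sss_cache log shows confdb_get_domains walking every domain named in the
[sssd] 'domains' list, regardless of which -d was passed, so a listed domain
with no [domain/<name>] section yields "Unknown domain [LOCAL]".  This lint
reports such entries, and also flags ldap_tls_reqcert values that switch off
server certificate verification.
"""
import configparser
from typing import List

# Constructed sample: the question's sssd.conf, trimmed to the relevant keys.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LOCAL,LDAP

[nss]
filter_groups = root

[domain/LDAP]
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; section names such as 'domain/LDAP' stay case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    return cp


def listed_domains(cp: configparser.ConfigParser) -> List[str]:
    """Domain names from the [sssd] 'domains' line, in order, whitespace stripped."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def undefined_domains(cp: configparser.ConfigParser) -> List[str]:
    """Listed domains that have no matching [domain/<name>] section."""
    return [d for d in listed_domains(cp) if not cp.has_section(f"domain/{d}")]


def lax_tls_domains(cp: configparser.ConfigParser) -> List[str]:
    """Defined domains whose ldap_tls_reqcert lets a bad or missing server cert through.

    'never' skips verification entirely and 'allow' ignores verification failures,
    so an on-path attacker can present any certificate.  sssd-ldap(5) documents the
    default as 'hard', so an absent key is treated as safe (assumption: that default).
    """
    lax = []
    for d in listed_domains(cp):
        section = f"domain/{d}"
        if not cp.has_section(section):
            continue
        value = cp.get(section, "ldap_tls_reqcert", fallback="hard").strip().lower()
        if value in ("never", "allow"):
            lax.append(d)
    return lax


def fixed_domains_line(cp: configparser.ConfigParser) -> str:
    """The 'domains =' line with undefined domains dropped (the first answer's fix)."""
    defined = [d for d in listed_domains(cp) if cp.has_section(f"domain/{d}")]
    return "domains = " + ",".join(defined)


def lint(text: str) -> List[str]:
    """Human-readable findings for one sssd.conf; an empty list means clean."""
    cp = parse_sssd_conf(text)
    findings = []
    for d in undefined_domains(cp):
        findings.append(
            f"[sssd] domains lists '{d}' but there is no [domain/{d}] section; "
            f"sss_cache will log 'Unknown domain [{d}]' whatever -d you pass"
        )
    for d in lax_tls_domains(cp):
        findings.append(
            f"[domain/{d}] ldap_tls_reqcert disables server certificate checking; "
            f"set it to 'demand' or 'hard' so ldap_tls_cacert is actually enforced"
        )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("WARNING:", finding)
    print("suggested:", fixed_domains_line(parse_sssd_conf(SAMPLE_CONF)))
```

Run it against `/etc/sssd/sssd.conf` (it is root-readable only, mode 0600) before restarting sssd or clearing the cache; on the question's config it reports the undefined LOCAL domain and the `never` setting, and suggests `domains = LDAP`.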


sss_cache doesn't 'purge' the cache. It just marks the cache entries as invalid, which should trigger a refresh, at least if everything is working properly.

If you really want to purge the cache, you can delete everything in /var/lib/sss/db and restart sssd.

e.g.

# systemctl stop sssd
# rm -f /var/lib/sss/db/*
# systemctl restart sssd