sssd and ldap authentication cache

https://serverfault.com/questions/506507/sssd-and-ldap-authentication-cache

Asked 12 years, 6 months ago. Modified 2 years, 2 months ago. Viewed 50k times. Score: 13

On our box running OpenSUSE 12.2 we have installed OpenLDAP and the sssd daemon. We are using these two services for user authentication. Recently we created a script which creates new web users for our vhosts dynamically, but now we are dealing with a problem.

It seems that sssd uses some kind of cache, and during getent passwd it returns users that have been deleted from LDAP. Sometimes it doesn't immediately return a recently created user, which is needed further on in the script (for setting permissions with setfacl and chown).

Restarting LDAP, sssd or nscd doesn't help, nor does flushing the cache with sss_cache -U. We tried lowering the cache settings in the sssd config, but it doesn't seem to affect anything.

We need to somehow explicitly refresh the cache after adding a new user to LDAP, or disable the cache altogether.

Has anyone experienced a similar issue?

Tags: ldap, cache, latency, sssd

Asked May 9, 2013 at 20:20 by Seth Rayer; edited May 9, 2013 at 22:21 by dawud.

6 Answers

Try sss_cache -E

or try stopping sssd, removing the files in /var/lib/sss/db/*, and restarting sssd.

answered May 17, 2017 at 20:37 by gerard (edited May 17, 2017 at 20:47)
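The question's script needs the new user to be visible before it runs setfacl/chown. Here is an added example (not gerard's code) that combines the invalidation step with a bounded wait on the NSS lookup; it uses the per-user form of sss_cache (-u) and assumes getent (falling back to id) is available, and the ldapadd variables in the usage comment are assumed names from the provisioning script.

```shell
#!/bin/sh
# Added example (not gerard's code): invalidate sssd's cached entry for a
# freshly created LDAP user and wait until NSS resolves it, so the
# provisioning script can safely run setfacl/chown afterwards.

# Per-user NSS lookup; falls back to id(1) on hosts without getent.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1 || id -u "$1" >/dev/null 2>&1
}

# Drop the cached entry for one user. sss_cache -u is the per-user form of
# the -U/-E flags above; it needs root and is skipped where sssd is absent.
invalidate_user() {
    if command -v sss_cache >/dev/null 2>&1; then
        sss_cache -u "$1" 2>/dev/null || true
    fi
}

# wait_for_user NAME [TIMEOUT_SECONDS]
# Returns 0 as soon as the lookup succeeds, 1 if the deadline passes.
wait_for_user() {
    name=$1
    deadline=$(( $(date +%s) + ${2:-30} ))
    invalidate_user "$name"
    while ! user_exists "$name"; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "timeout: $name still not visible through NSS" >&2
            return 1
        fi
        sleep 1
    done
    return 0
}

# Typical use in the provisioning script (BINDDN, BINDPW, ldif, user and
# docroot are assumed variable names from that script):
#   ldapadd -x -D "$BINDDN" -w "$BINDPW" -f "$ldif" \
#       && wait_for_user "$user" 30 \
#       && chown "$user" "$docroot"
```

Only a single-user lookup is polled here; a full getent passwd enumeration is served from a separate enumeration cache and can lag behind even after the per-user lookup succeeds.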

From the man page (sssd.conf):

NSS configuration options

These options can be used to configure the Name Service Switch (NSS) service.

    enum_cache_timeout (integer)
        How many seconds should nss_sss cache enumerations (requests for
        info about all users)
        Default: 120

I would insert something like:

    [nss]
    enum_cache_timeout = 10

(adjust the seconds as seems fit)

answered Nov 18, 2015 at 12:05 by 473183469

I have experienced similar issues.

I noticed that getent passwd | grep <user> and getent passwd <user> will not return the same results.

Using strace I found that getent passwd <user> checks data in "/var/lib/sss/mc/passwd",

whereas getent passwd | grep <user> will connect to /var/lib/sss/pipes/nss and get its data from there.

This is really confusing to me, since both approaches seem to hit different caches. These caches seem to get updated when I run sudo su -, but otherwise seem to be valid for hours.

The result in practice is that, e.g., ssh access won't work for a user a few minutes after it is removed from LDAP, but getent passwd will keep on showing it for hours, so it's hard for me to check whether this user is in fact removed or not (without clearing some caches manually all the time).

Disabling caches is not an option in this case, having 2000+ users running jobs on 2000+ servers.

answered Oct 24, 2016 at 14:35 by Jens Timmerman (edited Aug 24, 2023 at 10:42)

Thanks for your tips, it's very helpful to me to fix the removed Linux account cached by sssd. – Marslo, Aug 2, 2024 at 2:53

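The two lookup paths described in that answer can be turned into a check for lingering entries: anything the enumeration still lists but a per-user lookup no longer resolves is a stale cache entry. This is an added example, not Jens Timmerman's code; it assumes getent is available (falling back to id), and the ghost_zz account in the demo input is constructed.

```shell
#!/bin/sh
# Added example (not Jens Timmerman's code): find accounts that the
# enumeration path (getent passwd, via the nss pipe) still lists but that a
# per-user lookup (getent passwd NAME, via /var/lib/sss/mc/passwd) no longer
# resolves. On the setup described above those are the entries that linger
# until the enumeration cache expires. The enumeration is read from stdin
# so the filter can also be exercised on constructed input.

# Per-user NSS lookup; falls back to id(1) on hosts without getent.
lookup_user() {
    getent passwd "$1" >/dev/null 2>&1 || id -u "$1" >/dev/null 2>&1
}

# stale_enum_entries < passwd-lines
# Prints one login name per line for every entry whose per-user lookup fails.
stale_enum_entries() {
    while IFS=: read -r login _rest; do
        [ -n "$login" ] || continue
        lookup_user "$login" || printf '%s\n' "$login"
    done
}

# Live audit: enumerate through NSS and compare against per-user lookups.
audit_live() {
    getent passwd | stale_enum_entries
}

# Constructed input for a dry run: root resolves on any host, ghost_zz is a
# made-up account that does not exist anywhere.
demo_input() {
    printf 'root:x:0:0:root:/root:/bin/sh\n'
    printf 'ghost_zz:x:5001:5001::/home/ghost_zz:/bin/sh\n'
}
# demo_input | stale_enum_entries   -> prints ghost_zz
```

Run audit_live on the affected host to list the accounts that only the enumeration cache still knows about; the same filter works on a uid list exported from LDAP if you want to compare against the directory instead.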

You could try to disable caching of credentials by adding a directive to /etc/sssd/sssd.conf:

    [domain/default]
    cache_credentials = False

You may then verify whether sssd caches credentials with the console command:

    authconfig --test | grep credential

    credential caching in SSSD is disabled

answered May 14, 2013 at 5:03 by Augustin Ghauratto (edited May 14, 2013 at 20:40)

authconfig is a Red Hat command; the problem is about OpenSUSE 12.2. – c4f4t0r, Nov 29, 2013 at 15:29

cache_credentials is about credentials; the question is about caching of user lookups. – 473183469, Nov 18, 2015 at 12:06


You can't disable caching completely with sssd.

You can disable sss as an authentication provider completely and just query LDAP directly if that's what you want.

For example, in /etc/nsswitch.conf, change lines like:

    passwd: files sss

to

    passwd: files ldap

You can force cleaning of the cache by removing /var/lib/sss/db/*.

answered May 9, 2013 at 20:47 by Grisha Levit

This is wrong. There's a configuration directive that controls caching. – ewwhite, May 14, 2013 at 7:14

Are you referring to cache_credentials? Does that disable all caching or just credentials, as the name would imply? – Grisha Levit, May 20, 2013 at 17:20


Note that having cache_credentials = True in Fedora 30/31 gives an error that makes it impossible to log in using LDAP users. I haven't found a documented bug related to this, so I am writing it here.

Updated: