RHEL 7 and AD user help


We have our RHEL 7 nodes integrated into our Windows AD. Everything is working except when we remove a user in AD from a group: the user still shows the group on the RHEL node.
Steps I have done:
stop sssd
run sss_cache -E
start sssd
log in as the user in question
run "id"; the group that was removed in AD still shows.
I had my AD administrator remove the user and re-add them to only one group. Ran the steps above to clear the cache. The same group still shows.
We have synced the AD, thinking there was one DC not synced.
Checked netstat to see which domain controller was attached, so we could look at it specifically and see if the change is seen there.
When we had the user it had groups 1/2/3; recreated with only group 1, group 2 went away but group 3 is still there.
I have even removed the host from AD and re-registered it with realm join, and still the same thing.
I have stopped sssd, removed the db, and started it again.
Anyone ever seen this? Did I miss something? I would hate to have to do this each time a user changes groups, etc.

Responses

You need to run this:

 rm -rf /var/lib/sss/{db,mc}/*

This clears the SSSD cache.

Then restart sssd.

Also, you can add this to sssd.conf to clear it up:

account_cache_expiration (integer) Number of days entries are left in cache after last successful login before being removed during a cleanup of the cache. 0 means keep forever. The value of this parameter must be greater than or equal to offline_credentials_expiration. Default: 0 (unlimited)

account_cache_expiration sets the number of days after a successful login that the entire user account entry is removed from the SSSD cache. This must be equal to or longer than the individual offline credentials cache expiration period.

 account_cache_expiration = 7
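The procedure this answer describes (stop sssd, clear the db and mc caches, restart, then re-check the user's groups), written up as an added shell example; it is not code from the original thread. It assumes a systemd-managed sssd on RHEL 7 with the default cache directories under /var/lib/sss, and the `flush` action must run as root; the user and group names are placeholders. The check goes through NSS with `id -Gn USER` rather than a bare `id` in the user's own login session, because a session's supplementary groups are fixed when the session is created and do not change when the cache is flushed.

```shell
#!/bin/sh
# Added example, not from the original thread. Clears SSSD's on-disk (db)
# and memory (mc) caches, restarts the daemon, and verifies through NSS
# that a group removed in AD no longer appears for the user.
# Assumptions: RHEL 7 with systemd-managed sssd and default cache paths.

SSS_DB_DIR=/var/lib/sss/db
SSS_MC_DIR=/var/lib/sss/mc

# group_in_list GROUP NAME... : return 0 if GROUP is one of NAME..., else 1.
# Whole-token comparison, so "group3" does not match "group30".
group_in_list() {
    wanted=$1
    shift
    for g in "$@"; do
        [ "$g" = "$wanted" ] && return 0
    done
    return 1
}

# user_has_group USER GROUP : resolve USER's groups via NSS (i.e. through
# sssd) and test for GROUP. `id -Gn` prints the group names on one line;
# leaving the command substitution unquoted splits it into arguments.
user_has_group() {
    # shellcheck disable=SC2046
    group_in_list "$2" $(id -Gn "$1" 2>/dev/null)
}

# Light option from the question: mark every cached entry invalid so the
# next lookup goes back to AD. Does not require a restart.
invalidate_sssd_cache() {
    sss_cache -E
}

# Heavy option from the answer: remove the cache files outright. sssd must
# be stopped first because it holds the db files open. Caution: this also
# discards cached credentials, so offline logins fail until the next
# online login.
flush_sssd_cache() {
    systemctl stop sssd
    rm -rf "${SSS_DB_DIR:?}"/* "${SSS_MC_DIR:?}"/*
    systemctl start sssd
}

# Nothing below runs unless an action is given, so the functions above can
# be sourced or tested without touching the live system.
case "${1:-}" in
    invalidate|flush)
        [ $# -eq 3 ] || { echo "usage: $0 invalidate|flush USER GROUP" >&2; exit 2; }
        action=$1; user=$2; group=$3
        if [ "$action" = flush ]; then
            flush_sssd_cache
        else
            invalidate_sssd_cache
        fi
        if user_has_group "$user" "$group"; then
            echo "$user is still in $group after cache $action:" \
                 "the DC sssd is bound to still reports the membership" >&2
            exit 1
        fi
        echo "$user is no longer in $group"
        ;;
esac
```

Run it as `sudo sh sssd-groups.sh flush jdoe group3` (or `invalidate` for the `sss_cache -E` path). If the group is still reported after a full flush, sssd is returning what the domain controller it is bound to says, so the next thing to check is that DC. Two caveats worth knowing: `account_cache_expiration` is a `[domain/...]` option in sssd.conf, next to `entry_cache_timeout` (how long a cached entry is trusted before sssd asks AD again, 5400 seconds by default), whereas `offline_credentials_expiration` lives in `[pam]`; and a group that is the user's AD primary group (set by `primaryGroupID`) is not stored in that group's member attribute, so it cannot be removed from the user through the group's member list and will keep appearing until the user's primary group is changed.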