FreeIPA Kerberized NFSv4 Group Membership Issue

Hello,
We have a FreeIPA domain running with several NFS clients auto-mounting a Kerberized NFSv4 server (krb5p).

We're running the latest RHEL 7.6 on all nodes and everything is working great with one exception: it takes 24 hours after removing a user from an IPA group for them to lose access to a share.

Procedure:
1. User logs into NFS client and browses a group-restricted share.
2. FreeIPA admin removes that user from the group which grants access to the aforementioned share.
3. User logs out of the client, back in and browses the share again without issue (despite the group no longer appearing with the id/groups command).
4. Reboot the client or wait 24 hours and the user loses access as expected.

Is there a way to ensure group changes in IPA are immediately honored by the NFS clients?

Thanks!
