I'm standing up SSSD as a client to use against my LDAP server. I have a POSIX group defined in LDAP (name: "mygroup", GID: 501) of which I am a member.

SSSD appears to be configured correctly client-side. I can successfully see this group and its members by executing "getent group mygroup". When I do an "id myusername", I see the groups I am part of, displayed as follows:

uid=1540(myusername) gid=502(users) groups=502(users),501(mygroup)

Looks great! But then about five minutes later, I repeat the "id myusername" command and get the following:

uid=1540(myusername) gid=502(users) groups=502(users),501

SSSD is still aware that there is a GID 501 that I am a member of, but it "forgets" that group name. This actually causes some issues with things like access.conf that rely on that group name. I have experimented with the "entry_cache_group_timeout" parameter in sssd.conf but no luck so far.

Advice? tia

I think I figured it out. Turns out my LDAP group had been accidentally assigned the same GID (501) as another LDAP. The tip-off was this in the sssd_nss.log file:

[sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!

What seems to have been happening is that my lookup of the group via getent group mygroup would put that entry into the in-memory cache of SSSD. The default time for that cache to flush itself is 300 seconds (i.e. five minutes). Once my group was assigned a new unique GID in LDAP, SSSD appears to be holding onto the entry beyond what it was holding onto before.

Good job and well done.