Our users and groups LDAP configuration is working.
Our server is using LDAP to store users and groups.
# /etc/nsswitch.conf :
passwd: compat ldap
group: compat ldap
shadow: compat ldap
But today we added a new group in LDAP with 3 users, and then added other users. The first 3 users are in the group, but the others are not.
We can see this with "groups": more precisely, "getent group GROUPNAME" shows the user in the group, while "groups" does not show the group for that user... ?!
Therefore I am trying to understand:
- Is there some kind of cache for the LDAP group list?
- Or is it possible for the synchronization to fail, and if so, how can it be manually re-launched?
Sorry not to be more precise in my question, but I really don't see where to start...
P.S. Config files:
# /etc/ldap/ldap.conf
URI ldap://172.16.1.232
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
# /etc/pam_ldap.conf
base dc=ourdomain,dc=ch
uri ldap://172.16.1.232/
ldap_version 3
rootbinddn cn=admin,dc=ourdomain,dc=ch
pam_password crypt
pam_ldap and nsswitch have no caching mechanisms, but nscd or sssd may be present on your system and implement a cache.

To invalidate / flush the nscd groups cache use:

To invalidate / flush the sssd groups cache use:

jopasserat's comment leads to another possible answer.
The "groups" command doesn't report the group memberships of a user. It reports the group ID privileges of the current process. It only uses NSS to convert numeric group IDs to names.

When a user logs in, the group memberships are obtained from NSS, and the setgid and setgroups system calls are used to give the correct privileges to the user's initial process. All processes descended from there inherit the same privileges (except when a set-id program is executed).

If the configured privileges change while the user is logged in, the existing processes are not affected. You have to log out and in again to gain privileges, and if you're trying to revoke privileges, you have to kill all of the user's processes to finish the job.

nscd and such can add extra layers of cache to worry about, but pre-existing user processes are effectively a privilege cache that is present in all configurations.
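As an added example (not code from the question or from either answer), the script below separates the three places both answers point to: what NSS reports for the group (which, with the nsswitch.conf above, comes from LDAP, possibly through nscd or sssd), what the current process actually carries in its supplementary group list (what "groups" with no argument prints), and the nscd/sssd caches. The user "alice" and group "devs" used in the comments are placeholders, the sample getent line is constructed, and the flush commands "nscd -i group" and "sss_cache -G" are the standard invalidation calls for those daemons, supplied here because the page does not show them.

```shell
#!/bin/sh
# Added example (not from the question or either answer): separate the three
# places a group membership can "live". Names assumed for illustration:
# user "alice", group "devs". The getent line used in comments is constructed.

# --- 1. NSS view (what "getent group" shows; with "group: compat ldap" this
#        comes from LDAP, possibly via an nscd/sssd cache) -------------------
group_members_from_line() {
    # $1 = a "name:x:gid:member1,member2" line as printed by getent group.
    # Prints the member names one per line (nothing for an empty member list).
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

nss_says_member() {
    # $1 = user, $2 = getent group line. Returns 0 if the user is listed.
    # Caveat: a user whose *primary* gid is this group is not listed in the
    # member field; "id -G USER" (getgrouplist) accounts for that, this does not.
    group_members_from_line "$2" | grep -qx -- "$1"
}

# --- 2. Process view (what "groups" with no argument reports: the gids the
#        login process received via setgroups(2), inherited by every child) --
process_has_gid() {
    # $1 = gid to look for; $2 = space-separated gid list (defaults to the
    # current process's supplementary groups as printed by "id -G").
    gids=${2:-$(id -G)}
    for g in $gids; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# --- 3. Daemon caches (only relevant if nscd or sssd is installed) ---------
flush_group_cache() {
    # Invalidates the group table of whichever cache daemon is present.
    # Must run as root. Returns 1 if neither daemon is installed.
    flushed=1
    if command -v nscd >/dev/null 2>&1; then
        nscd -i group && flushed=0       # drop nscd's cached group entries
    fi
    if command -v sss_cache >/dev/null 2>&1; then
        sss_cache -G && flushed=0        # mark all sssd group entries expired
    fi
    return "$flushed"
}

diagnose() {
    # $1 = user, $2 = group: print where the membership is and is not visible.
    user=$1 group=$2
    line=$(getent group "$group") || { echo "NSS: group $group not found"; return 1; }
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    if nss_says_member "$user" "$line"; then
        echo "NSS: $user is listed in $group (gid $gid)"
    else
        echo "NSS: $user is NOT listed in $group; check LDAP, then flush nscd/sssd"
    fi
    if id -G "$user" | grep -qw -- "$gid"; then
        echo "getgrouplist: 'id -G $user' includes $gid"
    fi
    if [ "$(id -un)" = "$user" ]; then
        if process_has_gid "$gid"; then
            echo "process: this shell already carries gid $gid"
        else
            echo "process: this shell lacks gid $gid; log out and in (or su - $user) to get it"
        fi
    fi
}

# Usage: sh ldap-groups.sh USER GROUP    or    sh ldap-groups.sh --flush (as root)
case "${1:-}" in
    --flush) flush_group_cache ;;
    ?*)      diagnose "$1" "${2:?group name required}" ;;
esac
```

Run it as the affected user: if the NSS line lists the user but the "process:" line says the shell lacks the gid, the second answer applies and no cache flush will help that session; if NSS itself does not list the user although LDAP does, the first answer applies and "--flush" (as root) is the next step.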