Bug 1361597

Summary: Groups with just one member are not properly managed by sssd
Product: Red Hat Enterprise Linux 7 Reporter: Thorsten Scherf <tscherf>
Component: sssd Assignee: Petr Čech <pcech>
Status: CLOSED ERRATA QA Contact: shridhar <sgadekar>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2 CC: grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, pcech, pjagrut, sssd-qe, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.15.0-2.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 08:58:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Thorsten Scherf 2016-07-29 13:17:51 UTC

Comment 1 Thorsten Scherf 2016-07-29 13:27:47 UTC
Sorry for the missing description, hit enter too fast.

Here we go with the details.

When there is only a single member in a group and this member is being removed, sssd only removes it from the cache after "id <username>" has been executed. With more than one member in a group, the issue seems to go away.

This has been tested with the following releases:
sssd-1.13.90-0.20160506.1712.git04e4bdf.fc23.x86_64
sssd-1.13.3-22.el6.x86_64


    ########################
    enumerate = false
    entry_cache_timeout = 30
    ########################
     
    # sss_cache -u enumtest
    # sss_cache -g enumgr2
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 14:42:09 CEST 2016
    enumgr2.test:*:300403124:
     
    ###
    ### Adding a user
    ###
     
    # adcli add-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 14:42:36 CEST 2016
    enumgr2.test:*:300403124:
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 14:42:59 CEST 2016
    enumgr2.test:*:300403124:enumtest.test
     
    ###
    ### Removing a user
    ###
     
    # adcli remove-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 14:43:21 CEST 2016
    enumgr2.test:*:300403124:enumtest.test
     
    # ldbsearch -H /var/lib/sss/db/cache_win.trust.test.ldb gidNumber=300403124
    dataExpireTimestamp: 1469796251
     
    # date -d @1469796251
    Fri Jul 29 14:44:11 CEST 2016
    
    ### The user is still listed as a member of the group
 
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 14:44:28 CEST 2016
    enumgr2.test:*:300403124:enumtest.test
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 14:46:28 CEST 2016
    enumgr2.test:*:300403124:enumtest.test
     
    ### After running "id <user>", the group membership is updated 

    # id enumtest.test
    uid=300403121(enumtest.test) gid=300400513(domain users.test) groups=300400513(domain users.test),300403120(supergroup.test)
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 14:46:49 CEST 2016
    enumgr2.test:*:300403124:
     
    ###
    ### The issue can't be reproduced when more than one user is a member of the group
    ###
     
    # adcli add-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 15:10:40 CEST 2016
    enumgr2.test:*:300403124:enumtest2.test,enumtest.test
     
    ### With two members in the group, the group membership is updated within the cache expiration time

    # adcli remove-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest

    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 15:11:00 CEST 2016
    enumgr2.test:*:300403124:enumtest2.test,enumtest.test
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 15:11:12 CEST 2016
    enumgr2.test:*:300403124:enumtest2.test

    ### With just one group member left, the issue pops up again
     
    # adcli remove-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest2
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 15:12:02 CEST 2016
    enumgr2.test:*:300403124:enumtest2.test
     
    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 15:12:36 CEST 2016
    enumgr2.test:*:300403124:enumtest2.test
     
    # adcli add-member --login-ccache='KEYRING:persistent:0:krb_ccache_w0VyosL' --domain=win.trust.test enumgr2 enumtest
    
    ### Adding a new group member makes sssd update the group membership

    # date; SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test
    Fri Jul 29 15:12:59 CEST 2016
    enumgr2.test:*:300403124:enumtest.test
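
The failure shown in Comment 1, a removed member still returned after `dataExpireTimestamp` has passed, can be checked mechanically. The script below is an added example, not part of the bug report or of sssd; the function name `stale_member`, the "epoch plus getent line" observation format and the expiry used for the two-member sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a removed member that is
# still served after the cached group entry has expired.
# Input on stdin: one observation per line, "<epoch> <getent group line>".
# A live observation could be recorded with:
#   printf '%s %s\n' "$(date +%s)" "$(SSS_NSS_USE_MEMCACHE=NO getent group enumgr2.test)"

# stale_member EXPIRE_EPOCH MEMBER   (hypothetical helper name)
# Prints the epoch of every observation taken after EXPIRE_EPOCH that still
# lists MEMBER. Returns 0 if at least one such observation exists, else 1.
stale_member() {
    awk -v expire="$1" -v member="$2" '
    {
        ts = $1 + 0
        if (ts <= expire + 0) next            # entry may legitimately be cached
        line = substr($0, index($0, " ") + 1) # member names may contain spaces
        # getent group format: name:passwd:gid:member1,member2,...
        if (split(line, f, ":") < 4) next
        n = split(f[4], members, ",")
        for (i = 1; i <= n; i++)
            if (members[i] == member) { print $1; found = 1 }  # exact match only
    }
    END { exit(found ? 0 : 1) }'
}

# Constructed from the single-member transcript in Comment 1; epochs are
# derived from dataExpireTimestamp 1469796251 (14:44:11 CEST).
SINGLE_MEMBER='1469796201 enumgr2.test:*:300403124:enumtest.test
1469796268 enumgr2.test:*:300403124:enumtest.test
1469796388 enumgr2.test:*:300403124:enumtest.test
1469796409 enumgr2.test:*:300403124:'

# Constructed from the two-member transcript; the expiry value used with it
# (1469797865) is an assumption, the report does not show it.
TWO_MEMBERS='1469797860 enumgr2.test:*:300403124:enumtest2.test,enumtest.test
1469797872 enumgr2.test:*:300403124:enumtest2.test'

if printf '%s\n' "$SINGLE_MEMBER" | stale_member 1469796251 enumtest.test; then
    echo "enumtest.test still listed after cache expiry"
fi
```

The exact comparison on member names matters here: a substring match would report `enumtest.test` as present whenever `enumtest2.test` is.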

Comment 2 Thorsten Scherf 2016-07-29 13:29:13 UTC
This might be related to this upstream bug:

https://fedorahosted.org/sssd/ticket/2940

Comment 9 Jakub Hrozek 2016-12-02 10:48:28 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2940

Comment 12 shridhar 2017-05-26 06:55:17 UTC
verified with
-r7-permanent ~]# rpm -q sssd
sssd-1.15.2-33.el7.x86_64


[root@shr-r7-permanent ~]# adcli create-group gr2 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0'
[root@shr-r7-permanent ~]# adcli create-user  adu1 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0'

[root@shr-r7-permanent ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group gr2
Fri May 26 02:32:47 EDT 2017
gr2:*:616401130:

[root@shr-r7-permanent ~]# adcli add-member gr2 adu1 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0'
[root@shr-r7-permanent ~]# sleep 30
[root@shr-r7-permanent ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group gr2
Fri May 26 02:33:44 EDT 2017
gr2:*:616401130:adu1

[root@shr-r7-permanent ~]# adcli remove-member gr2 adu1 --domain=sssd16.qe --login-ccache='KEYRING:persistent:0:0'
[root@shr-r7-permanent ~]# sleep 30

[root@shr-r7-permanent ~]# date; SSS_NSS_USE_MEMCACHE=NO getent group gr2
Fri May 26 02:35:33 EDT 2017
gr2:*:616401130:

Comment 13 errata-xmlrpc 2017-08-01 08:58:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294