+++ This bug was initially created as a clone of Bug #649285 +++

Description of problem:
SSSD has a cleanup task that removes unreferenced groups from the cache in order to keep the cache size down. However, we were only checking for direct group memberships, and not for whether there were users who had this group as their primary group ID.

As a result, it is possible for SSSD to purge legitimate groups from the cache. This can cause issues with group-based access control permissions such as access.conf and sudoers.

Version-Release number of selected component (if applicable):
sssd-1.2.1-35.el5

How reproducible:
Consistently

Steps to Reproduce:
1. Create a new group on the LDAP server. Note its ID.
2. Create a new user on the LDAP server. Set its gidNumber attribute to match the ID of the group created earlier.
3. On the client, set ldap_purge_cache_timeout = 5 (this will reduce the time between cleanup tasks to five seconds, to illustrate the problem, normally it defaults to twelve hours). Restart the sssd and wait ten seconds (to ensure full startup is done)
4. On the client, run 'id username'. The user and group will be listed.
5. Sleep six seconds.
6. Run 'id username'. The user will be missing the group.
  
Actual results:
Groups that are only identified as a user's primary group are removed when the cache cleanup routine runs.

Expected results:
All groups referenced by cached users should be intact.

Additional info:
Upstream bug: https://fedorahosted.org/sssd/ticket/624
Patch is available.