LDAP won't update if cached data exists

Question

We have an SELinux client that authenticates network users using LDAP connecting to an Active Directory server. Since our machines have to operate "untethered," we have to use nscd to cache group and passwd info.

Here's the issue. If we change group information on the Active Directory server, then log in on the client, if a cache exists for that user, LDAP seems to ignore the server and only use the cached data. The only way we've been able to get an update is to invalidate the passwd cache.

Significant portion of /etc/nsswitch.conf:

    passwd: file ldap cache
    group:  file ldap cache
    shadow: file ldap cache

Thanks.

Update: Figured out running strace getent passwd that nscd cache gets checked before /etc/nsswitch.conf gets read, so the configuration of nss doesn't matter.

Update 2: Playing with nss_updatedb today to see if it will work. So far no joy, although this howto looks like exactly what we need to do.

Answer 1

We finally resolved this by using nss_updatedb to cache the group and passwd databases locally. We then turned off nscd.

We added the pam_exec module to the pam.d listing and use it to run nss_updatedb before authentication to make sure the local cache is up to date.

Answer 2

If you don't want to cache results from active directory then you need to either turn off nscd or set its cache life time to a few minutes (edit /etc/nscd.conf). I believe the default time to live is 10 minutes for passwd and and hour for group.

Answer 3

You can easily flush nscd cache with following commands:

sudo nscd -i passwd
sudo nscd -i group

After flushing nscd cache with given commands you would see changed LDAP data.

For more details see: http://sysadmin-notepad.blogspot.rs/2013/05/how-to-flush-nscd-cache-in-linux.html