I have some Red Hat 8 servers which authenticate/authorize users via Active Directory, using realmd and sssd (with simple_allow_groups to determine who can log into the servers).
However, the necessary AD security group that we must be a member of to log in is granted with 2FA. So a user is not a member of the necessary AD security group until it has been activated with 2FA.
So, in the morning, if a user tries to log in before activating the 2FA (or so quickly that the new groups have not had time to take effect yet), then sssd will cache the "outdated" security groups, even though the user is not allowed to log in, and they either have to wait for 1+ hours for it to expire, or have someone manually refresh it with sss_cache -u <user>.
People come to work at all times of the day, so we don't really want to set up a crontab to expire the cache for all users every few minutes if we don't have to; that would probably generate a lot of queries to AD that could have been cached.
Is there a more graceful way to get around this issue? Like an option to use cache to authenticate, but immediately recheck AD if authorization fails?
Reading the sssd manual, I'm finding lots of parameters that almost seem relevant, like entry_negative_timeout, entry_cache_timeout, offline_failed_login_attempts, but I haven't found anything that hits the mark yet.