
I'm testing a FreeIPA integration. One of the scenarios I'm trying is taking the server offline and running tests with the client, but I am facing an issue. I have logged in on the client with a newly created FreeIPA user, then I stopped the FreeIPA server and SSH-ed again to the client. So far so good.

But I can't find a way to delete the cached FreeIPA user. I tried sss_cache -E but it does not help. As far as I can tell, the account_cache_expiration setting in /etc/sssd/sssd.conf should delete the cached user after a given time, but it is 0 (unlimited time) by default.

I'm using a server with CentOS 7.4/FreeIPA 4.5.0 and a client with Linux Mint 18.3/SSSD 1.13.4.

PS: This question is about a similar issue but remains unanswered: sssd and ldap authentication cache

edin_tam

2 Answers

1

sss_cache doesn't delete the cache on purpose, because then you'd have no way of logging in to an offline client; the cached passwords are (so far) stored in the same cache as the rest of the data.

If you really want to remove the cache, one of the sssctl subcommands does that.

But selectively removing one entry is not possible. By the way, if you removed the user from the server, just requesting the user while the client is online should help.

jhrozek
0

You can't delete just one user from the cache.

If you want to completely clear the cache then it's necessary to delete the contents of:

/var/lib/sss/db

After that,

systemctl restart sssd

Be sure that you have network connectivity to your LDAP server or else no one will be able to log in.

Nasir Riley