We have an SELinux client that authenticates network users using LDAP connecting to an Active Directory server. Since our machines have to operate "untethered," we have to use nscd to cache group and passwd info.
Here's the issue. If we change group information on the Active Directory server, then log in on the client, if a cache exists for that user, LDAP seems to ignore the server and only use the cached data. The only way we've been able to get an update is to invalidate the passwd cache.
Significant portion of /etc/nsswitch.conf:
passwd: file ldap cache group: file ldap cache shadow: file ldap cache
Thanks.
Update: Figured out running strace getent passwd
that nscd cache gets checked before /etc/nsswitch.conf gets read, so the configuration of nss doesn't matter.
Update 2: Playing with nss_updatedb today to see if it will work. So far no joy, although this howto looks like exactly what we need to do.