-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/01/2011 03:36 PM, JR Aquino wrote: Setting the entry_cache_timeout to something small (e.g. 1 second) should work properly. If it does not, then there's likely a bug in our group processing that isn't removing the memberOf link. Please try setting this timeout and then provide logs of the /var/log/sssd/sssd_<DOMAIN>.log, ideally at debug_level = 9. SSSD cannot disable caching because it was designed around the concept of allowing offline authentication. All lookups are cached so that if the network connection becomes unavailable, the system can still function properly. As such, our internal operations are always performed against cached entries, with those timeouts being used to determine when we need to refresh the entries before using them. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/