Linux LDAP Group Membership Caching: Why getent group Shows Users But groups Command Doesn’t


When working with LDAP-integrated Linux systems, you might encounter a discrepancy between what getent group shows and what the groups command displays. This typically occurs when:

  • New LDAP groups are created
  • Group memberships are modified
  • Multiple users are added to existing groups

The behavior stems from how Linux systems handle LDAP lookups through nsswitch and the Name Service Cache Daemon (nscd). Your /etc/nsswitch.conf shows the standard LDAP integration:

# /etc/nsswitch.conf:
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Key components involved:

  1. getent: Directly queries the name service switch (including LDAP)
  2. groups: May use cached information through nscd

Linux systems implement several caching layers for performance:

# Check if nscd is running
systemctl status nscd

# Common cache locations
ls -l /var/cache/nscd/
ls -l /var/lib/sss/db/

To resolve the discrepancy, try these methods:

# Method 1: Restart nscd
sudo systemctl restart nscd

# Method 2: Clear specific caches
sudo nscd -i passwd
sudo nscd -i group

# Method 3: SSSD systems (if used)
sudo systemctl restart sssd
sudo sss_cache -E

Your current LDAP configuration appears correct:

# /etc/ldap/ldap.conf
URI     ldap://172.16.1.232
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt

# /etc/pam_ldap.conf
base dc=ourdomain,dc=ch
uri ldap://172.16.1.232/
ldap_version 3
rootbinddn cn=admin,dc=ourdomain,dc=ch
pam_password crypt

Use these to diagnose the issue:

# Check complete group membership
getent group | grep GROUPNAME

# Verify user's primary group
id username

# Test LDAP queries directly
ldapsearch -x -H ldap://172.16.1.232 -b "dc=ourdomain,dc=ch" "(cn=GROUPNAME)" memberUid

For production environments, consider:

  • Adjusting nscd cache timeout settings in /etc/nscd.conf
  • Implementing SSSD for more sophisticated caching control
  • Setting up proper cache invalidation triggers

Example nscd.conf modification:

# /etc/nscd.conf
enable-cache            group           yes
positive-time-to-live   group           300
negative-time-to-live   group           60
suggested-size          group           211
check-files             group           yes
persistent              group           yes
shared                  group           yes
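
The getent-versus-groups discrepancy described above can be checked mechanically. The following script is an added example, not part of the original page: it parses the output of `getent group` and of `groups USER`, reports the groups the directory knows about that the cached view lacks, and can be dropped into a cron job or monitoring check. The two sample outputs inside it are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original page): compare the directory's view
# of a user's groups (from `getent group`) with the cached/session view
# (from `groups USER`) and print the groups missing from the latter.
# The two sample outputs below are constructed, not captured from a real host.

SAMPLE_GETENT='users:x:100:
staff:x:1001:john.doe,jane.roe
marketing:x:5001:jane.roe,john.doe
sales:x:5002:jane.roe'
SAMPLE_GROUPS='john.doe : users staff'

# Group names whose member list (4th field of name:x:gid:m1,m2) contains $1.
groups_from_getent() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        NF >= 4 { n = split($4, m, ",");
                  for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }'
}

# Group names from the "user : g1 g2 ..." line that groups(1) prints.
groups_from_groups_cmd() {
    printf '%s\n' "$1" | sed 's/^[^:]*: *//' | tr ' ' '\n' | sed '/^$/d'
}

# Groups present in the directory view but absent from the groups(1) view,
# one per line, sorted. Empty output means the cached view is current.
missing_groups() {
    have=$(groups_from_groups_cmd "$3")
    groups_from_getent "$1" "$2" | awk -v have="$have" '
        BEGIN { n = split(have, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $0 != "" && !($0 in seen)' | sort
}

# Stand-alone run: reports "marketing" for the constructed sample, i.e. the
# directory holds a membership the cached view does not. On a real host,
# replace the samples with "$(getent group)" and "$(groups "$user")".
missing=$(missing_groups john.doe "$SAMPLE_GETENT" "$SAMPLE_GROUPS")
if [ -n "$missing" ]; then
    printf 'stale group view for john.doe, missing: %s\n' \
        "$(printf '%s' "$missing" | tr '\n' ' ')"
else
    echo "group views agree for john.doe"
fi
```

A non-empty result is the moment to run `nscd -i group` (or `sss_cache -E` on SSSD hosts) and re-check; if the gap persists after a flush, the membership is missing from the login session rather than from the cache.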

Recently encountered an interesting LDAP group synchronization issue where:

getent group marketing     # Shows all members including newly added ones
groups john.doe           # Doesn't show newly assigned groups

The discrepancy stems from how Linux's Name Service Switch (NSS) handles LDAP lookups differently between these commands:

  • getent: Directly queries all configured sources (files, LDAP) in sequence
  • groups: Relies on NSS caching through nscd (Name Service Cache Daemon)

First verify if nscd is running:

systemctl status nscd
ps aux | grep nscd

If active, check its configuration:

# /etc/nscd.conf typically contains:
enable-cache            group           yes
positive-time-to-live   group           3600

Option 1: Flush nscd cache

nscd --invalidate=group
# Or full restart
systemctl restart nscd

Option 2: Bypass cache temporarily

getent group | grep marketing

For OpenLDAP environments, consider these optimizations:

# /etc/nslcd.conf adjustment:
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2

The pam_ldap configuration may need tuning for group refresh:

# /etc/pam.d/common-session
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_unix.so
session optional pam_ldap.so

For production systems, I recommend:

  1. Reduce nscd cache TTL
  2. Implement periodic cache invalidation
  3. Consider SSSD as an alternative to nscd

# Sample crontab entry for cache refresh
*/15 * * * * /usr/sbin/nscd -i group

These commands help diagnose the issue:

ldapsearch -x -b "ou=groups,dc=example,dc=com" "(cn=marketing)"
getent -s ldap group marketing
strace -f groups john.doe