Comment 5 for bug 1039151

Stephen Gallagher (stephen-gallagherhome) wrote :

I understand your issue. Right now, your best bet is to operate with 'cache_credentials = False', which will at least deny access completely until SSSD has re-established connection to the LDAP and KDC servers. As I said above, we always operate in offline mode for a period of 1-2 minutes after failing to connect to the LDAP server.

Upon review of this bug, I agree that we should modify this behavior in the case where cache_credentials = False so that we will always bypass the offline timeout in the event of a PAM conversation request. I've opened the upstream ticket https://fedorahosted.org/sssd/ticket/1493 to track this.

Thanks for the bug report!