If the cache is invalid, SSSD will, obviously, go back to the source and return the information there. However, bizarrely, if the original source doesn't have the information (like when a user is deleted), the cached information is still returned. That cached information is retained forever, it seems, so my supposedly deleted user accounts still appear to be active on the machines.
OK. The underlying problem wasn't specifically the cache. But it appears that an update to SSSD/LDAP has introduced the "feature" of not believing self-signed certificates, even if the CA for those certificates is in place on the host. It used to work, but now doesn't.
The consequence of this is that the connection to the LDAP server fails and it falls back to the cache contents, even if the cache is marked invalid.
Setting "ldap_tls_reqcert = never" in sssd.conf fixed it - it still encrypts, but the certificate isn't checked.
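As an added example (not the configuration from this post), here is an sssd.conf domain fragment showing the "never" setting beside the alternative that keeps certificate verification on by trusting the site's own CA (or the self-signed server certificate itself, in PEM form) explicitly. The domain name, server hostname and CA file path are assumed placeholders.

```ini
# Added example sssd.conf fragment, not the original post's configuration.
# Assumed placeholders: domain "example", server ldap.example.org,
# CA bundle /etc/pki/tls/certs/ldap-ca.crt.
[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.org

# Weak: the workaround from the post. The session is still encrypted,
# but the server certificate is never verified, so any host that can
# intercept traffic to the LDAP server can impersonate it and feed SSSD
# whatever account data it likes.
#ldap_tls_reqcert = never

# Hardened: trust the private CA (or the self-signed server certificate)
# directly and require a valid certificate. "demand" makes SSSD refuse
# the connection when the certificate is missing or does not verify;
# "hard" behaves the same and is the documented default.
ldap_tls_cacert = /etc/pki/tls/certs/ldap-ca.crt
ldap_tls_reqcert = demand
```

With `demand` the hostname in `ldap_uri` must match the certificate's subject alternative name, so a self-signed certificate made with only a bare common name will still be rejected. The chain can be checked outside SSSD with `openssl s_client -connect ldap.example.org:636 -CAfile /etc/pki/tls/certs/ldap-ca.crt`, which should report `Verify return code: 0 (ok)`. After changing the configuration, `sss_cache -E` invalidates the existing cache entries, which is also the tool for flushing accounts that have since been deleted from the directory.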
This is not a cue for a diatribe about how self-signed certificates are bad and how easy it is to get a real SSL certificate. There are reasons. It's just annoying that something that used to work, and was a perfectly correct thing to do, has now been broken.
P.