When a user logs into a host via SSH and a password to authenticate, the samlogon cache is populated or updated for that user, to contain fresh group membership data. When he later logs on with SSH and Kerberos to authenticate, an existing samlogon cache entry for him is used but not updated, so stale group membership data may be taken. As the samlogon cache does not expire, group membership data could be very old depending on user login behavior. Other login mechanisms might produce the same behavior.