Todd,
I confess I don't completely understand your solution. I get that
configuration management tools use the passwordlastset attribute with a
value that's greater than XX days to cull objects. My Windows server
engineering counterparts have a scheduled job that deletes all machine
accounts
As a follow-on to that, to keep themselves clear of debris, configuration
management tools use the passwordlastset attribute with a value that's greater
than XX days to cull objects as well. We had similar issues when we first
implemented SSSD several years ago too. We ultimately decided to
Sumit and Gordon,
You have given me much to think on and digest. Thanks.
Gordon, we religiously patch monthly. Except for sssd in July, where a new
update sssd*-2.4.0-9.0.1.el8_4.1.x86_64 broke our env and we had to roll
back the update to the previous version sssd*-2.4.0-9.0.1.el8.x86_64. (We