The primary reason we disabled tokenGroups is because our sssd logs were filling up with 'Unable to resolve SID S-1-5-21-XXX-XXX-XXX-XXX - will try next sid.' entries. We found a work-around from this doc: https://pagure.io/SSSD/sssd/issue/2914

In our environment not all of our AD groups are POSIX enabled, so I think that's why we see a lot of those log entries. I just tested enabling tokenGroups and that seems to have solved the issue. I'm seeing the LDAP query (port 389) going to a domain controller from the same domain as the user.

Is enabling tokenGroups the recommended configuration when using the AD provider? The one thing I read is that querying for tokenGroups is an expensive operation on the domain controllers and care should be taken when scaling this to larger environments. https://learn.microsoft.com/en-us/windows/win32/adschema/a-tokengroups

Any insight into this? Is SSSD more efficient with tokenGroups enabled versus not?

-Jeff

sssd-users mailing list -- [email protected]
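An added example, not part of Jeff's post or of the SSSD project, for sizing the problem he describes before flipping `ldap_use_tokengroups`: it counts how many distinct SIDs SSSD failed to map (each one is typically a group with no POSIX attributes) and shows whether the option is set at all in the domain section. The log lines and the sssd.conf fragment below are constructed to resemble real output; the debug function name in them is an assumption, and the real log is normally `/var/log/sssd/sssd_<domain>.log`.

```shell
#!/bin/sh
# Triage helper for "Unable to resolve SID ... - will try next sid." noise.
# Everything under SAMPLE_* is constructed test data, not captured from a live host.

SAMPLE_LOG=$(mktemp)
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT

# Constructed log excerpt: two distinct unresolvable SIDs, one of them twice,
# plus an unrelated line that must not be counted.
cat >"$SAMPLE_LOG" <<'EOF'
(2024-01-10 10:01:02): [be[example.com]] [sdap_ad_tokengroups_get_posix_members] (0x0040): Unable to resolve SID S-1-5-21-1111111111-2222222222-3333333333-1105 - will try next sid.
(2024-01-10 10:01:02): [be[example.com]] [sdap_ad_tokengroups_get_posix_members] (0x0040): Unable to resolve SID S-1-5-21-1111111111-2222222222-3333333333-1106 - will try next sid.
(2024-01-10 10:01:03): [be[example.com]] [sdap_ad_tokengroups_get_posix_members] (0x0040): Unable to resolve SID S-1-5-21-1111111111-2222222222-3333333333-1105 - will try next sid.
(2024-01-10 10:01:05): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=group)][DC=example,DC=com].
EOF

# Constructed sssd.conf domain section with the option set explicitly.
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
domains = example.com

[domain/example.com]
id_provider = ad
ldap_use_tokengroups = True
EOF

# unresolved_sid_count LOGFILE -> number of "Unable to resolve SID" lines
unresolved_sid_count() {
    grep -c 'Unable to resolve SID' "$1"
}

# unresolved_sid_unique LOGFILE -> number of distinct SIDs that failed to resolve
unresolved_sid_unique() {
    grep -o 'Unable to resolve SID S-1-5-21-[0-9-]*' "$1" \
        | awk '{print $NF}' | sort -u | wc -l | tr -d ' '
}

# unresolved_sid_report LOGFILE -> "<count> <SID>" per SID, most frequent first
unresolved_sid_report() {
    grep -o 'Unable to resolve SID S-1-5-21-[0-9-]*' "$1" \
        | awk '{print $NF}' | sort | uniq -c | sort -rn
}

# tokengroups_setting CONF -> value of ldap_use_tokengroups, or "unset"
# (when unset, SSSD falls back to its own default for the provider in use)
tokengroups_setting() {
    val=$(sed -n 's/^[[:space:]]*ldap_use_tokengroups[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'unset\n'
}

echo "warnings:      $(unresolved_sid_count "$SAMPLE_LOG")"
echo "distinct SIDs: $(unresolved_sid_unique "$SAMPLE_LOG")"
echo "tokengroups:   $(tokengroups_setting "$SAMPLE_CONF")"
unresolved_sid_report "$SAMPLE_LOG"
```

Run it against the real log and sssd.conf by swapping the two `SAMPLE_*` paths. A small number of distinct SIDs that repeat often usually points at a handful of non-POSIX groups worth either POSIX-enabling or ignoring, which is a more targeted fix than changing how group membership is fetched.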
