Thanks for the reply, Spike. We will do some performance tests in our AD environment for this.
There are situations where tokenGroups should be disabled to get consistent results, like changing the search base for groups.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/changing-the-ldap-search-base-for-users-and-groups-in-a-trusted-ad-domain

In this scenario, with tokenGroups disabled, we would still hit the same issue in my original post. To me this seems to be a bug in sssd; it can't rely just on the GC to get back a complete list of groups a user is a member of, because you'll be missing other group scopes like Global and Domain Local. Am I thinking about this wrong?

-Jeff
