Yes, we rely on sssd's site-awareness, no hard-coding. I don't believe we have any misconfiguration in AD Sites and Services. For example, we have a site named SiteA, and within this site we have a DC from the forest root and a DC from the child domain.

SiteA
    Root-DC1 (contoso.com)
    Corp-DC1 (corp.contoso.com)

Both Root-DC1 and Corp-DC1 are GCs in the same forest. I don't see anything wrong with having GCs from multiple domains in the same site; in fact, I think this would be more efficient for clients when they need to communicate with forest root DCs. When sssd does the discovery, both Root-DC1 and Corp-DC1 will be returned in the list of available GCs, so there could be a chance sssd uses Root-DC1 for the GC queries, and when that happens Global secondary groups will be missing.

We have workarounds for this issue in our environment, like using TokenGroups, but I just wanted to see if we think this is a bug; if so, it should be fixed in future releases.

-Jeff
