sssd personnel,

In RHEL7, sssd was auto-discovering AD domains that trusted this domain, but that this domain did not trust. I.e., it was over-discovering AD domains.
For a large company, you'll have one or more prod AD domains that all trust each other. Then you'll likely have an engineering and possibly a test AD domain. These engineering and test domains would trust the prod domain(s), but the prod domain(s) wouldn't trust these engineering/test domains (nor should they). So if sssd were AD-integrated to one of the prod domains, it should auto-discover the prod domains only. It's true that, buried deep in AD's data structures, there is a trust relationship with the test domain and the engineering domain. But it's a trust going the wrong way.

Sumit fixed this for RHEL7; it seems the fix was first pushed out in sssd-1.16.5-10.el7_9.11. RHEL7 seems to still be fixed as of today. At least on RHEL8 and RHEL9, it seems to have reverted.

There is a work-around. In the /etc/sssd/sssd.conf file, you can add:

    [domain/prod1.company.com]
    ....
    ad_enabled_domains = prod1.company.com, prod2.company.com, prod3.company.com

So while all these extraneous auto-discovered AD domains still show in 'sssctl domain-list', they no longer cause problems.

Spike
--
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
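The following is an added example, not part of Spike's post or of the sssd project: a small audit that reads an sssd.conf, works out which AD domains sssd will actually enable for each [domain/...] section, and compares that with the domains that 'sssctl domain-list' reports, so you can see which over-discovered trusts the work-around switches off. It assumes sssd.conf parses as an INI file (it does for the stock layout), that 'sssctl domain-list' prints one domain name per line, and, following the post's own example, that the joined domain is itself listed in ad_enabled_domains. The two config fragments and the domain-list output are constructed sample data for the hypothetical prod1/prod2/prod3/eng/test domains from the post.

```python
import configparser

# Constructed sssd.conf fragments (sample data, not a real host's config).
# The first is the stock layout where ad_enabled_domains is absent, so every
# discovered trusted domain is enabled. The second adds the work-around.
SSSD_CONF_DEFAULT = """\
[sssd]
domains = prod1.company.com
services = nss, pam

[domain/prod1.company.com]
id_provider = ad
access_provider = ad
"""

SSSD_CONF_WORKAROUND = """\
[sssd]
domains = prod1.company.com
services = nss, pam

[domain/prod1.company.com]
id_provider = ad
access_provider = ad
ad_enabled_domains = prod1.company.com, prod2.company.com, prod3.company.com
"""

# Constructed 'sssctl domain-list' output. Assumption: one domain per line.
# eng and test are the domains that trust prod1 but are not trusted back.
SSSCTL_DOMAIN_LIST = """\
prod1.company.com
prod2.company.com
prod3.company.com
eng.company.com
test.company.com
"""


def parse_enabled_domains(conf_text):
    """Map each joined domain (from its [domain/...] section) to the set of
    domains named in ad_enabled_domains, or None when the option is unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        joined = section[len("domain/"):].strip().lower()
        raw = cp.get(section, "ad_enabled_domains", fallback=None)
        if raw is None:
            result[joined] = None
        else:
            result[joined] = {d.strip().lower() for d in raw.split(",") if d.strip()}
    return result


def discovered_domains(domain_list_text):
    """Set of domains reported by 'sssctl domain-list' (one per line)."""
    return {ln.strip().lower() for ln in domain_list_text.splitlines() if ln.strip()}


def audit(conf_text, domain_list_text):
    """For each joined domain, report which discovered domains sssd will use
    ('active') and which the allow-list makes it ignore ('ignored')."""
    discovered = discovered_domains(domain_list_text)
    report = {}
    for joined, enabled in parse_enabled_domains(conf_text).items():
        if enabled is None:
            # Stock behaviour: every discovered domain is enabled.
            report[joined] = {
                "mode": "all-discovered",
                "active": sorted(discovered),
                "ignored": [],
                "self_listed": True,
            }
        else:
            report[joined] = {
                "mode": "allow-list",
                "active": sorted(discovered & enabled),
                "ignored": sorted(discovered - enabled),
                # The post's example lists the joined domain itself; flag it if not.
                "self_listed": joined in enabled,
            }
    return report


if __name__ == "__main__":
    for label, conf in (("default", SSSD_CONF_DEFAULT), ("workaround", SSSD_CONF_WORKAROUND)):
        for joined, r in audit(conf, SSSCTL_DOMAIN_LIST).items():
            print(f"[{label}] {joined}: mode={r['mode']} active={r['active']} "
                  f"ignored={r['ignored']} self_listed={r['self_listed']}")
```

On a real host, replace the two constructed strings with the contents of /etc/sssd/sssd.conf (root-only; it can hold credentials, so do not copy it around) and the captured output of 'sssctl domain-list'. Any domain that ends up in "ignored" is one the allow-list has switched off; a domain you expected to be active but that is absent from "active" was either never discovered or missing from ad_enabled_domains.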
