Howdy,
We are having intermittent login issues with our SSSD/IPA clients using Identity Manager in a read-only cross-forest trust configuration.
The SSSD/IPA servers themselves don't seem to be having this issue, just the SSSD/IPA clients using the IDM/IPA servers as their identity provider.
In addition, the problem only affects AD accounts, not native IDM accounts.
The issue manifests itself as either failed logins or the 'id' command returning user unknown.
All of our IDM servers are RHEL 8. Clients are various mixes of RHEL 7 and RHEL 8, all exhibiting the same issue.
We have a P2 open with Red Hat, and it feels like they are having a problem pinpointing the issue.
Red Hat support seems to be indicating our AD environment is to blame, at least partially, as most our of AD groups don't have GIDs. We have 80K + users in our AD (not all of them assigned a Unix UID in AD as most of them have no need to log in to Unix). However, the users that are logging in via SSSD obviously have UIDs and many groups attached to them, most of which may not have Possix GIDs as many of those groups will never need to touch Unix. (ie, email groups, Windows only access groups, etc, etc, etc)
Red Hat seems to indicate this is a highly unusual configuration for AD, where not all groups have Possix GIDs assigned.
I'm curious to know if those who have large AD environments like this with a mix of Unix and non-Unix uses, truly assign a Possix GID to each and every group, even if that group will never be utilized by Unix.
Also curious to know if anyone else is experiencing intermittent loging problems like this, and if you were able to solve it, and how?
Thank you...