Hello
We have made the recommended changes by updating
ignore_group_members = True
subdomain_inherit = ignore_group members
in the [domain/...] section on IPA servers and clients
and updated
refresh_expired_interval = 4000
Unfortunately we are still unable to log in to IPA clients using AD user accounts.
Sanitized logs from the freeipa client are available here
https://privatebin.net/?92fe7e1e98968463#BVdn5hR2L5gkt3ryfvvzygWDhs2DsAYk...
I see frequent entries indicating SSSD is offline, however when I view the status it
appears to be online.
Heidi