Hi,I am trying to setup an authentication against Active Directory, with multiple domains, and I haven't been able to find the recommended way to do it (it is very possible I missed it...), so I am looking for explanation and advice.With a master domain example.com, and subdomains sub1.example.com, sub2.example.com, etc, how would you setup sssd (and the linux system) to authenticate the users from all the domains ?To give te example, my user is ad admin across all the forests (my_user@example.com), and I want to authenticate on all the servers, smtp.example.com or proxy.sub1.example.com, etc. I also want on some computer to authenticate customer's account (my_customer@sub1.example.com). For now, I have 2 different setups :- on computers from example.com[sssd]config_file_version = 2debug_level =0domains = example.comservices = nss, pam[domain/example.com]enumerate = truedns_discovery_domain = cy2._sites.example.comdebug_level = 8id_provider = adaccess_provider = adldap_id_mapping = false#dyndns_update = false- on computer from sub1.example.com[sssd]config_file_version = 2debug_level =0domains = sub1.example.com,example.comservices = nss, pam[domain/example.com]enumerate = truedns_discovery_domain = cy2._sites.example.comdebug_level = 9id_provider = adaccess_provider = adldap_id_mapping = false[domain/sub1.example.com]enumerate = truedns_discovery_domain = cy2._sites.sub1.example.comdebug_level = 7id_provider = adaccess_provider = adldap_id_mapping = falseI join computer to example.com or to sub1.example.com:oras I would do with an ordinary windows workstation.And for AD, I use the posix attributes (and that may be the way...) so if a UID or GID exists in both domains, I happen to find wrong group names, etc.I hope my questions are clear enough ! :-) What am I doing wrong ? What are the recommended settings for that situation ?Thanks,Jeremy