I want to get some links to the relevant bugs into this old thread for the benefit of anyone finding this thread in the archives...
Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment.
I would say here polkit could be improved in addition to sssd. If polkit is calling getgr* to find out if a user is a member of a certain group, it's neither going to be precise nor is it going to work in large environments.
Did you ask on a polkit list why it's evaluating membership in a group with getgr*?
I think Polkit does this so that it can provide the authentication agent with a list of users for the user to choose from.
There's this on sssd-devel: https://lists.freedesktop.org/archives/polkit-devel/2016-November/000514.htm... and this in Red Hat's Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1214026
And there's this Polkit issue: https://gitlab.freedesktop.org/polkit/polkit/-/issues/24
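To make the getgr* point above concrete, here is an added example that is not code from this thread, from sssd or from polkit. It contrasts the two ways a caller can answer "is user X in group G": enumerating the group's member list (what getgrnam()/getgrgid() give you via gr_mem) versus resolving the user's own group set (what getgrouplist(3)/initgroups(3) give you, and what sssd can still answer when ignore_group_members = True). The passwd/group tables are constructed sample data standing in for NSS; the `live_is_member` helper at the bottom runs the user-centred check against the real system databases and is the only part that touches them.

```python
"""Constructed comparison of getgr*-style vs getgrouplist-style membership checks."""
from typing import Dict, List, Tuple

# Constructed stand-in for the passwd database plus what initgroups() would return:
#   name -> (uid, primary gid, supplementary gids)
PASSWD: Dict[str, Tuple[int, int, List[int]]] = {
    "alice": (1001, 2000, []),      # primary group IS "admins"; never listed in gr_mem
    "bob":   (1002, 100, [2000]),   # primary "users", supplementary member of "admins"
    "carol": (1003, 100, []),       # "users" only
}

# Constructed stand-in for the group database: name -> (gid, gr_mem).
# As in /etc/group, gr_mem lists only supplementary members; users whose primary
# GID is this group do not appear, which is the precision problem.
GROUP: Dict[str, Tuple[int, List[str]]] = {
    "users":  (100, ["carol", "bob"]),
    # A large directory-style group: 5000 service accounts plus bob.
    "admins": (2000, ["bob"] + [f"svc{i}" for i in range(5000)]),
}


class LookupCounter:
    """Counts directory records a strategy has to pull, to make the cost visible."""

    def __init__(self) -> None:
        self.records = 0


def is_member_by_enumeration(user: str, group: str, counter: LookupCounter) -> bool:
    """getgr*-style check: fetch the whole group entry and scan gr_mem.

    Cost grows with the size of the group (every member record is resolved),
    and a user whose *primary* group is `group` is reported as not a member.
    """
    _gid, members = GROUP[group]
    counter.records += len(members)
    return user in members


def is_member_by_user_groups(user: str, group: str, counter: LookupCounter) -> bool:
    """getgrouplist-style check: resolve this one user's GIDs, then compare.

    Cost is one lookup for the user regardless of how big the group is, and the
    primary GID is included, so the answer is precise.
    """
    _uid, primary_gid, supplementary = PASSWD[user]
    counter.records += 1
    target_gid = GROUP[group][0]
    return target_gid == primary_gid or target_gid in supplementary


def compare(user: str, group: str) -> Dict[str, object]:
    """Run both strategies for one (user, group) pair and report answer and cost."""
    enum_counter, user_counter = LookupCounter(), LookupCounter()
    return {
        "enumeration_says_member": is_member_by_enumeration(user, group, enum_counter),
        "enumeration_records": enum_counter.records,
        "usergroups_says_member": is_member_by_user_groups(user, group, user_counter),
        "usergroups_records": user_counter.records,
    }


def live_is_member(user: str, group: str) -> bool:
    """The user-centred check against the real NSS databases (Linux/Unix only).

    This is the form a policy check should take: it does not need the group's
    member list at all, so it keeps working with ignore_group_members = True.
    """
    import grp
    import os
    import pwd

    pw = pwd.getpwnam(user)
    target_gid = grp.getgrnam(group).gr_gid
    return target_gid in os.getgrouplist(pw.pw_name, pw.pw_gid)


if __name__ == "__main__":
    for name in PASSWD:
        print(name, compare(name, "admins"))
```

Running the block shows the two failure modes the thread describes: for `alice` the enumeration strategy answers "not a member" although `admins` is her primary group, and every enumeration call resolves all 5001 member records, whereas the user-centred check touches one record and gets the right answer for all three users.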