All, This new sssd version for RHEL7 (sssd-1.16.5-10.el7_9.11) fixes a bug we’ve seen in sssd. This bug: https://bugzilla.redhat.com/show_bug.cgi?id=1984591 . (Thanks, Sumit!) We’ve verified this bugfix – that it only auto-discovers the expected domains now, not the extra domains that it shouldn’t discover. So how best to roll out this new bugfixed sssd version? (We do “no downtime” OS patching + kernel splicing monthly, so we try to be gentle in our monthly patching.) Right now, the following domains have been auto-discovered: [root@spikeol73canbo yum.repos.d]# sssctl domain-list amer.company.com company.com emea.company.com apac.company.com japn.company.com EMEAICMD.geodll.company.com geocompany.company.com EMEAICM.GEOCOMPANY.COMPANY.COM alienware.com corp.svcs perotsystems.net companyservices.dmz Beer.Town production.online.company.com jp-poclab.companypoc.com emea-poclab.companypoc.com oldev.preol.company.com olqa.preol.company.com ap-poclab.companypoc.com [root@spikeol73canbo yum.repos.d]# Only the top 5 AD domains are good domains that should be discovered. When I yum upgrade to this new good sssd version all the above domains are still cached. Even if I do ‘sssctl cache-expire -E’, these cached bogus domains still are not cleaned up. If I aggressively clear the sssd cache as so: systemctl stop sssd cd /var/lib/sss rm -rf db/* rm -f /mc/* systemctl start sssd that clears the cache. But that’s pretty invasive to push out as part of monthly patching. 1. Is there a kinder, gentler way to expire these bogus cached AD domains? Along the lines of sssctl cache-expire -E or sssctl cache-expire -d <bogus domain>? 2. If we let this new sssd version sit for 1-2 days, will these bogus auto-discovered AD domains auto-expire from cache on their own? Spike