Using the SSSD (v1.13.4-34.7.1) joined to a child domain, the modified "ldap_idmap_helper_table_size" directive value in the host sssd.conf is set at the parent domain instead of the child domain, which remains at the default of 10 (the child domain is a not a domain tree). Forest: dvc.darkvixen.com Parent domain: dvc.darkvixen.com (parent non-decitated forest root domain) Child domain: lab.dvc.darkvixen.com My understanding is that no "subdomain_provider" directive is needed for this configuration, and the "subdomain_inherit" directive does not support the inheritance of the "ldap_idmap_helper_table_size" directive. The sanitized sssd.conf: [sssd] config_file_version = 2 services = nss,pam,pac domains = lab.dvc.darkvixen.com [nss] filter_users = root filter_groups = root [pam] [pac] [domain/lab.dvc.darkvixen.com] id_provider = ad access_provider = ad enumerate = false cache_credentials = true ldap_idmap_helper_table_size = 20 ad_site = DarkVixenCorp ad_hostname = darkvixen200.lab.dvc.darkvixen.com ad_access_filter = DOM:LAB.DVC.DARKVIXEN.COM: (memberOf=CN=DARKVIXEN200_G,OU=LDAP,OU=SVS,DC=lab,DC=dvc,DC=darkvixen,DC=com) From the domain log: [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20 [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-623326418-92578587-4020003380] as slice [8636] [sssd[be[lab.dvc.darkvixen.com]]] [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [dvc.darkvixen.com ][S-1-5-21-623326418-92578587-4020003380][8636] [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10 [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1157061662-2021606532-2751616909] as slice [4675] [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [ lab.dvc.darkvixen.com][S-1-5-21-1157061662-2021606532-2751616909][4675] From the relevant DC: ~# Get-ADForest ApplicationPartitions : {DC=DomainDnsZones,DC=lab,DC=dvc,DC=darkvixen,DC=com, DC=ForestDnsZones,DC=dvc,DC=darkvixen,DC=com, DC=DomainDnsZones,DC=dvc,DC=darkvixen,DC=com} CrossForestReferences : {} DomainNamingMaster : DARKVIXEN161WIN.dvc.darkvixen.com Domains : {dvc.darkvixen.com, lab.dvc.darkvixen.com} ForestMode : Windows2012R2Forest GlobalCatalogs : {DARKVIXEN161WIN.dvc.darkvixen.com, DARKVIXEN164WIN.lab.dvc.darkvixen.com} Name : dvc.darkvixen.com PartitionsContainer : CN=Partitions,CN=Configuration,DC=dvc,DC=darkvixen,DC=com RootDomain : dvc.darkvixen.com SchemaMaster : DARKVIXEN161WIN.dvc.darkvixen.com Sites : {DarkVixenCorp} SPNSuffixes : {} UPNSuffixes : {} Is this a bug fixed with later daemons or is there additional configuration required ? Many thanks, -- lawrence