You are correct, debugging was only specified in the [domain/...] section. I have enabled it for nss and gathered logs again. The client and server times are indeed in sync.
I initiated my login attempt at approximately 10:16:30. At approximately 10:17:10 I was presented with a prompt to enter my password. After entering my password I was again presented with a password prompt. After entering multiple times with no success I waited and eventually the connection attempt timed out.
Server Logs for this attempt https://privatebin.net/?74adb14729c459fc#EhqWm6x2LVgfnL7iAmLZDFh3TtXpwgsH9wj... Client Logs for this attempt https://privatebin.net/?1d3532466812bef2#C6ECF2RnRMEXVi7HGLd8iYvhoSmEw2uRs88...
It seems like a considerable amount of time is spent searching the AD groups a user is a member of. For testing purposes, an AD account was created that is not a member of any groups. This user was able to successfully log in. What additional steps should be taken to account for ADs where users are members of many groups? To add to the complexity, many of these groups are nested.
I've reviewed this document (https://access.redhat.com/articles/2133801) and spent time adjusting parameters with little success.
The sssd.conf on both client and server include the following in the [domain/...] section:
    subdomain_inherit = ignore_group_members
    ignore_group_members = True
Should these be placed somewhere else instead? Are there other options that should be set to account for large numbers of nested AD groups?
Thank you Heidi
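Added example, not part of the thread above: a small checker that parses an sssd.conf and reports, per [domain/...] section, whether ignore_group_members is set and whether subdomain_inherit propagates it, and flags copies of those options that sit in a non-domain section such as [nss] or [sssd]. It assumes (from the sssd.conf man pages) that both options are per-domain options; the sample configuration and domain names are constructed.

```python
"""Check where SSSD group-lookup tuning options live in an sssd.conf.

Added example, not from the original thread. Assumes (per the sssd.conf
man pages) that ignore_group_members and subdomain_inherit are per-domain
options, i.e. they belong in a [domain/NAME] section and are not picked up
when placed under [sssd] or [nss]. The sample configuration is constructed.
"""
import configparser

DOMAIN_OPTIONS = ("ignore_group_members", "subdomain_inherit")

# Constructed sample: one domain has both options in the right place, a
# second domain has neither, and a stray copy sits under [nss].
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = example.test, other.test

[nss]
debug_level = 9
ignore_group_members = True

[domain/example.test]
id_provider = ad
subdomain_inherit = ignore_group_members
ignore_group_members = True

[domain/other.test]
id_provider = ad
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style, so the standard library parser is enough."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_group_options(text):
    """Return (per_domain, misplaced).

    per_domain maps each domain name to {option: value or None};
    misplaced lists (section, option) pairs found outside [domain/...].
    """
    cp = parse_sssd_conf(text)
    per_domain = {}
    misplaced = []
    for section in cp.sections():
        if section.startswith("domain/"):
            name = section[len("domain/"):]
            per_domain[name] = {
                opt: cp.get(section, opt, fallback=None) for opt in DOMAIN_OPTIONS
            }
        else:
            for opt in DOMAIN_OPTIONS:
                if cp.has_option(section, opt):
                    misplaced.append((section, opt))
    return per_domain, misplaced


def inherits_ignore_group_members(domain_opts):
    """True when subdomain_inherit lists ignore_group_members, so lookups
    against trusted (sub)domains use the same setting as the parent."""
    inherit = domain_opts.get("subdomain_inherit") or ""
    return "ignore_group_members" in inherit.split()


def report(text):
    """Human-readable summary; returns the lines so they can be inspected."""
    per_domain, misplaced = check_group_options(text)
    lines = []
    for name, opts in per_domain.items():
        lines.append(
            f"[domain/{name}] ignore_group_members={opts['ignore_group_members']} "
            f"inherited_to_subdomains={inherits_ignore_group_members(opts)}"
        )
    for section, opt in misplaced:
        lines.append(f"WARNING: {opt} set in [{section}] has no effect there")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONF):
        print(line)
```

Run it against a real /etc/sssd/sssd.conf by reading the file into `report()`; a domain line showing `ignore_group_members=None` or a WARNING line points at an option that is missing from, or misplaced relative to, the [domain/...] section.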