sssd personnel,
In RHEL7, sssd was auto-discovering AD domains that trusted this domain, but that this domain did not trust, i.e., it was over-discovering AD domains.
For a large company, you'll have one or more prod AD domains that all trust each other.
Then you'll likely have an engineering and possibly a test AD domain. These engineering and test domains would trust the prod domain(s), but the prod domain(s) wouldn't trust these engineering/test domains (nor should they).
So if sssd were AD-integrated to one of the prod domains, it should auto-discover the prod domains only. It's true that buried deep in AD's data structures, there is a trust relationship with the test domain and the engineering domain. But it's a trust going the wrong way.
Sumit fixed this for RHEL7; it seems the fix was first pushed out in sssd-1.16.5-10.el7_9.11. RHEL7 seems to still be fixed as of today.
At least on RHEL8 and RHEL9, it seems to have reverted.
There is a work-around. In the /etc/sssd/sssd.conf file, you can add:

[domain/prod1.company.com]
....
ad_enabled_domains = prod1.company.com, prod2.company.com, prod3.company.com
So while all these extraneous auto-discovered AD domains still show in 'sssctl domain-list', they no longer cause problems.
Spike
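
An added example, not part of the original message and not sssd code: a small audit that reads sssd.conf, finds AD domain sections, and reports which names from 'sssctl domain-list' fall outside ad_enabled_domains. The sample config, the eng/test domain names, and the one-name-per-line domain-list format are constructed assumptions.

```python
import configparser

# Constructed sample input; on a host, read /etc/sssd/sssd.conf and the
# output of 'sssctl domain-list' instead (assumed: one domain name per line).
SAMPLE_CONF = """\
[sssd]
domains = prod1.company.com

[domain/prod1.company.com]
id_provider = ad
ad_enabled_domains = prod1.company.com, prod2.company.com, prod3.company.com
"""
SAMPLE_DOMAIN_LIST = """\
prod1.company.com
prod2.company.com
prod3.company.com
eng.company.com
test.company.com
"""

def enabled_domains(conf_text):
    """Map each AD-joined domain to its allowlist, or None if unrestricted."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip().lower() != "ad":
            continue
        joined = section[len("domain/"):].lower()
        raw = cp.get(section, "ad_enabled_domains", fallback="")
        names = {n.strip().lower() for n in raw.split(",") if n.strip()}
        # Assumption: the joined domain itself always counts as enabled.
        result[joined] = (names | {joined}) if names else None
    return result

def audit(conf_text, domain_list_text):
    """Per joined domain: is discovery restricted, and which names need review."""
    listed = [l.strip().lower() for l in domain_list_text.splitlines() if l.strip()]
    report = {}
    for joined, allowed in enabled_domains(conf_text).items():
        keep = allowed if allowed is not None else {joined}
        report[joined] = {"restricted": allowed is not None,
                          "to_review": [d for d in listed if d not in keep]}
    return report

if __name__ == "__main__":
    for dom, info in audit(SAMPLE_CONF, SAMPLE_DOMAIN_LIST).items():
        print(dom, info)
```

A section reported with restricted False has no ad_enabled_domains line, so every other listed domain is shown for review.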