On Mon, Aug 26, 2019 at 04:25:38PM -0000, Jamal Mahmoud wrote:
> I've managed to catch the error again with my own machine so this time I've had
> time to properly capture the issue. I've been looking into the logs and what seems to
> be happening is that we have multiple AD domains active. I want to know if this is heard
> of: our local AD domain and a trusted forest are being used as active domains in LDAP
> searches. Our local AD responds to a be request from sssd_be and fills the correct group
> into the nss cache, then it gets a response from the trusted domain and the group
> doesn't exist, so it overwrites the cache with "no such group". I think the intermittent
> issue occurs because sometimes LDAP will query the remote forest and other times the
> local. Please advise on whether this is plausible or not.
It would be nice to see some log snippet to see the behaviour exactly,
but in general, requests towards the trusted back ends should be
sequential. The only similar pattern might be where sssd first checks,
with the help of the global catalog, which domain the group resides in
and then queries that domain's LDAP port.
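To make the two behaviours discussed in this thread concrete, here is an added illustration (not sssd code, and not from either poster) of the cache-overwrite hypothesis versus the sequential lookup described in the reply. The domain names and group data are constructed for the example.

```python
# Constructed example: contrast a lookup that lets every domain's answer
# overwrite the cache (the hypothesised bug) with one that queries the
# domains sequentially and stops at the first positive answer.
from typing import Dict, List, Optional

# Constructed directory contents: the group exists only in the local domain.
DOMAINS: Dict[str, Dict[str, int]] = {
    "local.example": {"devs": 1001},
    "trusted.example": {},
}


def lookup_overwrite(group: str, order: List[str]) -> Optional[int]:
    """Hypothesised bug: every domain's reply is written to the cache,
    so a later 'no such group' reply erases an earlier hit. The result
    then depends purely on which domain answers last."""
    cache: Dict[str, Optional[int]] = {}
    for dom in order:
        cache[group] = DOMAINS[dom].get(group)  # None means "no such group"
    return cache.get(group)


def lookup_sequential(group: str, order: List[str]) -> Optional[int]:
    """Expected pattern: query the domains one after another, cache the
    first positive answer and stop; a miss is cached only if no domain
    knows the group. The answer is the same regardless of order."""
    cache: Dict[str, Optional[int]] = {}
    for dom in order:
        gid = DOMAINS[dom].get(group)
        if gid is not None:
            cache[group] = gid
            return gid
    cache[group] = None
    return None


def demo() -> Dict[str, Optional[int]]:
    """Resolve the same group with the trusted forest answering last or first."""
    local_first = ["local.example", "trusted.example"]
    trusted_first = ["trusted.example", "local.example"]
    return {
        "overwrite, local answers first": lookup_overwrite("devs", local_first),
        "overwrite, trusted answers first": lookup_overwrite("devs", trusted_first),
        "sequential, local first": lookup_sequential("devs", local_first),
        "sequential, trusted first": lookup_sequential("devs", trusted_first),
    }


if __name__ == "__main__":
    for case, gid in demo().items():
        print(f"{case}: {gid}")
```

The overwrite variant returns the group only when the local domain happens to answer last, which is exactly the intermittent symptom reported above.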