Thanks for the reply, Spike. We will do some performance tests in our AD environment for
this.
There are situations where tokenGroups should be disabled to get consistent results, like
changing the search base for groups.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
In this scenario, with tokenGroups disabled, we would still hit the same issue in my
original post. To me this seems to be a bug in sssd; it can't rely just on the GC to
get back a complete list of groups a user is a member of because you'll be missing other
group scopes like Global and Domain Local. Am I thinking about this wrong?
-Jeff