The primary reason we disabled tokenGroups is because our sssd logs were filling up with
'Unable to resolve SID S-1-5-21-XXX-XXX-XXX-XXX - will try next sid.' entries. We
found a work-around from this doc.
https://pagure.io/SSSD/sssd/issue/2914
In our environment not all of our AD groups are POSIX enabled, so I think that's why
we see a lot of those log entries.
I just tested enabling tokenGroups and that seems to have solved the issue. I'm seeing
the LDAP query (port 389) going to a domain controller from the same domain as the user.
Is enabling tokenGroups the recommended configuration when using the AD provider? The one
thing I read is that querying for tokenGroups is an expensive operation on the domain
controllers and care should be taken when scaling this to larger environments.
https://learn.microsoft.com/en-us/windows/win32/adschema/a-tokengroups
Any insight into this? Is SSSD more efficient with tokenGroups enabled versus not?
-Jeff
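Added example, not from the post or from the SSSD project: a small Python triage script that counts the 'Unable to resolve SID ... - will try next sid.' entries in an sssd domain log per domain SID and per individual SID, so you can see which domain's (non-POSIX) groups are producing the noise before deciding on the tokenGroups setting. The log lines, the domain name and the SIDs are constructed; the bracketed function-name field is a placeholder, and the regex only relies on the message text.

```python
import re
from collections import Counter

# Constructed sample lines in sssd domain-log style (not from the original post).
SAMPLE_LOG = """\
(2024-05-01 10:00:01): [be[corp.example]] [tokengroups_lookup] (0x0040): Unable to resolve SID S-1-5-21-1111-2222-3333-1105 - will try next sid.
(2024-05-01 10:00:01): [be[corp.example]] [tokengroups_lookup] (0x0040): Unable to resolve SID S-1-5-21-1111-2222-3333-1106 - will try next sid.
(2024-05-01 10:00:02): [be[corp.example]] [tokengroups_lookup] (0x0040): Unable to resolve SID S-1-5-21-4444-5555-6666-2001 - will try next sid.
(2024-05-01 10:00:02): [be[corp.example]] [ldap_search] (0x0400): calling ldap_search_ext with [(sAMAccountName=jdoe)][DC=corp,DC=example].
(2024-05-01 10:05:00): [be[corp.example]] [tokengroups_lookup] (0x0040): Unable to resolve SID S-1-5-21-1111-2222-3333-1105 - will try next sid.
"""

# Domain SID prefix (S-1-5-21-<three sub-authorities>) and the group RID.
SID_RE = re.compile(
    r"Unable to resolve SID (?P<domain>S-1-5-21-\d+-\d+-\d+)-(?P<rid>\d+) - will try next sid"
)


def unresolved_sids(log_text):
    """Yield (domain_sid, rid) for every 'Unable to resolve SID' entry."""
    for line in log_text.splitlines():
        m = SID_RE.search(line)
        if m:
            yield m.group("domain"), int(m.group("rid"))


def summarize(log_text):
    """Count unresolved SIDs per domain prefix and per individual SID.

    Many hits under one domain prefix point at a domain whose groups are not
    POSIX-enabled (or whose DCs are unreachable); repeated hits on one SID show
    the same group failing on every lookup, i.e. noise rather than a transient error.
    """
    per_domain = Counter()
    per_sid = Counter()
    for domain, rid in unresolved_sids(log_text):
        per_domain[domain] += 1
        per_sid[f"{domain}-{rid}"] += 1
    return {
        "entries": sum(per_sid.values()),
        "distinct_sids": len(per_sid),
        "per_domain": dict(per_domain),
        "per_sid": dict(per_sid),
    }


if __name__ == "__main__":
    # Run against a real file with: summarize(open("/var/log/sssd/sssd_corp.example.log").read())
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```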