[SSSD-users] Re: missing secondary groups that have Global scope

The primary reason we disabled tokenGroups is because our sssd logs were filling up with 'Unable to resolve SID S-1-5-21-XXX-XXX-XXX-XXX - will try next sid.' entries. We found a work-around from this doc. https://pagure.io/SSSD/sssd/issue/2914 In our environment not all of our AD groups are POSIX enabled, so I think that's why we see a lot of those log entries. I just tested enabling tokenGroups and that seem to have solved the issue. I'm seeing the LDAP query (port 389) going to a domain controller from the same domain as the user. Is enabling tokenGroups the recommended configuration when using the AD provider? The one thing I read is querying for tokenGroups is an expensive operation on the domain controllers and care should be taken when scaling this to larger environments. https://learn.microsoft.com/en-us/windows/win32/adschema/a-tokengroups Any insight into this? Is SSSD more efficient with tokenGroups enabled versus not? -Jeff