sssd personnel,
In RHEL7, sssd was auto-discovering AD domains that trusted this domain,
but that this domain did not trust. I.e., it was over-discovering AD
domains.
For a large company, you'll have one or more prod AD domains that all
trust each other.
Then you'll likely have an engineering and possibly a test AD domain.
These engineering and test domains would trust the prod domain(s), but the
prod domain(s) wouldn't trust these engineering/test domains (nor should
they).
So if sssd were AD-integrated to one of the prod domains, it should
auto-discover the prod domains only. It's true that buried deep in AD's
data structures, there is a trust relationship with the test domain and the
engineering domain. But it's a trust going the wrong way.
Sumit fixed this for RHEL7; it seems the fix was first pushed out in
sssd-1.16.5-10.el7_9.11.
RHEL7 seems to still be fixed as of today.
At least on RHEL8 and RHEL9, it seems to have reverted.
There is a work-around. In the /etc/sssd/sssd.conf file, you can add:

[domain/prod1.company.com]
....
ad_enabled_domains = prod1.company.com, prod2.company.com, prod3.company.com

So while all these extraneous auto-discovered AD domains still show in
'sssctl domain-list', they no longer cause problems.
Spike
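An added check (not part of the post above, and not sssd's own code) that reads the ad_enabled_domains allow-list from an sssd.conf domain section and reports which auto-discovered domains fall outside it. The sssd.conf fragment and the 'sssctl domain-list' output are constructed samples that follow the post's prod/engineering/test layout.

```python
import configparser

# Constructed sssd.conf fragment carrying the work-around from the post.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = prod1.company.com
services = nss, pam

[domain/prod1.company.com]
id_provider = ad
ad_enabled_domains = prod1.company.com, prod2.company.com, prod3.company.com
"""

# Constructed 'sssctl domain-list' output (one domain per line): the prod
# domains plus the engineering/test domains whose trust points the wrong way.
SAMPLE_DOMAIN_LIST = """\
prod1.company.com
prod2.company.com
prod3.company.com
eng.company.com
test.company.com
"""


def enabled_domains(conf_text, domain="prod1.company.com"):
    """Return the ad_enabled_domains allow-list of one [domain/...] section,
    lower-cased, or an empty set when the option is not set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get(f"domain/{domain}", "ad_enabled_domains", fallback="")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def extraneous_domains(conf_text, domain_list_text, domain="prod1.company.com"):
    """List discovered domains that the allow-list does not cover. With no
    allow-list configured every discovered domain is in play, so all are
    returned; that is the RHEL8/9 over-discovery situation."""
    allowed = enabled_domains(conf_text, domain)
    discovered = [l.strip().lower() for l in domain_list_text.splitlines() if l.strip()]
    if not allowed:
        return discovered
    return [d for d in discovered if d not in allowed]


if __name__ == "__main__":
    # Hypothetical usage: print the domains that the allow-list keeps out of play.
    print(extraneous_domains(SAMPLE_SSSD_CONF, SAMPLE_DOMAIN_LIST))
```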