sssd personnel, When a Linux SE fat-fingers the domain name when doing a 'realm permit' or 'realm permit -g', it locks all permitted users and groups. Even worse, it's not usually obvious from looking at the 'simple_allow_users' and 'simple_allow_groups' lines which entry is the culprit. Here's an example: simple_allow_groups = amerlinuxsup(a)amer.company.com, amerlinuxeng(a)amer.company.com, emealinuxsup(a)emea.company.com, emealinuxeng(a)emea.company.com, apaclinuxsup(a)apac.company.com, apaclinuxeng(a)apac.company.com, gbllinuxsuppw(a)amer.company.com, pptsupportpac(a)amer.company.com, unv_legato_admins(a)amer.company.com, scheduling_global(a)amer.company.com, amerlinuxengtfssupt(a)amer.company.com, amerlnxsvcdelauttfs(a)apac.company.com, fnms_ops(a)amer.company.com, zabbix-support(a)amer.company.com, bladelogic_linux_users(a)amer.company.com, iasnprod(a)amer.company.com, unv_dba_login(a)amer.company.com, engit-ebpa(a)amer.company.com simple_allow_users = processehcprofiler(a)amer.company.com, svc_prdautovm(a)amer.company.com, processfoglight(a)amer.company.com, svc_prdprofoglight01(a)amer.company.com, service_ome_linux(a)amr.company.com, svc_prdesquadscounix(a)apac.company.com, admmmikolaj(a)amer.company.com The offending entry is 'service_ome_linux(a)amr.company.com'. The Linux SE fat-fingered that user when doing a realm permit. Since sssd treats this as an unknown domain (to sssd), it locks all permitted users and groups. I've tried to submit this to my OS vendor as a bug, but they claim it's a 'feature'. Ok, but it would be nice to have a configuration option to ignore permitted users and groups from unknown realms -- to not lock all existing permitted users and groups. Spike