
Just came across an interesting problem using sssd where I was able to getent someuser@example.com but getent group somegroup@example.com was failing. Ended up finding out with adcli info example.com that there were two DCs in the forest that were not reachable and causing the issue.

I now have it working by restricting which AD machines are used by using ad_server and ad_backup_server. I've spent the last few hours reading manuals, blogs, etc. but I'm wondering would there be a way to do the opposite?... So, instead of having an allow list using ad_server, having some kind of blacklist? I haven't discovered any options like that. Although it may be my lack of knowledge/in-depth experience using sssd, realmd. I'm open to solutions outside of using some form of sssd config options. I'm using dnsmasq on the server as well, so if there are any solutions that would work using that, I'm open to anything.

Andrew Schulman
TryTryAgain

1 Answer

No, I'm sorry, this is not possible. Only whitelisting is.

jhrozek
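
Since only an allow list is supported, a deny list can be approximated by generating the ad_server / ad_backup_server lines from the discovered DCs minus the ones to exclude. The following is an added example, not code from either poster or from the sssd project; the host names dc1 to dc4 and the function names are constructed, and the input is assumed to be in the format printed by `dig +short -t SRV _ldap._tcp.example.com`.

```bash
#!/usr/bin/env bash
# Added example: derive an sssd allow list from SRV records minus a deny list.
# Real use (assumes dig is installed and DNS is reachable):
#   dig +short -t SRV _ldap._tcp.example.com | build_ad_servers "dc3.example.com"

# Constructed sample input: "priority weight port target." per line.
sample_srv() {
cat <<'EOF'
0 100 389 dc1.example.com.
0 100 389 DC2.example.com.
0 100 389 dc3.example.com.
0 100 389 dc4.example.com.
0 100 389 dc1.example.com.
EOF
}

# build_ad_servers "<deny list, space or comma separated>" < srv_lines
# Prints sssd.conf lines: the first remaining DC becomes ad_server, the rest
# ad_backup_server. Fails (exit 1) if filtering leaves no DC, so an empty
# allow list is never written into the configuration.
build_ad_servers() {
    awk -v deny="$1" '
        BEGIN {
            n = split(tolower(deny), d, /[ ,]+/)
            for (i = 1; i <= n; i++) skip[d[i]] = 1
        }
        NF >= 4 {
            host = tolower($4)          # DNS names are case-insensitive
            sub(/\.$/, "", host)        # drop the trailing root dot
            if (host in skip || host in seen) next
            seen[host] = 1
            keep[++k] = host
        }
        END {
            if (k == 0) {
                print "error: no domain controllers left after filtering" > "/dev/stderr"
                exit 1
            }
            print "ad_server = " keep[1]
            if (k > 1) {
                line = keep[2]
                for (i = 3; i <= k; i++) line = line ", " keep[i]
                print "ad_backup_server = " line
            }
        }'
}

# Demo on the constructed sample: exclude two unreachable DCs.
sample_srv | build_ad_servers "dc3.example.com dc4.example.com"
```

The generated lines belong in the `[domain/...]` section of sssd.conf and need regenerating whenever DCs are added or retired, because sssd will not pick up new controllers on its own once the list is pinned.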