by sekh60 2321 days ago
What is wrong with SSSD? Granted I have never used AD, but I have a domain set up with FreeIPA and it just works for the most part. The logs are pretty detailed when the rare issue comes up, and being Kerberos-based, 80% of the time it's a time sync issue.
1 comments

There have been several issues over time. My general problem with it was complexity. What finally broke the camel's back for me was that for unexplained reasons, sssd stayed in "offline mode" after system standby for 30-60 seconds. We could validate that the network connection was back up after max. 5 seconds, but there was no way to get this thing to go online again. So basically we had to tell our users that they won't be able to log in after system standby for a minute or so.

This was impossible to debug. You could send some signal (USR1 or 2 iirc) to sssd to force it into online mode; we even tried a crude script that would run after system resume and spam sssd with that signal for a minute, to no avail. Shortly after I left that department the decision was made to move to Centrify. It's a pita in other ways apparently, but everything I know about it is just from hearsay from old colleagues anyways.