One of the most frequent cases I see is that “sometimes” and “somewhere” a user is not getting authenticated: SSH to a host works for some users but not always, “id username” returns an error now and then. In an environment with LDAP replication it is all the same problem. It does not matter what kind of LDAP server or domain controller is being used; always check:
- Enable debug logging on the client. If the client is SSSD, add “debug_level = 9” to /etc/sssd/sssd.conf and restart the service. Invalidate its cache if possible, so the lookup really goes to the server instead of being answered from the local cache.
- Repeat the test until you see the error.
- Collect the log file from the client. It shows which server was queried for the information.
- Check that server’s log. Most likely the requested entry does not exist on this LDAP instance because of a replication problem.
This is usually enough to identify and fix the problem.
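The four checks above as a small set of shell functions for an SSSD client (an added example, not code from the original post). It assumes the stock SSSD paths /etc/sssd/sssd.conf and /var/log/sssd, and that the domain backend logs lines containing "Constructed uri '…'" and "calling ldap_search_ext with […]" at debug level 9; those message texts are taken from SSSD's sdap backend but vary between versions, so adjust the patterns if your log looks different.

```shell
#!/bin/sh
# Added example, not the original post's code. Paths are assumptions and can be
# overridden from the environment (the tests point them at temporary files).
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
SSSD_LOG_DIR="${SSSD_LOG_DIR:-/var/log/sssd}"

# Step 1: put "debug_level = 9" into every section of sssd.conf ([sssd], [nss],
# [pam], [domain/...]). Existing debug_level lines are dropped first so the
# file never ends up with two conflicting settings in one section.
enable_sssd_debug() {
    conf="$1"
    tmp=$(mktemp) || return 1
    awk '
        /^[[:space:]]*debug_level[[:space:]]*=/ { next }
        { print }
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ { print "debug_level = 9" }
    ' "$conf" > "$tmp" || return 1
    cat "$tmp" > "$conf"   # "cat >" keeps the file's inode and 0600 root mode
    rm -f "$tmp"
}

# How many sections now carry the debug setting (confirms step 1 took effect).
count_debug_sections() {
    grep -c '^debug_level = 9$' "$1"
}

# Step 2: restart with the new level and flush the cache, so the next lookup
# is answered by an LDAP server and not by the cached copy on the client.
restart_and_flush() {
    systemctl restart sssd && sss_cache -E
}

# Step 3: reproduce the failure for one user; the id(1) call is the test the
# post describes and its exit status tells you whether this run failed.
reproduce() {
    id "$1"
}

# Step 4a: list every LDAP server the domain backend contacted, in the order
# it tried them (assumed message: "Constructed uri 'ldap://host'").
queried_servers() {
    sed -n "s/.*Constructed uri '\([^']*\)'.*/\1/p" "$1" | awk '!seen[$0]++'
}

# Step 4b: list the search filters that were sent, so you know which entry to
# look for in that server's own log (assumed message: "calling ldap_search_ext
# with [filter][base]").
searched_filters() {
    sed -n 's/.*calling ldap_search_ext with \[\([^]]*\)\].*/\1/p' "$1" | awk '!seen[$0]++'
}

# Usage on a real client (domain name is the [domain/...] section of sssd.conf):
#   enable_sssd_debug "$SSSD_CONF" && restart_and_flush
#   reproduce alice
#   queried_servers  "$SSSD_LOG_DIR/sssd_example.com.log"
#   searched_filters "$SSSD_LOG_DIR/sssd_example.com.log"
```

The server names printed by queried_servers are the ones whose logs you read next; if a lookup for the same user succeeds when a different server answers, that is the replication gap the post is talking about.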