One of the most frequent cases I deal with is that “sometimes” and “somewhere” a user does not get authenticated. SSH to a host works for some users but not always, “id username” returns errors now and then. It is all the same problem in an environment with LDAP replication. It does not actually matter what kind of LDAP server or domain controller is in use; always check the following:
- enable debug logging on the client. If the client is SSSD, add “debug_level = 9” to /etc/sssd/sssd.conf and restart it. Invalidate its cache if possible.
- repeat the test so that you see the error.
- collect the log file from the client. It shows which server was queried for the information.
- check that server’s log. Most likely the requested information is missing on this LDAP instance because of replication issues.
This will help you identify and fix the problem.
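The checklist above, as an added shell example that is not part of the original post: one helper turns on `debug_level = 9` in every `[domain/...]` section of an sssd.conf (the key must sit in the domain section for the backend log to become verbose), and two helpers pull out of the resulting `sssd_<domain>.log` which servers SSSD tried and which ones it marked as working. The config file and the log lines are constructed for the demo; the wording of the log messages (`Constructed uri '...'`, `Marking port N of server '...' as '...'`) is my assumption about SSSD's format, not something the post states.

```shell
#!/bin/sh
# Added example, not part of the original post. Helpers for the checklist:
#   enable_sssd_debug CONF  adds "debug_level = 9" to every [domain/...] section
#   queried_servers LOG     lists the servers SSSD built an LDAP URI for
#   server_status LOG       shows which servers SSSD marked 'working' / 'not working'
# The config and log below are constructed for the demo; on a real host pass
# /etc/sssd/sssd.conf and /var/log/sssd/sssd_<domain>.log instead.
set -eu

# Insert or replace "debug_level = 9" in each [domain/...] section only.
# The result is written back with cat so the file keeps its mode and owner
# (sssd is picky about both).
enable_sssd_debug() {
    conf="$1"
    tmp="$(mktemp)"
    awk '
        /^\[/ {
            # leaving a domain section that had no debug_level: append one
            if (in_domain && !seen) print "debug_level = 9"
            in_domain = ($0 ~ /^\[domain\//)
            seen = 0
            print; next
        }
        in_domain && /^[ \t]*debug_level[ \t]*=/ {
            print "debug_level = 9"; seen = 1; next
        }
        { print }
        END { if (in_domain && !seen) print "debug_level = 9" }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Hosts from "Constructed uri 'ldap://host'" lines, de-duplicated (assumed wording).
queried_servers() {
    sed -n "s|.*Constructed uri '[a-z]*://\([^'/]*\).*|\1|p" "$1" | sort -u
}

# "host status" pairs from "Marking port N of server 'host' as 'status'" lines.
server_status() {
    sed -n "s|.*Marking port [0-9]* of server '\([^']*\)' as '\([^']*\)'.*|\1 \2|p" "$1" | sort -u
}

work="$(mktemp -d)"

# Constructed sssd.conf: one domain already has a debug_level, one has none.
cat > "$work/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = example.com, lab.example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com
debug_level = 2

[nss]
filter_groups = root

[domain/lab.example.com]
id_provider = ldap
ldap_uri = ldap://ldap3.example.com
EOF

# Constructed log lines in the shape of sssd_<domain>.log (assumed wording):
# ldap1 was tried first and failed, so the lookup went to ldap2.
cat > "$work/sssd_example.com.log" <<'EOF'
(2024-01-10  9:15:01): [be[example.com]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://ldap1.example.com'
(2024-01-10  9:15:04): [be[example.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ldap1.example.com' as 'not working'
(2024-01-10  9:15:04): [be[example.com]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://ldap2.example.com'
(2024-01-10  9:15:04): [be[example.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ldap2.example.com' as 'working'
(2024-01-10  9:15:04): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=jdoe)(objectclass=posixAccount))][dc=example,dc=com]
(2024-01-10  9:15:04): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
EOF

enable_sssd_debug "$work/sssd.conf"
printf '== patched config ==\n'; cat "$work/sssd.conf"
printf '== servers queried ==\n'; queried_servers "$work/sssd_example.com.log"
printf '== server status ==\n'; server_status "$work/sssd_example.com.log"
```

On a real client the sequence is `enable_sssd_debug /etc/sssd/sssd.conf`, `systemctl restart sssd`, `sss_cache -E` to drop the cached entries, then reproduce with `id username` and point `queried_servers` and `server_status` at `/var/log/sssd/sssd_<domain>.log`. The host that comes out as the one actually answering the lookup is the LDAP instance whose own log and replication state to check next; a server showing up as `not working` explains why the lookup landed somewhere else than expected.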