Bug
Resolution: Not a Bug
rhel-8.10
Important
rhel-sst-idm-sssd
ssg_idm
Red Hat Enterprise Linux
x86_64
What were you trying to do that didn't work?
Configure and access a second AD domain using SSSD.
What is the impact of this issue to you?
Cannot log in on the second domain.
Please provide the package NVR for which the bug is seen:
sssd-2.9.4-5.el8_10.1.x86_64 Sun Jan 19 07:28:30 2025
sssd-ad-2.9.4-5.el8_10.1.x86_64 Sun Jan 19 07:28:30 2025
sssd-client-2.9.4-5.el8_10.1.x86_64 Sun Jan 19 07:28:29 2025
sssd-common-2.9.4-5.el8_10.1.x86_64 Sun Jan 19 07:28:30 2025
sssd-krb5-2.9.4-5.el8_10.1.x86_64 Sun Jan 19 07:28:30 2025
sssd-krb5-common-2.9.4-5.el8_10.1.x86_64 Sun Jan 19 07:28:30 2025
sssd-ldap-2.9.4-5.el8_10.1.x86_64 Sun Jan 19 07:28:30 2025
How reproducible is this bug?:
Always
Steps to reproduce
- Use KCS https://access.redhat.com/solutions/4035171 to configure access to a second AD domain in a different forest.
- Perform user lookup or login with account from second domain.
- Review SSSD logs to confirm that sssd-nss did not forward the request to the second domain.
Expected results
The accounts from the second domain should be able to log in; sssd-nss should select the correct domain backend for lookups and authentication.
Actual results
Authentication fails; sssd-nss forwards the request to the primary domain backend.