SSSD · alexey-tikhonov · Feb 16, 2026 · Feb 17, 2026
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
@@ -1177,14 +1177,19 @@ int sysdb_add_group(struct sss_domain_info *domain,
                     int cache_timeout,
                     time_t now);
 
+/* If user_member_dn is not NULL, the user will be added as a member of the
+ * group during creation, avoiding a separate sysdb_add_group_member() call.
+ * user_member_dn must be a pre-computed DN (e.g. from sysdb_user_strdn()).
+ */
 int sysdb_add_incomplete_group(struct sss_domain_info *domain,
                                const char *name,
                                gid_t gid,
                                const char *original_dn,
                                const char *sid_str,
                                const char *uuid,
                                bool posix,
-                               time_t now);
+                               time_t now,
+                               const char *user_member_dn);
 
 /* Add netgroup (only basic attrs and w/o checks) */
 int sysdb_add_basic_netgroup(struct sss_domain_info *domain,

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
@@ -2278,7 +2278,8 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
                                const char *sid_str,
                                const char *uuid,
                                bool posix,
-                               time_t now)
+                               time_t now,
+                               const char *user_member_dn)
 {
     TALLOC_CTX *tmp_ctx;
     int ret;
@@ -2365,6 +2366,11 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
         if (ret) goto done;
     }
 
+    if (user_member_dn != NULL) {
+        ret = sysdb_attrs_add_string(attrs, SYSDB_MEMBER, user_member_dn);
+        if (ret != EOK) goto done;
+    }
+
     ret = sysdb_set_group_attr(domain, name, attrs, SYSDB_MOD_REP);
 
 done:

diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
@@ -474,7 +474,8 @@ sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
                                                const char *sid_str,
                                                const char *uuid,
                                                bool posix,
-                                               time_t now);
+                                               time_t now,
+                                               const char *user_member_dn);
 
 struct sdap_id_conn_ctx *get_ldap_conn_from_sdom_pvt(struct sdap_options *opts,
                                                      struct sdap_domain *sdom);

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
@@ -1906,7 +1906,7 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
     bool next_base = false;
     size_t count;
     struct sysdb_attrs **groups;
-    char **sysdb_groupnamelist;
+
 
     ret = sdap_get_and_parse_generic_recv(subreq, state,
                                           &count, &groups);
@@ -1962,22 +1962,8 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
     }
 
     if (state->no_members) {
-        ret = sdap_get_primary_fqdn_list(state->dom, state,
-                                state->groups, state->count,
-                                state->opts->group_map[SDAP_AT_GROUP_NAME].name,
-                                state->opts->group_map[SDAP_AT_GROUP_OBJECTSID].name,
-                                state->opts->idmap_ctx,
-                                &sysdb_groupnamelist);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_OP_FAILURE,
-                  "sysdb_attrs_primary_name_list failed.\n");
-            tevent_req_error(req, ret);
-            return;
-        }
-
         ret = sdap_add_incomplete_groups(state->sysdb, state->dom, state->opts,
-                                         sysdb_groupnamelist, state->groups,
-                                         state->count);
+                                         state->groups, state->count, NULL);
         if (ret == EOK) {
             DEBUG(SSSDBG_TRACE_LIBS,
                   "Writing only group data without members was successful.\n");