Groups are losing periodically members which are added through LDAP group membership

Summary

Version Gitlab EE 8.11

I'm struggling with a quite interesting Problem. In our company it was required to migrate user account to a new AD. I guess that since then the function "Gitlab Group sync" is doing something wrong. Every hour all members of a Group which were assigned via an LDAP Group, are being deleted. After a couple of minutes or hours they are back in the Group.

Steps to reproduce

Expected behavior

The users assigned through LDAP to a Group shouldn't lose their Membership.

Actual behavior

Every couple of hours all users (assigned through LDAP) which were visible in a group are gone. Users are not able to access anymore their project till LDAP has refilled the groups again. Very anoing!

Relevant logs and/or screenshots

'''Started GET "/groups/sdi" for x.x.x.x at 2016-11-24 13:22:42 +0100

Read fragment views/groups/329-20161123171939128655000/projects/349-20161123184117143956000/groups/show/application_settings/1-20161019104540497789000/v2.3/81898b0083c38e04818f4d0c8130b34f (0.2ms)

Read fragment views/groups/329-20161123171939128655000/projects/351-20161123172624312984000/groups/show/application_settings/1-20161019104540497789000/v2.3/81898b0083c38e04818f4d0c8130b34f (0.3ms)

Read fragment views/groups/329-20161123171939128655000/projects/350-20161123172113013596000/groups/show/application_settings/1-20161019104540497789000/v2.3/81898b0083c38e04818f4d0c8130b34f (0.3ms)

Started POST "/admin/sidekiq/cron/ldap_group_sync_worker/enque" for x.x.x.x at 2016-11-24 13:28:44 +0100

EE::Gitlab::LDAP::Sync::Group: LDAP group sync cannot remove Henning (40) from group FISC (6) as this is the group's last owner

EE::Gitlab::LDAP::Sync::Group: LDAP group sync cannot remove Marco 4) from group BB (51) as this is the group's last owner

Cannot find LDAP group with CN 'bs.a.mobility_engineering_gitlab'. Skipping

EE::Gitlab::LDAP::Sync::Group: LDAP group sync cannot remove Cedric (42) from group mobility_engineering (154) as this is the group's last owner

Cannot find LDAP group with CN 'bs.a.mobility_collaborators_gitlab'. Skipping

EE::Gitlab::LDAP::Sync::Group: LDAP group sync cannot remove Cedric (42) from group mobility_collaborators (155) as this is the group's last owner

Cannot find LDAP group with CN 'bs.a.mobility_app_factory_gitlab'. Skipping

EE::Gitlab::LDAP::Sync::Group: LDAP group sync cannot remove Cedric (42) from group app_factory (156) as this is the group's last owner

Cannot find LDAP group with CN 'bs.a.servicenow.engineer'. Skipping

EE::Gitlab::LDAP::Sync::Group: LDAP group sync cannot remove Robert (82) from group cloud-engineers (210) as this is the group's last owner

Cannot find LDAP group with CN 'bs.a.sc3_gitlab_admin'. Skipping

EE::Gitlab::LDAP::Sync::Group: LDAP group sync cannot remove Volker (34) from group VolkersGroup (220) as this is the group's last owner

Started GET "/admin/groups" for x.x.x.x at 2016-11-24 13:32:33 +0100

Started GET "/admin/groups?utf8=%E2%9C%93&sort=&name=app" for x.x.x.x at 2016-11-24 13:32:36 +0100

Started GET "/admin/groups/app_factory" for x.x.x.x at 2016-11-24 13:32:39 +0100

Started GET "/admin/groups/app_factory/edit" for x.x.x.x at 2016-11-24 13:36:34 +0100

Started GET "/admin/groups" for x.x.x.x at 2016-11-24 13:45:34 +0100

EE::Gitlab::LDAP::Sync::Group: LDAP group sync cannot remove Henning (40) from group FISC (6) as this is the group's last owner . . . Cannot find LDAP group with CN 'bs.a.mobility_app_factory_gitlab'. Skipping

Cannot find LDAP group with CN 'bs.a.servicenow.engineer'. Skipping . . .'''

#################################################

Does anybody have a clue what it can be? Is it somehow related to the AD-migrated user account? Login with these accounts if working fine. From my perception it seems that the code see different uids and think that the users in the Group should be deleted - but it's only a guess. (code on Group.rb)