On Fri, 09 Jul 2021, iulian roman via FreeIPA-users wrote:
Thanks for the links. According to the document, override for AD users can happen only in Default Trust View, therefore I cannot have the second host-based view defined. In this case it is absolutely impossible to make the override for AD users work for both SSSD versions.
I think you have misunderstood what the documentation is saying.
'Default Trust View' can only contain overrides for users/groups from trusted AD domains. Other ID views can contain overrides for either IPA users/groups or users/groups from trusted AD domains.
Overrides from ID Views are cumulative: Default Trust View overrides always apply, but a host-specific view is applied locally at the host, after SSSD on the host has already received the data from an IPA server.
On IPA server only Default Trust View is applied and it is not possible to add another view to IPA server.
If you have problems with ID overrides' application on the specific host, chances are that you have issues with consistency of UID/GID <-> SID mapping in general.