On Fri, 09 Jul 2021, iulian roman via FreeIPA-users wrote:
I think you have misunderstood what the documentation is saying.
yes, probably I misunderstood the statement from the doc: "The Default Trust View is always applied to IdM servers and replicas as well as to AD users and groups. You cannot assign a different ID view to them: they always apply the values from the Default Trust View"
'Default Trust View' can only contain overrides for users/groups from trusted AD domains. Other ID views can contain overrides for either IPA users/group or users/groups from trusted AD domains.
Overrides from ID Views are cumulative: Default Trust View overrides apply always but host-specific view is applied locally at the host, after SSSD on the host already received the data from an IPA server.
On IPA server only Default Trust View is applied and it is not possible to add another view to IPA server.
If you have problems with ID overrides' application on the specific host, chances are that you have issues with consistency of UID/GID <-> SID mapping in general.
It can be, but I have no idea how to investigate further. I have done hundreds of tests, and it either works with one sssd version or with the other one. In AD I have the UID, GID, GID is resolved to a name, etc. On IPA server the GIDs, UIDs, username and group name are always resolved correctly, the problem occurs on the clients and it has to do with the cache and the magic group but I cannot figure out what exactly is the issue.