I have a freeipa server at freeipa.domain.com. Works fine and users have been migrated from an old NIS setup. New machines are added to the domain and users can log in using their freeipa credentials. However, one issue we have observed is that `getent` does not behave as expected. On a freshly installed server (freeipa client), group information for alice seems to be messed up. Running `getent group alice`, we get `alice:*:1024:`. Running `getent paswd alice`, we get `alice:*:1024:1026:allice NIS_USER:/home/alice:/bin/bash`. Running `id alice`, we get `uid=1024(alice) gid=1026(bob) groups=1026(bob),185400081(sudoers)`. This is very confusing. Neither alice nor bob have local accounts. When checking directly in freeipa (kinit admin; ipa user-show alice --all), we get `UID: 1024`, `GID: 1026` and `Member of groups: sudoers, ipausers`. This seems to be correct, because in the old NIS environment alice had uid 1024 and gid 1026. How can we get `getent group alice` to display the correct gid and `id alice` to not claim that gid 1026 belongs to bob? For reference, `id bob` shows `uid=1026(bob) gid=1028(carol) groups=1028(carol)`.
Thank you so much for your help!