I also observed one peculiar thing when it comes to group membership of the group which is used in my HBAC rule. When I issue getent group ad_users on the server, I get:

ad_users:*:1010200005:jdoe@td.mydomain.com

In FreeIPA's web UI, membership looks as follows:

External member
S-1-5-21-4217214799-1184961203-849681438-1104
S-1-5-21-4217214799-1184961203-849681438-1111
jdoe@td.mydomain.com

and ipa group-find returns these members:

  Group name: ad_users_external
  Description: ad_domain users external map
  External member: S-1-5-21-4217214799-1184961203-849681438-1121, S-1-5-21-4217214799-1184961203-849681438-1104, S-1-5-21-4217214799-1184961203-849681438-1111

Could it also be that, due to what is displayed in FreeIPA's UI, the other two members are not returned correctly by the getent command?