Hello. We are using FreeIPA primarily to connect our Linux fleet efficiently to our organisational AD and it’s working well in that capacity. However, we are investigating a number of different enterprise NAS solutions to provide (kerberized) NFSv4 file services to this fleet. We were hoping to integrate these NAS appliances with IPA by way of the compat tree, since they don’t offer native IPA providers. This works to a point, but I’ve noticed that the compat tree does not seem to enumerate *group membership* for the AD trust users. For example, when I lookup one of my groups with an ldapsearch against one of the the IPA masters I see: dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain objectClass: ipaOverrideTarget objectClass: posixGroup objectClass: ipaexternalgroup objectClass: top cn: lcm-managedlinux@localdomain gidNumber: 1388937688 ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTctMzI2MTkwNjQ2Mi0xMzc2ODg= I don’t see any ‘memberUid’ attributes, but would expect to see about 8 members. Is this expected behaviour, or is there some additional configuration needed to obtain this functionality? Some searching online brought up these references ('Enable compat tree to provide information about AD users and groups on trust agents’) - https://bugzilla.redhat.com/show_bug.cgi?id=1585020 - https://pagure.io/freeipa/issue/7600 These read very similarly to the behaviour we’re seeing. Regards, Robert.