On Fri, 09 Jul 2021, iulian roman via FreeIPA-users wrote:
I think you have misunderstood what the documentation is saying.
yes, probably I misunderstood the statement from the doc:
"The Default Trust View is always applied to IdM servers and replicas as well as to
AD users and groups. You cannot assign a different ID view to them: they always apply the
values from the Default Trust View"
'Default Trust View' can only contain overrides for users/groups from
trusted AD domains. Other ID views can contain overrides for either IPA
users/groups or users/groups from trusted AD domains.
Overrides from ID Views are cumulative: Default Trust View overrides
apply always but host-specific view is applied locally at the host,
after SSSD on the host already received the data from an IPA server.
On IPA server only Default Trust View is applied and it is not possible
to add another view to IPA server.
If you have problems with ID overrides' application on the specific
host, chances are that you have issues with consistency of UID/GID <->
SID mapping in general.
It can be, but I have no idea how to investigate further. I
have done hundreds of tests, and it either works with one sssd version or with the
other one. In AD I have the UID, GID, GID is resolved to a name, etc. On IPA server the
GIDs, UIDs, username and group name are always resolved correctly; the problem occurs on
the clients and it has to do with the cache and the magic group, but I cannot figure out
what exactly is the issue.