Hi,
[PATCH 1/3] AD: Only connect to GC for subdomain users
https://fedorahosted.org/sssd/ticket/2251
By connecting to GC for users from both trusted domains and parent domain, we lose the ability to download the shell and homedir if these are used with ID mapping.
This patch changes the user lookups only. Changing the logic for all lookups would break cross-domain group memberships, for example.
[PATCH 2/3] MAN: Clarify the GC support a bit
It should be noted that disabling GC does *not* disable lookups from trusted domains. Disabling GC might be a good way for admins who wish to use POSIX attributes in trusted domains and the man page should hint at this option.
[PATCH 3/3] AD: Use the right memory context
The caller would typically use the same combination of context as this bug implies, but we should use the passed-in context anyway.