Hi,

I have 2 rhel8 servers here: one acting as IPA server with a trust to an AD domain that has posix attributes, the other one acting as ipa client to the first one.
The packages installed on the client:
sssd-tools-2.0.0-43.el8_0.3.x86_64
sssd-common-2.0.0-43.el8_0.3.x86_64
libsss_sudo-2.0.0-43.el8_0.3.x86_64
sssd-ad-2.0.0-43.el8_0.3.x86_64
libsss_idmap-2.0.0-43.el8_0.3.x86_64
sssd-client-2.0.0-43.el8_0.3.x86_64
sssd-common-pac-2.0.0-43.el8_0.3.x86_64
sssd-ldap-2.0.0-43.el8_0.3.x86_64
sssd-2.0.0-43.el8_0.3.x86_64
python3-sss-murmur-2.0.0-43.el8_0.3.x86_64
python3-sss-2.0.0-43.el8_0.3.x86_64
sssd-nfs-idmap-2.0.0-43.el8_0.3.x86_64
libsss_nss_idmap-2.0.0-43.el8_0.3.x86_64
sssd-krb5-common-2.0.0-43.el8_0.3.x86_64
sssd-krb5-2.0.0-43.el8_0.3.x86_64
sssd-ipa-2.0.0-43.el8_0.3.x86_64
libsss_certmap-2.0.0-43.el8_0.3.x86_64
python3-sssdconfig-2.0.0-43.el8_0.3.noarch
libsss_autofs-2.0.0-43.el8_0.3.x86_64
sssd-proxy-2.0.0-43.el8_0.3.x86_64
sssd-kcm-2.0.0-43.el8_0.3.x86_64

The master config:
[domain/my.unix.domain]
id_provider = ipa
ipa_server_mode = True
ipa_server = ipaserver.my.unix.domain
ipa_domain = my.unix.domain
ipa_hostname = ipaserver.my.unix.domain.sys
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
#override_homedir = /home/%u
subdomain_homedir = /home/%u
debug_level = 10

[sssd]
services = nss, pam, ifp, ssh, sudo
domains = my.unix.domain
debug_level = 10

The slave config:
[domain/my.unix.domain]
debug_level=10
id_provider = ipa
ipa_server = _srv_, ipaserver.my.unix.domain
ipa_domain = my.unix.domain
ipa_hostname = ipaserver.my.unix.domain
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
#subdomain_enumerate = all

[sssd]
services = nss, pam, ssh, sudo
domains = my.unix.domain
debug_level=10

Now on the master I can resolve all AD groups/users that have posix attributes. But on the slave I have issues:
- it can't resolve users where the primary group ID doesn't exist (no issue on the master, apparently some known limitation?). The reason this is an issue seems to be that each user has his "own" private group as primary group configured in AD (the primary gid is the same as the uid). Anyway, I can work around this issue by defining the needed groups in Identity Management I guess.
- I can't seem to get any group resolving to work. I don't expect to see the group members (no enumeration), but on a slave "getent group blabla@AD.DOMAIN" doesn't work at all, no AD groups are returned.

When I do the getent group command on the IPA client, I get this in the logs on the IPA server:

(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=blabla@ad.domain]
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=blabla))][cn=Default Trust View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=ad,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=blabla@ad.domain))
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=blabla@AD.DOMAIN]
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(krbPrincipalName=blabla@AD.DOMAIN)(mail=blabla@AD.DOMAIN)(krbPrincipalName=blabla\\@AD.DOMAIN@MY.UNIX.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(|(krbPrincipalName=blabla@AD.DOMAIN)(mail=blabla@AD.DOMAIN)(krbPrincipalName=blabla\\@AD.DOMAIN@MY.UNIX.DOMAIN))(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))(objectClass=ipaIDObject))][cn=trusts,dc=my,dc=unix,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=blabla@AD.DOMAIN))
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [blabla@AD.DOMAIN] found.
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=blabla@AD.DOMAIN]
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=blabla))][cn=Default Trust View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(userPrincipalName=blabla@AD.DOMAIN)(mail=blabla@AD.DOMAIN)(userPrincipalName=blabla\\@AD.DOMAIN@AD.DOMAIN))(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=ad,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=blabla@AD.DOMAIN))
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [blabla@AD.DOMAIN] found.
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=blabla@ad.domain]
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaGroupOverride)(cn=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaGroupOverride)(cn=blabla))][cn=Default Trust View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaGroupOverride)(cn=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=ad,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_has_deref_support_ex] (0x0400): The server supports deref method ASQ
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_check_ad_group_type] (0x4000): AD group [] has type flags 0x80000002.
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_nested_group_hash_insert] (0x4000): Inserting [CN=blabla,OU=xxx,OU=xxx,DC=AD,DC=DOMAIN] into hash table [groups]
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_nested_group_process_send] (0x2000): About to process group [CN=blabla,OU=xxx,OU=xxx,DC=AD,DC=DOMAIN]

So it does search for the group (in the end), and finds it too; after which it starts looking for each member in the group. In the end it says this:
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_process_ghost_members] (0x0400): The group has 23 members
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_process_ghost_members] (0x0400): Group has 23 members

But apparently some issues exist with those members, since all are stored as "ghost members" and later on it returns no external members for the group.
But the client returns the group to be unknown, not a group with 0 members.
If I set "ignore_group_members = true" on the IPA master, the client shows the group as expected. So maybe it is also related to the first issue of an unknown primary group for users (in this case members of the group)?

Maybe someone can shed any light on this?

With friendly regards,
Franky
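An added helper for reading traces like the one quoted above; it is not part of Franky's post and not SSSD code. It parses the debug_level=10 back-end lines (timestamp, process, function, level, message), records the BE_REQ_USER / BE_REQ_GROUP requests, every ldap_search_ext base DN and filter, the ID-view override result, and whether the member count came from sdap_process_ghost_members, then prints what a reviewer would check first. The sample log is a constructed subset of the lines in the post; the log format assumed is the one visible there.

```python
"""Summarise one SSSD back-end lookup from debug_level=10 log lines."""
import re
from collections import Counter

# Assumed layout (as in the quoted trace):
#   (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) "
    r"\[(?P<proc>sssd(?:\[.*?\])?)\] "
    r"\[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?P<msg>.*)$"
)
REQ_RE = re.compile(
    r"Got request for \[(?P<code>0x[0-9a-f]+)\]\[(?P<kind>BE_REQ_\w+)\]\[name=(?P<name>[^\]]+)\]")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.+)\]\[(?P<base>[^\]]+)\]\.?$")
GROUPS_RE = re.compile(r"Search for groups, returned (?P<n>\d+) results")
MEMBERS_RE = re.compile(r"(?:The )?[Gg]roup has (?P<n>\d+) members")


def parse_line(line):
    """Split one debug line into its fields; None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Walk the lines of one lookup and collect the facts worth checking."""
    s = {
        "requests": [],        # (BE_REQ_USER / BE_REQ_GROUP, name) in arrival order
        "searches": [],        # (base DN, filter) for every ldap_search_ext call
        "bases": Counter(),    # how often each base DN was searched
        "no_override": 0,      # 'No override found' lines from the ID-view lookup
        "groups_returned": None,
        "member_count": None,
        "ghost_members": False,  # member count reported by sdap_process_ghost_members
        "unparsed": 0,
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                s["unparsed"] += 1
            continue
        msg, func = rec["msg"], rec["func"]
        if (m := REQ_RE.search(msg)):
            s["requests"].append((m["kind"], m["name"]))
        elif (m := SEARCH_RE.search(msg)):
            s["searches"].append((m["base"], m["filter"]))
            s["bases"][m["base"]] += 1
        elif (m := GROUPS_RE.search(msg)):
            s["groups_returned"] = int(m["n"])
        elif (m := MEMBERS_RE.search(msg)):
            s["member_count"] = int(m["n"])
            if func == "sdap_process_ghost_members":
                s["ghost_members"] = True
        elif msg.startswith("No override found"):
            s["no_override"] += 1
    return s


def diagnose(s):
    """Turn the summary into short review notes; wording reflects only what the lines show."""
    notes = []
    kinds = [k for k, _ in s["requests"]]
    if "BE_REQ_GROUP" in kinds and s["groups_returned"]:
        notes.append("group lookup reached AD and returned %d result(s)" % s["groups_returned"])
    if s["ghost_members"] and s["member_count"]:
        notes.append("the %d members are recorded as ghost entries (not yet resolved in the cache); "
                     "check whether each member resolves on its own, or compare with "
                     "ignore_group_members = true" % s["member_count"])
    if s["no_override"]:
        notes.append("no ID-view override matched in the Default Trust View (%d lookups)" % s["no_override"])
    if s["unparsed"]:
        notes.append("%d line(s) did not match the expected format" % s["unparsed"])
    return notes


# Constructed sample: a subset of the lines quoted in the post.
SAMPLE_LOG = r"""
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=blabla@ad.domain]
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=blabla))][cn=Default Trust View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=ad,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [dp_get_account_info_send] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=blabla@ad.domain]
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaGroupOverride)(cn=blabla))][cn=Default Trust View,cn=views,cn=accounts,dc=my,dc=unix,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaGroupOverride)(cn=blabla))].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=blabla)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=ad,dc=domain].
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_process_ghost_members] (0x0400): The group has 23 members
(Mon Dec  2 13:31:29 2019) [sssd[be[my.unix.domain]]] [sdap_process_ghost_members] (0x0400): Group has 23 members
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for kind, name in summary["requests"]:
        print("request:", kind, name)
    for base, count in summary["bases"].items():
        print("searched %-70s x%d" % (base, count))
    for note in diagnose(summary):
        print("note:", note)
```

Feed it a real trace with `summarize(open("/var/log/sssd/sssd_my.unix.domain.log").read().splitlines())`; the interesting check is whether the group result and a ghost-member count appear together with no further per-member resolution, which is the pattern the post describes.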