For RHEL7 and RHEL8 sssd, it can see domain-local AD groups (from the local domain) + global groups (from the local domain) + universal groups (from all trusted domains).

Yet it cannot see global groups from non-local trusted domains.  We have those team convert the group to universal groups and problem solved.  (don't use many global groups anyway),

Is this expected behaviour? 

in the /etc/sssd/sssd.conf file, the local domain is defined and then the other trusted domains are auto-discovered.  so that it's searching the GC to find universal group memberships.  I mention the trusted domains in "domain_resolution_order".

Like I say -- this is not a big problem.  We rarely use global groups anyway.  Just curious if this is expected behaviour.

Spike