I have an IPA domain (ipa.engr.tamu.edu) that has a one-way trust with an AD domain (engr.tamu.edu). I've created a POSIX group called 'linux_team' that contains an external group called 'linux_team_ext', which itself contains the AD group linux_team@engr.tamu.edu (from the trusted domain). When I run 'getent group linux_team', I get nothing back at all. However, it seems from the logs that it does fetch all of the group members:
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-william.luke@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-andrew.eggleston@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-blake.dworaczyk@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-david.miller@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-j.polasek@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-matthew.mjelde@engr.tamu.edu] to [overridememberUid].
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): No override name available.
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [sysdb_add_group_member_overrides] (0x4000): Added [coe-steve.herring@engr.tamu.edu] to [overridememberUid].
Ultimately I see this log entry:
(Fri Aug 16 16:16:37 2019) [sssd[nss]] [nss_get_grent] (0x0040): Incomplete group object for linux_team@engr.tamu.edu[0]! Skipping
I've tested the trust relationship and it seems to work fine. I've also added a user override to the 'Default Trust View' and I'm able to fetch the user without a problem. Everything except for group membership from the trusted AD domain seems to be working.
Here are the complete logs: https://drive.google.com/file/d/164_zRBreVtA4P9-MZ0r8MIx-ElFOful-/view?usp=s...
freeipa-users@lists.fedorahosted.org