This ticket is based on an IRC discussion I had with @sbose, so the actual idea about what needs to be done is his.

When an IPA client looks up a user from an IPA server, the user with all their groups is looked up. The client would first do a REQ_FULL_WITH_MEMBERS s2n request for the user which returns the user entry and all their groups. Then, the client issues a REQ_FULL_WITH_MEMBERS s2n request for each group.

Because of historical reasons, where the s2n operations were only used to resolve a SID where it was not known if the SID belongs to a user or a group, the s2n request triggers a lookup on the server for a user first and only if a user is not found, a request for a group is tried.

This is not optimal especially in case there are many trusted domains, because every request must first iterate over the domain list looking for a user and then it would iterate over the domain list again looking for a group.

To improve the situation, Sumit suggested that the request is extended with an object type on the IPA side and the extdom plugin is also extended with to use this data to trigger the appropriate lookup on the IPA server.