#3955 SSH public key persists after user override deleted
Closed: cloned-to-github 3 years ago by pbrezina. Opened 5 years ago by eil.

When you add a user ID override to the Default Trust View and give the user an SSH public key, all works as expected. However, when you remove the user override, the SSH key for the user persists when looked up via sss_ssh_authorizedkeys. When I asked about this in the #freeipa IRC channel, it was suggested that I open an issue here. This is similar to but not the same as https://pagure.io/SSSD/sssd/issue/3602.

I'm running FreeIPA 4.6.4 on an up-to-date CentOS 7. These are the packages that are installed:

    [root@ipatest log]# rpm -q ipa-server sssd krb5-server pki-server selinux-policy
    ipa-server-4.6.4-10.el7.centos.2.x86_64
    sssd-1.16.2-13.el7_6.5.x86_64
    krb5-server-1.15.1-37.el7_6.x86_64
    pki-server-10.5.9-6.el7.noarch
    selinux-policy-3.13.1-229.el7_6.9.noarch

Steps to reproduce:

  1. FreeIPA 4.6.4 on CentOS 7 installed and configured with a one-way trust to AD.
  2. In the FreeIPA Web UI: Identity -> ID View -> Default Trust View
  3. Add a new user override
  4. Add an SSH public key to the user override
  5. On the command line, run: sss_ssh_authorizedkeys user@ad-domain.com to verify that the public key can be looked up.
  6. In the Web UI, delete the override

Expected results:
* Running sss_cache -E followed by sss_ssh_authorizedkeys user@ad-domain.com should not return the ssh key after the override is deleted

Actual results:
* Running sss_cache -E followed by sss_ssh_authorizedkeys user@ad-domain.com still returns the ssh key

Workarounds:
1. Delete the SSH key in the override before deleting the override.
2. Re-add the user override without an SSH key and then run sss_cache -E
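
The check from the expected and actual results above, as an added example that is not part of the original report or of SSSD: after an override is deleted, it expires the cache and lists accounts for which sss_ssh_authorizedkeys still returns a key. It assumes the accounts passed as arguments have no other SSH key source (for example an AD attribute) and that it runs with the privileges sss_cache -E needs.

```shell
#!/bin/sh
# Added example, not SSSD project code. Run on a host enrolled in IPA.
# Arguments: accounts whose ID override was deleted. Assumption: these
# accounts have no other SSH key source, so any key served is stale.

# Print the number of public keys SSSD currently serves for account $1.
# A failed lookup (unknown account) counts as zero keys.
served_key_count() {
    sss_ssh_authorizedkeys "$1" 2>/dev/null |
        awk '/^(ssh-|ecdsa-|sk-)/ { n++ } END { print n + 0 }'
}

# Expire the SSSD cache as in the report, then print "account count"
# for every listed account that still has at least one key served.
stale_key_accounts() {
    sss_cache -E || return 2
    for account in "$@"; do
        count=$(served_key_count "$account")
        if [ "$count" -gt 0 ]; then
            printf '%s %s\n' "$account" "$count"
        fi
    done
}

# Exit 1 when any stale key is found, 2 when the cache cannot be expired.
if [ "$#" -gt 0 ]; then
    stale=$(stale_key_accounts "$@") || exit 2
    if [ -n "$stale" ]; then
        printf 'keys still served after override removal:\n%s\n' "$stale" >&2
        exit 1
    fi
fi
```

Saved under a name of your choice and run with the affected account names as arguments, the non-zero exit status makes it usable from a deprovisioning job or monitoring check.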


Metadata Update from @pbrezina:
- Issue tagged with: Future milestone

4 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4929

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

3 years ago
