#5613 users without User Private Group are missing memberOf for GID group
Opened 7 years ago by pspacek. Modified 6 years ago

https://www.redhat.com/archives/freeipa-users/2016-January/msg00242.html

>>>> This is an old thread, but I can confirm that this is still an issue on
>>>> RHEL 7.2 + 4.2. This creates problems when there are roles associated
>>>> with groups, but group membership through GID is broken. I had migrated
>>>> all old NIS accounts into ipa. I then added the host enrollment role to
>>>> a particular group. Now, unless I add the users to the group explicitly,
>>>> they won't get the role, even if their gid is the same as the gid of the
>>>> group.
>>>
>>> The user GIDNumber just sets the default group for POSIX. If you do
>>> groups on the user I'll bet it shows correctly.
>>>
>>> For the purposes of IPA access control, as you've seen, the user must
>>> have a memberOf for a given group, either directly or indirectly.
>>>
>>> rob
>>>
>>
>> Exactly, but the question is, shouldn't IPA add this membership automatically?
>> (Of course, only in case IPA has group with this GID.)
> 
> IMHO we should. Currently, the user effectively has different group membership
> on POSIX systems and non-POSIX systems which read only member attribute. I
> think that this is surprising and inconsistent.

Seems like the next step is to open the RFE.

I wouldn't characterize it as POSIX vs non-POSIX as that could confuse
things. It is just that if the user doesn't have a UPG then they
probably don't have a memberOf for their GID group.

Devel meeting result:

Print a warning in ipa user-show that gidnumber doesn't match any group the user is a member of; do it only if members are requested (future 4.4 optimization).
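The check the devel meeting proposed, written out as an added example (this is not FreeIPA's own implementation of the warning): it takes user and group entries in the shape a caller would already have fetched from LDAP (uid, gidNumber, memberOf group names; cn, gidNumber) and flags every user whose gidNumber points at a group they are not memberOf. The names `User`, `Group`, `primary_gid_warning` and `audit` are my own, the `private` flag marking a user private group is an assumption (FreeIPA identifies UPGs by its own managed-entry attributes), and the directory entries at the bottom are constructed to mirror the migrated-NIS scenario in the thread.

```python
# Added example, not FreeIPA code: audit users whose primary GID is not backed
# by a group they are memberOf (the inconsistency described in this ticket).
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Group:
    cn: str
    gidnumber: Optional[int] = None  # None: non-POSIX group, carries no GID
    private: bool = False            # True: user private group (UPG); assumption,
                                     # callers must mark these themselves


@dataclass
class User:
    uid: str
    gidnumber: int
    memberof: List[str] = field(default_factory=list)  # direct + indirect group cn values


def primary_gid_warning(user: User, groups: List[Group]) -> Optional[str]:
    """Return a warning if the user's gidNumber is not a group they are memberOf,
    otherwise None. Mirrors the check proposed for `ipa user-show`."""
    by_gid = {g.gidnumber: g for g in groups if g.gidnumber is not None}
    grp = by_gid.get(user.gidnumber)
    if grp is None:
        # No IPA group carries this GID: nothing to reconcile, but it is still
        # a dangling primary group worth reporting.
        return f"{user.uid}: gidNumber {user.gidnumber} does not belong to any IPA group"
    if grp.private:
        # UPG case: the private group has no member attribute and is not used for
        # access control, so gidNumber and memberOf cannot disagree meaningfully.
        return None
    if grp.cn in user.memberof:
        return None
    # POSIX clients will treat the user as a member via GID, IPA access control
    # (memberOf-based) will not. Remediation is an explicit membership.
    return (f"{user.uid}: gidNumber {user.gidnumber} is group '{grp.cn}' but the user "
            f"is not a member of it; fix: ipa group-add-member {grp.cn} --users={user.uid}")


def audit(users: List[User], groups: List[Group]) -> List[str]:
    """Collect warnings for all users, in input order."""
    warnings = []
    for u in users:
        w = primary_gid_warning(u, groups)
        if w:
            warnings.append(w)
    return warnings


# Constructed sample directory (not real data).
GROUPS = [
    Group("nisusers", 1000),             # POSIX group migrated from NIS
    Group("alice", 1101, private=True),  # alice's user private group
    Group("editors"),                    # non-POSIX group, no gidNumber
]
USERS = [
    User("alice", 1101, ["editors"]),     # has a UPG: consistent
    User("bob", 1000, ["editors"]),       # migrated NIS account: GID group, no memberOf
    User("carol", 1000, ["nisusers"]),    # explicitly added to the group: consistent
    User("dave", 4242, []),               # primary GID matches no group at all
]

if __name__ == "__main__":
    for line in audit(USERS, GROUPS):
        print("Warning:", line)
```

Running it reports bob and dave only. bob is exactly the case from the thread: a POSIX client resolving groups via GID sees him in nisusers, while an IPA role or HBAC rule bound to nisusers, which is evaluated from memberOf, does not apply to him until the membership is added explicitly.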

Metadata Update from @pspacek (6 years ago):
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
