One additional item I found-
https://access.redhat.com/solutions/6977745
- Check if the trust is relying on POSIX attributes coming from Active Directory.
That is NOT the case for me.
ipa idrange-find shows:
3 ranges
Range Name: GSILSMIL_id_range
...
Range type: Active Directory domain_range
Range Name: IDM.GSIL.SMIL_id_range
...
Range type: local_domain range
Range Name: GSILSMIL_subid_range
...
Range type: Active Directory domain_range