While I have seen similar posts to the list while digging through the archive, I cannot find this question specifically answered. We are coming from OpenLDAP and migrating to FreeIPA on CentOS 7.5. We are using indirect memberships to make this migration easier, as we are moving from an organically grown OpenLDAP to a very structured FreeIPA implementation. What seems to be happening is that indirect memberships don't show using the standard Linux tools. Using either "id" or "groups" doesn't show any indirect memberships, yet the permissions seem to still work properly. This is causing some confusion with our team.

Group B is a member of Group A and the user is also a direct member of groups C and D. When using "id" for a given user it returns B, C, D and not A. However, I can create a file owned by user root and group A with 550 permissions and the user can view the contents of the file. "ipa user-show" shows the proper memberships with A being an indirect membership.

Is this the expected behavior when using indirect memberships? If so, does one abandon the standard CLI tool and use only ipa commands? I am fully aware this could be a configuration issue but I have yet to find the correct configuration to expose indirect membership to the standard Linux tools.

--

Regards,

Mark L. Potter
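The scenario in the post (B nested in A; the user a direct member of B, C and D; a root:A file with mode 550) modelled as a small script, added here as an illustration and not code from the post, FreeIPA or SSSD. The group and user names follow the post; the data tables, function names and the assumption that the access check consults the effective (nested) set rather than the direct set are my own, constructed for the example. It shows why a tool listing only direct memberships and a permission check that resolves nesting can disagree.

```python
"""Direct vs. effective (nested) group membership, modelled in Python.

Constructed illustration only: not FreeIPA or SSSD code. Group names
A, B, C, D follow the post; the user name and all data are assumptions.
"""
from collections import deque

# Constructed data: direct group memberships per user (what the post says
# "id" reported for the user). The user name "mark" is an assumption.
DIRECT_MEMBERS = {
    "mark": {"B", "C", "D"},
}

# Constructed data: group nesting as child group -> parent groups.
# "Group B is a member of Group A" is the only nesting in the post.
GROUP_PARENTS = {
    "B": {"A"},
    "A": set(),
    "C": set(),
    "D": set(),
}


def effective_groups(user, direct=DIRECT_MEMBERS, parents=GROUP_PARENTS):
    """Return direct plus indirect groups by walking the nesting graph.

    Breadth-first walk with a visited set, so cyclic nesting (A in B and
    B in A) terminates instead of looping forever.
    """
    seen = set()
    queue = deque(direct.get(user, ()))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(parents.get(g, ()))
    return seen


def indirect_groups(user):
    """Groups reached only through nesting (effective minus direct)."""
    return effective_groups(user) - DIRECT_MEMBERS.get(user, set())


def can_read(mode, owner, group, user, user_groups):
    """POSIX read check for a file with the given mode, owner and group.

    mode is an int such as 0o550; user_groups is the group set the check
    consults. Owner bits win, then group bits, then other bits.
    """
    if user == owner:
        return bool(mode & 0o400)
    if group in user_groups:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


def check_scenario(user="mark"):
    """Replay the post's test: file owned root:A, mode 550, is it readable?

    Evaluates the check once with the direct set (what "id" printed) and
    once with the effective set (what a nesting-aware resolver would use).
    """
    direct = DIRECT_MEMBERS[user]
    effective = effective_groups(user)
    return {
        "direct": sorted(direct),
        "effective": sorted(effective),
        "readable_with_direct_only": can_read(0o550, "root", "A", user, direct),
        "readable_with_effective": can_read(0o550, "root", "A", user, effective),
    }


if __name__ == "__main__":
    for key, value in check_scenario().items():
        print(f"{key}: {value}")
```

Run as a script it prints the direct set (B, C, D), the effective set (A, B, C, D) and the two access results: the file is unreadable when only the direct set is consulted and readable when the nested set is, which is the split the post observes between "id" and the actual permission check.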