> Do your AD users in question belong to any IPA groups?
>
No, they didn't. They do now.
I have applied your 4-step solution (instead of clearing the caches in the
fifth step, I just rebooted the IPA server), and it looks good so far. I
will do some more tests during the following days, and then will post the
results.
Thanks very much, John!