Do your AD users in question belong to any IPA groups?

No, they didn't. They do now.


I have applied your 4-step solution (instead of clearing the caches in the fifth step, I just rebooted the IPA server), and it looks good so far. I will do some more tests during the following days, and then will post the results.

Thanks very much, John!