Unfortunately, it seems to not be so easy:

```
rtadmin@ubt18-test:~$ cat /etc/nsswitch.conf
...
#passwd:         compat systemd sss
#group:          compat systemd sss
passwd:         files sss
group:          files sss
shadow:         files sss
gshadow:        files
...
rtadmin@ubt18-test:~$ getent passwd user1
user1:*:30335:33111:User One:/users/user1:/bin/bash
rtadmin@ubt18-test:~$ groups user1
user1 : unix_users groups: cannot find name for group ID 33118
33118
```

Curiously, when I did `getent passwd user1` it seems to have resolved and cached the primary group, but not any secondary groups.

Discussing `sss_cache -E`,

```
rtadmin@ubt18-test:~$ sudo  sss_cache -E
rtadmin@ubt18-test:~$ groups user1
user1 : groups: cannot find name for group ID 33111
33111 groups: cannot find name for group ID 33118
33118
rtadmin@ubt18-test:~$ groups user2
user2 : groups: cannot find name for group ID 33111
33111
rtadmin@ubt18-test:~$ getent passwd user2
user2:*:30255:33111:User Two:/users/user2:/bin/bash
rtadmin@ubt18-test:~$ groups user2
user2 : groups: cannot find name for group ID 33111
33111
# (note that user2 is not in group 33118.)
```

-- and that also shoots down my assumption regarding `getent passwd <user>` causing the primary group to be cached.



On Fri, Jul 20, 2018 at 5:55 PM, Joakim Tjernlund - Joakim.Tjernlund@infinera.com <sssdusers.retinkab.d133d58ee0.Joakim.Tjernlund#infisssd-users@lists.fedorahosted.org> wrote:

> Start with replacing compat with files in nsswitch.conf