Feature: In an IPA-AD trust setup, getpwnam and getgrnam calls for IPA groups that contain AD members via external groups used to only return members who were cached via an initgroups call. This patch adds the ability to resolve external members without the initgroups operation as well.
Reason: The slapi-nis plugin makes heavy use of this functionality when presenting the external group members to the compatibility tree which is then consumed by legacy clients. It's the only way to define sudo rules through an external group to legacy clients at the moment.
Result: calling "getent group" for an IPA group that contains a member from an Active Directory domain would return the AD members as well. Please note that "Domain Users" are a bit of a special case here and its members are not resolved. This is because Domain Users are a primary group for AD users, but do not contain its members as LDAP attributes.