Follow-up: today I tried clearing the sssd cache and restarting sssd on all three clients, and all three lost their AD users:
# rm -f /var/lib/sss/db/* # service sssd restart Stopping sssd: [ OK ] Starting sssd: [ OK ] # id 'MIDD\juser' id: MIDD\juser: No such user David Guertin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project