
How can I manage docker group in freeipa?

1 vote
1 answer
1726 views
First I tried managing dockerroot in freeipa, since that is the only one I saw with sudo getent group | grep dock. I saw somewhere that said I can create a group in freeipa with the same GID and it will sync with the local group. That is not an option for me. I have the group dockerroot on several machines with _different_ GIDs. So I turned to sss_override. I tried sudo sss_override group-add dockerroot -g but I get:
Unable to find group dockerroot@[unknown].
I can't find in the documentation if I am missing something. I tried using dockerroot@localhost but I get:
Unable to parse name dockerroot@localhost.
I started deploying docker to machines and want a couple users to be able to run docker without sudo. I don't want to create rules on every target machine. Any time I spin up a new machine with docker, special users should automatically get the group membership through freeipa rules.

Doing yum remove docker && yum install docker doesn't seem to affect the group either. Could I just delete it and recreate it? I don't know what I'm breaking here so I'm hesitant to do more.

----------

Now I've tried following docker's docs which say to do this:
sudo groupadd docker
sudo usermod -aG docker $USER
docker run hello-world
I want this on my domain so instead I create the group in freeipa, and add my user to it. I gave it time to sync, logged out and in, and checked the group:
sudo getent group docker
docker:*::
But I still get permission denied.
Asked by spanishgum (195 rep)
Sep 24, 2019, 08:15 PM
Last activity: Sep 24, 2019, 11:39 PM