I tried the GPO and that actually worked, thanks Robert. I had to specify all the subdomains we use as well in the value field (we have IPA-clients in several subdomains of i.rdmedia.com). It appears my issue is solved. 

Looking forward to hearing what the Microsoft guys say.

On 21 June 2017 at 00:41, Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 20 Jun 2017, Robert Johnson wrote:
I ran into this exact same problem with my IPA domain in a one way external
trust to our Windows 2012 R2 AD forest.  It appears that Microsoft may have
removed the routing suffix option from the Windows 2012 R2 native forest
trust GUI.  My solution was to follow the instructions in the "Define host
name-to-Kerberos realm mappings" section of this document from Microsoft:
https://support.microsoft.com/en-us/help/947706/windows-server-2008-group-policy-settings-for-interoperability-with-non-microsoft-kerberos-realms
This document is not about the type of trust FreeIPA uses in the case
of an external trust to AD (nor in a normal cross-forest trust).


Assuming the IPA realm name is the same as the domain name you would use:
Value Name: I.RDMEDIA.COM
Value: .i.rdmedia.com      (Notice the period at the beginning of the
domain name)

I applied the GPO to all of my workstations (not the servers) but I don't
see any harm across all the Windows systems.
It looks like the GPO change is more of a Kerberos settings modification
on the AD side that is basically equivalent to krb5.conf's [domain_realm]
section and is not really related to the technology of the trust.

BTW, I reproduced the original issue in a lab at the interop here at
Microsoft HQ and I'm going to talk to the Microsoft guys to find out what is
happening there in reality.



Rob Johnson

On Tue, Jun 20, 2017 at 3:04 PM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users wrote:

Please see the attached screenshot for the Trust settings, and thank you
for your time.

Thanks. I'm not sure why that is happening even for the immediate forest
root domain, which i.rdmedia.com is. I'll check with the Microsoft doc help
team while here at the Redmond Interop 2017.


--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org


--
/ Alexander Bokovoy



--
Tiemen Ruiten
Systems Engineer
R&D Media
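The [domain_realm] lookup that the GPO is said to mirror, as an added example that is not part of the thread: it parses a constructed krb5.conf fragment for i.rdmedia.com and resolves host names in the order MIT krb5 documents (exact host name first, then each enclosing domain with a leading period). The "lab" subdomain, the host names and the LEGACY.EXAMPLE realm are hypothetical.

```python
"""Host-to-realm mapping as an IPA client sees it in krb5.conf's [domain_realm].
Added example, not code from the thread.  Assumes MIT krb5's documented lookup
order: exact host first, then '.parent', '.grandparent', ...  The 'lab'
subdomain and the LEGACY.EXAMPLE realm are constructed for illustration."""
import re
from typing import Dict, Optional

# Constructed krb5.conf fragment.  The leading period means "every host under
# this domain", matching the 'Value: .i.rdmedia.com' GPO entry in the thread.
DOMAIN_REALM_CONF = """
[libdefaults]
    default_realm = I.RDMEDIA.COM
[domain_realm]
    .i.rdmedia.com = I.RDMEDIA.COM
    i.rdmedia.com = I.RDMEDIA.COM
    legacy-kdc.lab.i.rdmedia.com = LEGACY.EXAMPLE
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return {pattern: REALM} taken from the [domain_realm] section only."""
    mapping: Dict[str, str] = {}
    in_section = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            pattern, realm = (s.strip() for s in line.split("=", 1))
            mapping[pattern.lower()] = realm
    return mapping


def host_to_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Exact host first, then each enclosing domain with a leading period."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None  # no entry: the library would fall back to DNS/default_realm


if __name__ == "__main__":
    realms = parse_domain_realm(DOMAIN_REALM_CONF)
    for h in ("fs01.i.rdmedia.com", "node7.lab.i.rdmedia.com",
              "legacy-kdc.lab.i.rdmedia.com", "pc.rdmedia.com"):
        print(f"{h:32} -> {host_to_realm(h, realms)}")
```

On the IPA-client side the single leading-period entry also covers deeper subdomains; the thread reports that the Windows GPO value needed each subdomain listed, so check the behaviour on whichever platform performs the lookup.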