I have a FreeIPA domain, i.rdmedia.com, (CentOS 7.3, fully up-to-date: rpm versions are 4.4.0-14.el7.centos.7) with a two-way, non-transitive, external trust to an Active Directory domain in another forest, clients.rdmedia.com, (Windows Server 2012R2). I've setup the trust using the Administrator credentials. 

As one of the final steps, I would like to get passwordless SSH-access using GSSAPI to work, but unfortunately I get the following error in the Putty log when connecting from an AD domain-joined client:

Event Log: GSSAPI authentication initialisation failed

Event Log: The target was not recognized