I checked /etc/krb5.conf and it is mapped. I have tried as well the bellow scenario,
which might help in troubleshooting:
- If i configure trust with a different AD domain (the one created for test, with only
one DC behind AD domain) , the same IPA domain works properly. The only difference is that
in sssd logs i do not see any reference to
ldap/dccontroller.example.local(a)IPADEV.EXAMPLE.LOCAL and no GSSAPI errors, it seems it
does not ask for that ldap service Kerberos ticket at all, or is asking for a different
service ticket.
Another difference between the PRD environment and TEST environment is : ipa domain is a
subdomain for the main AD domain (IPA domain is ipadev.example.local and the AD domain
is example.local) , but for the test AD i have ipa domain ipadev.example.local and AD
domain is example.intern (therefore no domain/subdomain relationship between them).
The test AD domain I tried (and which works) does use Windows Server 2012 and the main AD
domain (which does not work) uses a mix of Windows Server 2012 and Windows Server 2016
operating systems.
There might be other differences as well, but I do not know exactly where to look into (I
do not manage the AD).