[Freeipa-users] Export service keytab as Active Directory user

Hi, we are running FreeIPA 4.5.4 on Centos 7 with a one way trust to an Active Directory. We want to allow AD users to retrieve service keytab on FreeIPA managed hosts. AD users are linked to a external group, and these group to a FreeIPA group.  We've created a service and allowed FreeIPA group (for testing external group too) to retrieve keytab. Now we logged in with AD credentials to a FreeIPA managed host, got an ticket with kinit user@AD-domain and tried to retrieve keytab for service, which runs in an error "Failed to parse result: Insufficient access rights". With an FreeIPA user, added to FreeIPA group above, it works. So what we are missing here ? Is it possible to retrieve service keytabs as a trusted AD user ? Thanks.