Update:
I created a new FreeIPA realm (
SUB.LAB.EXAMPLE.COM) to make further tests, with a fresh
install of the IPA-environment, and was able to replicate the problem described above. I
had a hunch, thanks to earlier online posts, discussing a similar error that the problem
could relate to the MS-PAC-diagram, and changed the "Default PAC types" from
"MS-PAC, nfs:NONE" to "PAD". Via the command:
ipa config-mod --pac-type=PAD
After that the trust-relationship worked as expected between the two ipa realms
SUB.LAB.EXAMPLE.COM and
LAB.EXAMPLE.COM.
I can only find documentation describing this from IPA V3.:
https://www.freeipa.org/page/V3/Read_and_use_per_service_pac_type
I am not entirely sure about the consequences of changing the PAC-type in an environment
that is more or less only consists for unix-machines. Is the PAD-diagram (POSIX
Authorization Data), described in the draft:
https://datatracker.ietf.org/doc/html/draft-ietf-krb-wg-pad-01
In use at all?
I do plan to integrate an Samba Active Directory and and Microsoft Active Directory in the
environment to deepen our understanding on trust-relationships. So I still wonder, if
there is another way I can maintain a trust-relationship between two ipa-instances without
changing the PAC-type.
Because of this, I assume it would be more logical to disable MS-PAC in our main realm
than in our LAB-environment.
I still appreciate thoughts or comments, or documentation regarding this.