Hi, we have a setup with a Forest Trust to an AD Domain. Everything looks good on the FreeIPA Servers itself. We can see User information if we do "getent passwd user(a)ad.domain" or "id user(a)ad.domain" or "sssctl user-checks user(a)ad.domain". But on a connected client, we get only the user of the ipa domain and no user information on ad user. In the logs, we found no obvious error. The only thing we see in sssd.log is: (Tue Jul 10 16:19:27 2018) [sssd[be[ipa.domain]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication. (Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=user(a)ad.domain] (Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null). (Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed. Best Regards, Axel