On Thu, 29 Apr 2021, iulian roman via FreeIPA-users wrote:
> First, to make it clear. You should not have IPA servers (replicas) in
> .example.local. If you'd do, this is unsupported configuration and any
> bugs you'd see there are your own problems. There is simply no way to
> support servers from two separate Kerberos realms trusting each other in
> the same DNS domain.
That means that both ipa server and replica should be in the .ipadev.example.local DNS
domain (or any other domain different than .example.local)?
I need to mention that I am not using any integrated DNS, but an external one configured
in Infoblox.
The trust is only one way (ipa trusts AD domain).
>
> The configuration for IPA clients in .example.local is described in the
> FreeIPA wiki's page you already referred in this thread. Anything
> deviating from it would cause issues, as you are witnessing already.