When trying to establish an AD trust between IPA 4.5.4 and Samba 4.8.1 (MIT Kerberos), it fails with the following error:

[root@atlas5ipa samba]# ipa -vv trust-add ATLAS5.HPC --range-type=ipa-ad-trust --two-way=true --admin=Administrator --server dc.atlas5.hpc
Active Directory domain administrator's password:

ipa: ERROR: Insufficient access: CIFS server denied your credentials

IPA Server Versions
-------------------
[root@atlas5ipa samba]# rpm -qa | grep ipa
python2-ipaclient-4.5.4-10.el7.centos.noarch
ipa-server-trust-ad-4.5.4-10.el7.centos.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python-libipa_hbac-1.16.0-19.el7.x86_64
sssd-ipa-1.16.0-19.el7.x86_64
ipa-server-4.5.4-10.el7.centos.x86_64
ipa-python-compat-4.5.4-10.el7.centos.noarch
python-iniparse-0.4-9.el7.noarch
ipa-common-4.5.4-10.el7.centos.noarch
python2-ipaserver-4.5.4-10.el7.centos.noarch
ipa-client-4.5.4-10.el7.centos.x86_64
ipa-server-dns-4.5.4-10.el7.centos.noarch
libipa_hbac-1.16.0-19.el7.x86_64
ipa-server-common-4.5.4-10.el7.centos.noarch
python2-ipalib-4.5.4-10.el7.centos.noarch
ipa-client-common-4.5.4-10.el7.centos.noarch

[root@atlas5ipa samba]# rpm -qa | grep samba
samba-libs-4.7.1-6.el7.x86_64
samba-common-tools-4.7.1-6.el7.x86_64
samba-winbind-4.7.1-6.el7.x86_64
samba-client-libs-4.7.1-6.el7.x86_64
samba-4.7.1-6.el7.x86_64
samba-winbind-modules-4.7.1-6.el7.x86_64
samba-python-4.7.1-6.el7.x86_64
samba-common-libs-4.7.1-6.el7.x86_64
samba-common-4.7.1-6.el7.noarch


Samba DC Server Versions
------------------------
Samba 4.8.1 compiled with MIT Kerberos against GNUTLS 3.5.0
Note: The IPA server and Samba AD server are running on separate VMs. Both have CentOS 7.3.1611 installed.

Here are the last few lines in the /var/log/httpd/error_log file from the IPA server. You can see that information about both sides is being exchanged but it ends up failing.

---
signed SMB2 message
lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
    out: struct lsa_lsaRSetForestTrustInformation
        collision_info           : *
            collision_info           : NULL
        result                   : NT_STATUS_OK
rpc reply data:
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    in: struct lsa_QueryTrustedDomainInfoByName
        handle                   : *
            handle: struct policy_handle
                handle_type              : 0x00000000 (0)
                uuid                     : 00000016-0000-0000-f15a-25affc130000
        trusted_domain           : *
            trusted_domain: struct lsa_String
                length                   : 0x0014 (20)
                size                     : 0x0014 (20)
                string                   : *
                    string                   : 'atlas5.hpc'
        level                    : LSA_TRUSTED_DOMAIN_INFO_FULL_INFO (8)
signed SMB2 message
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    out: struct lsa_QueryTrustedDomainInfoByName
        info                     : *
            info                     : NULL
        result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    in: struct lsa_CreateTrustedDomainEx2
        policy_handle            : *
            policy_handle: struct policy_handle
                handle_type              : 0x00000000 (0)
                uuid                     : 00000016-0000-0000-f15a-25affc130000
        info                     : *
            info: struct lsa_TrustDomainInfoInfoEx
                domain_name: struct lsa_StringLarge
                    length                   : 0x0014 (20)
                    size                     : 0x0016 (22)
                    string                   : *
                        string                   : 'atlas5.hpc'
                netbios_name: struct lsa_StringLarge
                    length                   : 0x000c (12)
                    size                     : 0x000e (14)
                    string                   : *
                        string                   : 'ATLAS5'
                sid                      : *
                    sid                      : S-1-5-21-600493320-3079828444-3896724992
                trust_direction          : 0x00000003 (3)
                       1: LSA_TRUST_DIRECTION_INBOUND
                       1: LSA_TRUST_DIRECTION_OUTBOUND
                trust_type               : LSA_TRUST_TYPE_UPLEVEL (2)
                trust_attributes         : 0x00000000 (0)
                       0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                       0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                       0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                       0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                       0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                       0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
        auth_info_internal       : *
            auth_info_internal: struct lsa_TrustDomainInfoAuthInfoInternal
                auth_blob: struct lsa_DATA_BUF2
                    size                     : 0x00000440 (1088)
                    data                     : *
                        data: ARRAY(1088)
        access_mask              : 0x00010000 (65536)
               0: LSA_TRUSTED_QUERY_DOMAIN_NAME
               0: LSA_TRUSTED_QUERY_CONTROLLERS
               0: LSA_TRUSTED_SET_CONTROLLERS
               0: LSA_TRUSTED_QUERY_POSIX
               0: LSA_TRUSTED_SET_POSIX
               0: LSA_TRUSTED_SET_AUTH
               0: LSA_TRUSTED_QUERY_AUTH
signed SMB2 message
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    out: struct lsa_CreateTrustedDomainEx2
        trustdom_handle          : *
            trustdom_handle: struct policy_handle
                handle_type              : 0x00000000 (0)
                uuid                     : 00000000-0000-0000-0000-000000000000
        result                   : NT_STATUS_ACCESS_DENIED
[Tue May 08 10:07:34.739980 2018] [:error] [pid 3854] ipa: INFO: [jsonserver_session] admin@IPA.DOMAIN.COM: trust_add/1(u'ATLAS5.HPC', realm_admin=u'Administrator', realm_passwd=u'********', realm_server=u'dc.atlas5.hpc', range_type=u'ipa-ad-trust', bidirectional=True, version=u'2.228'): ACIError
---

When you look at the Samba AD trust list, it shows the following entry. If you delete the trust and try to add it again, the entry comes back.

[root@atlas5dc samba]# bin/samba-tool domain trust list
Type[Forest] Transitive[Yes] Direction[BOTH] Name[ipa.domain.com]

I have pored over this for days and cannot find a reason why it's saying NT_STATUS_ACCESS_DENIED. I've tried verifying all the tedious details like DNS SRV records and user SIDs, so now I feel like it's going to be something more obvious :)
Thanks,
nate
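As an added example (mine, not part of the original post or of the IPA/Samba projects), a small Python parser for the Samba NDR debug dump quoted above as it lands in /var/log/httpd/error_log: it splits the dump into per-call in/out records and lists every LSA call whose result is not NT_STATUS_OK, so the lsa_CreateTrustedDomainEx2 failure can be picked out of a long log without reading the whole dump. The sample log is constructed from the values quoted in the post, and the indentation-based layout is assumed to match what Samba's NDR printer emits.

```python
import re

# Constructed sample, abridged from the NDR debug dump quoted in the post.
SAMPLE_LOG = """\
signed SMB2 message
lsa_lsaRSetForestTrustInformation: struct lsa_lsaRSetForestTrustInformation
    out: struct lsa_lsaRSetForestTrustInformation
        result                   : NT_STATUS_OK
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    in: struct lsa_QueryTrustedDomainInfoByName
        trusted_domain           : *
            trusted_domain: struct lsa_String
                string                   : 'atlas5.hpc'
lsa_QueryTrustedDomainInfoByName: struct lsa_QueryTrustedDomainInfoByName
    out: struct lsa_QueryTrustedDomainInfoByName
        result                   : NT_STATUS_OBJECT_NAME_NOT_FOUND
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    in: struct lsa_CreateTrustedDomainEx2
        sid                      : S-1-5-21-600493320-3079828444-3896724992
        trust_direction          : 0x00000003 (3)
lsa_CreateTrustedDomainEx2: struct lsa_CreateTrustedDomainEx2
    out: struct lsa_CreateTrustedDomainEx2
        result                   : NT_STATUS_ACCESS_DENIED
"""

HEADER_RE = re.compile(r"^(\w+): struct \1\s*$")        # 'call: struct call'
DIRECTION_RE = re.compile(r"^\s+(in|out): struct \w+\s*$")
FIELD_RE = re.compile(r"^\s+(\w+)\s*: (.*?)\s*$")        # indented 'name : value'

def parse_ndr_calls(text):
    """One record per in/out block; nested structs are flattened to leaf name -> value."""
    records, current = [], None
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            current = {"call": m.group(1), "direction": None, "fields": {}}
            records.append(current)
        elif current is None:
            continue                           # noise such as 'signed SMB2 message'
        elif (m := DIRECTION_RE.match(line)):
            current["direction"] = m.group(1)
        elif (m := FIELD_RE.match(line)) and m.group(2) != "*" \
                and not m.group(2).startswith("struct "):  # skip pointer and struct headers
            current["fields"][m.group(1)] = m.group(2)
    return records

def failed_calls(text):
    """[(call, status)] for every 'out' block whose result is not NT_STATUS_OK."""
    return [(r["call"], r["fields"].get("result")) for r in parse_ndr_calls(text)
            if r["direction"] == "out" and r["fields"].get("result") != "NT_STATUS_OK"]
```

Against a real server, feed the file contents in with `failed_calls(open("/var/log/httpd/error_log").read())`; the Apache-style `[Tue May 08 ...]` lines are ignored because they are neither call headers nor indented fields.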