Hello,

I'm in an interop puzzle dilemma; hope you can help me out.

Currently all our user accounts are hosted in an Active Directory environment we don't own (another team handles that for us), acme.tld for this discussion.

We need to implement:
- FreeIPA to handle our linux machine accounts and process/app users with ipa.domain.tld
- FreeIPA (same as above or different cluster?) to handle external provider accounts with ext.domain.tld
- Own AD Controllers to handle our Windows machines with ad.domain.tld

The aim is:
1. Allow acme.tld users to access ipa.domain.tld machines.
2. Allow acme.tld users to access ad.domain.tld machines.
3. Allow ext.domain.tld users to access ipa.domain.tld machines
4. Allow ext.domain.tld users to access ad.domain.tld machines.

1 seems to be solved by trusting acme.tld on the FreeIPA side.
2 seems to be solved by trusting acme.tld on the AD side.
Not sure how to solve 3 and 4; can you provide any recommendation?

Regards,
CI.-