[Freeipa-users] Cannot log in as an AD user to FreeIPA client but can log in to server

Hi all, I've set up two FreeIPA servers without CA (I provided 3rd party certificates during the installation process). I also established trust to an AD domain as below: ipa trust-add --type=ad AD.DOMAIN --external=True --all I checked that I can successfully obtain cross-realm ticket (kvno -S host ...) as described below: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... I also can ssh to either of the two FreeIPA servers as user(a)ad.domain. However, when I configured FreeIPA client and tried to ssh into it / su inside it as the same ad user then it fails (I cannot ssh, when I try to su - as the ad user it fails with user(a)ad.domain does not exist. I increased sssd log level on both client and servers but I cannot find anything spooky there (but I might as well not know what to look for :)). Can someone please advise on how to narrow this down?