We've setup a two-way trust with AD and it seems to have worked, but it doesn't look like it is working correctly. The kerberos commands (kinit and kvno) work fine, but things like 'id aduser(a)addomain.example.com' and 'getent passwd aduser(a)addomain.example.com' don't work. # ipa trust-add --type ad addomain.example.com --admin adadmin --password --two-way=true Active Directory domain administrator's password: ----------------------------------------------------- Added Active Directory trust for realm "addomain.example.com" ----------------------------------------------------- Realm name: addomain.example.com Domain NetBIOS name: ADDOMAIN Domain Security Identifier: S-1-5-21-2229161606-873856335-779138662 Trust direction: Two-way trust Trust type: Active Directory domain Trust status: Established and verified # kinit aduser(a)addomain.example.com Password for aduser(a)addomain.example.com: # klist Ticket cache: KEYRING:persistent:0:krb_ccache_o3D2R5S Default principal: aduser(a)ADDOMAIN.EXAMPLE.COM Valid starting Expires Service principal 07/20/2017 12:16:41 07/20/2017 22:16:41 krbtgt/ ADDOMAIN.EXAMPLE.COM(a)ADDOMAIN.EXAMPLE.COM renew until 07/21/2017 12:16:38 # id aduser(a)addomain.example.com id: ‘aduser(a)addomain.example.xn--com-to0a: no such user Is this the best way to test the trust? We are running FreeIPA 4.4 and Windows Server 2012 R2 When setting up the trust we needed to modify /etc/hosts as described in https://bugzilla.redhat.com/show_bug.cgi?id=878168 Thanks, Steve