MIT Kerberos 1.14 can now properly handle S4U2Self across domain and forest boundaries (I tested this in a setup with 2 AD forests with request going from a child domain to a child domain in the other forest). Unfortunately it is currently not working with IPA in neither direction.
Metadata Update from @sbose: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Related: https://pagure.io/freeipa/issue/8310
Metadata Update from @abbra: - Issue close_status updated to: None - Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
Login to comment on this ticket.