During 'ipa trust-add ...' information about the trusted forest, its domain and domain suffices are written into the replicated LDAP tree to make this data available to clients and other services.

E.g. the KDC needs this information to know how to handle tickets from the trusted forest. If an unknown domain is found while the ticket is processed ipadb_reinit_mspac() is called to refresh the data.

Since some time IPA supports enterprise principals and can redirect a client to a different realm if the KDC assumes the principal comes from a trusted domain. To do this the data about the trusted forest is needed as well.

Since some time SSSD also enables enterprise principals automatically if it detects the alternative domain suffixes are defined for the trusted domain. As a result the clients will start sending kinit request with enterprise principals which the KDC currently cannot handle because ipadb_reinit_mspac() is only called while processing remote tickets but while processing AS request.

To reproduce setup a new trust and the call

KRB5_TRACE=/dev/stdout kinit -E abc@TRUSTED.FOREST

As a response you will receive a 'Client not found in Kerberos database' from the IPA KDC. And this will not change if no other traffic triggers an update of the trusted domain data in the KDC.

After a restart the IPA KDC will return a 'Realm not local to KDC' together with the name of the realm the client should check next. This restart should not be needed and after a reasonable timeout (currently ipadb_reinit_mspac() uses 60s) the KDC should be able to handle update data of the trusted forest.