#5 improve trusted domain documentation
Opened 7 years ago by rmeggins. Modified 4 years ago

When running ipa-adtrust-install with -U, be sure to add the --schema-compat flag to configure the schema compat tree for use with trusted domains.

When specifying the user id of the user in the other domain, use the form "userid@domain" where "userid" is the user id in the remote domain and "domain" is the lower case domain. For example, if you have a Windows user with login "testuser" in the Windows domain "ADDOMAIN.TEST" you would use "testuser@addomain.test" as the user id in the linux system.

To verify that the HBAC rule is set up:
$ kinit admin
$ ipa hbacrule-show allow_all
Rule name: allow_all
...

To test with getent passwd:
$ getent passwd testuser@addomain.test
testuser@addomain.test:*:88888888:88888889:testuser:/home/addomain.test/testuser:

To test with ssh:
$ ssh -l testuser@addomain.test localhost
testuser@addomain.test password: mypassword
$[testuser@addomain.test localhost]:

To LDAP search for the user in the compat tree:
$ ldapsearch -xLLL -b 'cn=users,cn=compat,dc=ipadomain,dc=test' '(&(objectclass=posixAccount)(uid=testuser@addomain.test))'

To do an LDAP simple bind (username and password) for the user in the compat tree:
$ ldapsearch -xLLL -D 'uid=testuser@addomain.test,cn=users,cn=compat,dc=ipadomain,dc=test' -w mypassword -s base -b "" 1.1
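The checks above all depend on getting the trusted-user naming right: a lower-case domain after the "@", a "*" in the password field (the account has no local password; authentication is delegated to AD), and a bind DN under cn=users,cn=compat. The following helper functions are an added example, not part of this ticket or of FreeIPA; the function names are hypothetical, and the sample getent line is the one from the ticket, so the script runs without a live trust. It goes slightly beyond the ticket by also accepting the "DOMAIN\user" spelling that Windows users often type.

```sh
#!/bin/sh
# Added example (not from the ticket or from FreeIPA): offline helpers that
# encode the trusted-domain conventions described in the ticket.
# All function names are hypothetical.

bs='\'   # a single literal backslash, used to recognise DOMAIN\user logins

# Normalise a trusted-domain login to "userid@domain" with a lower-case
# domain. Accepts "user@DOMAIN.TEST" and "DOMAIN.TEST\user"; anything
# without a domain part is returned unchanged.
trusted_login() {
    case "$1" in
        *@*)
            user=${1%@*}
            domain=${1##*@}
            ;;
        *"$bs"*)
            domain=${1%%"$bs"*}
            user=${1#*"$bs"}
            ;;
        *)
            printf '%s\n' "$1"
            return 0
            ;;
    esac
    domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    printf '%s@%s\n' "$user" "$domain"
}

# Build the simple-bind DN for a trusted user in the schema compat tree.
# $1 = normalised login, $2 = IPA suffix (e.g. dc=ipadomain,dc=test).
compat_bind_dn() {
    printf 'uid=%s,cn=users,cn=compat,%s\n' "$1" "$2"
}

# Build the LDAP filter used to find the trusted user in the compat tree.
compat_search_filter() {
    printf '(&(objectclass=posixAccount)(uid=%s))\n' "$1"
}

# Validate one "getent passwd" line for a trusted user:
#  - the login is already in user@lowercase-domain form,
#  - the password field is "*" (no local password hash),
#  - the UID is numeric,
#  - the home directory follows the /home/<domain>/<user> layout seen in
#    the ticket's output.
# Returns 0 when every check holds, 1 otherwise.
check_getent_line() {
    line=$1
    login=$(printf '%s' "$line" | cut -d: -f1)
    passwd=$(printf '%s' "$line" | cut -d: -f2)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    home=$(printf '%s' "$line" | cut -d: -f6)

    [ "$login" = "$(trusted_login "$login")" ] || return 1
    [ "$passwd" = "*" ] || return 1
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    user=${login%@*}
    domain=${login##*@}
    [ "$home" = "/home/$domain/$user" ] || return 1
    return 0
}

# Sample input taken from the ticket's getent output (no live lookup needed).
SAMPLE_GETENT='testuser@addomain.test:*:88888888:88888889:testuser:/home/addomain.test/testuser:'

# Demonstration when run directly.
login=$(trusted_login 'ADDOMAIN.TEST\testuser')
echo "login:  $login"
echo "bind:   $(compat_bind_dn "$login" 'dc=ipadomain,dc=test')"
echo "filter: $(compat_search_filter "$login")"
if check_getent_line "$SAMPLE_GETENT"; then
    echo "getent line: ok"
else
    echo "getent line: unexpected format"
fi
```

The normaliser is what an HBAC or sudo rule test harness would feed to `getent`, `ssh -l` and `ldapsearch -D`, so the same string reaches every check; a mixed-case domain in any one of them is the usual reason the lookups in the ticket disagree with each other.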


sorry, the ipa-adtrust-install flag is --enable-compat, not --schema-compat
