Sebastian Lisic
2019-Dec-13 22:24 UTC
[Samba] Samba AD Trust and Linux Clients Failing with Kerberos
Hi everyone,
I've been trying for a week to get my Linux clients to work with a Samba AD
trust and would appreciate any help.
I have two active directory domains: DOMAIN.COM and SUB.DOMAIN.COM
On each is a Samba 4.10.10 DC. There exists a two-way forest trust between the
two.
The two DCs can talk to one another, but the clients on each cannot (so clients
need to talk through their own domain's DC).
I can join/log into a Windows 10 or Server 2019 machine on SUB.DOMAIN.COM with
an admin/user account from DOMAIN.COM with no issue.
Linux machines on SUB.DOMAIN.COM however, cannot access anything on DOMAIN.COM.
Just trying to get a Kerberos ticket via kinit USER@DOMAIN.COM fails.
[root@client.SUB.DOMAIN.COM /]# KRB5_TRACE=/dev/stdout kinit user@DOMAIN.COM
[1221] 1576265136.982936: Getting initial credentials for user@DOMAIN.COM
[1221] 1576265136.982938: Sending unauthenticated request
[1221] 1576265136.982939: Sending request (196 bytes) to DOMAIN.COM
[1221] 1576265137.5412: Retrying AS request with master KDC
[1221] 1576265137.5413: Getting initial credentials for user@DOMAIN.COM
[1221] 1576265137.5415: Sending unauthenticated request
[1221] 1576265137.5416: Sending request (196 bytes) to DOMAIN.COM (master)
kinit: Cannot find KDC for realm "DOMAIN.COM " while getting initial credentials
I've tried numerous krb5.conf settings, but most of the time they fail like
the above. SUB.DOMAIN.COM works fine, but anything sent to DOMAIN.COM fails. How
do I configure Kerberos to route tickets through the DC of SUB.DOMAIN.COM?
Here is one of my attempted krb5.conf files:
[libdefaults]
default_realm = SUB.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
SUB.DOMAIN.COM = {
}
DOMAIN.COM = {
}
[domain_realm]
.sub.domain.com = SUB.DOMAIN.COM
sub.domain.com = SUB.DOMAIN.COM
[capaths]
SUB.DOMAIN.COM = {
DOMAIN.COM = .
}
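For comparison, here is an added krb5.conf (not from the original post) with explicit KDC entries, a domain_realm mapping for both domains, and capaths in both directions. Note that the AS exchange behind kinit user@DOMAIN.COM always goes to a KDC of the realm named in the principal; capaths only governs the cross-realm TGS path once a TGT exists, so no krb5.conf setting makes the initial request go through the SUB.DOMAIN.COM DC. The hostnames dc1.sub.domain.com and dc1.domain.com are assumed placeholders.

```ini
[libdefaults]
    default_realm = SUB.DOMAIN.COM
    dns_lookup_realm = false
    # DNS SRV lookup is only used for realms without an explicit kdc entry below
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    SUB.DOMAIN.COM = {
        # assumed hostname: replace with the real DC of SUB.DOMAIN.COM
        kdc = dc1.sub.domain.com
        admin_server = dc1.sub.domain.com
    }
    DOMAIN.COM = {
        # assumed hostname: the AS-REQ for user@DOMAIN.COM must reach this
        # host on port 88; a "Cannot find KDC" error with this entry present
        # means the name does not resolve, a timeout means the port is blocked
        kdc = dc1.domain.com
        admin_server = dc1.domain.com
    }

[domain_realm]
    .sub.domain.com = SUB.DOMAIN.COM
    sub.domain.com = SUB.DOMAIN.COM
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

[capaths]
    # Direct trust in both directions: "." means no intermediate realm
    SUB.DOMAIN.COM = {
        DOMAIN.COM = .
    }
    DOMAIN.COM = {
        SUB.DOMAIN.COM = .
    }
```

With a SUB.DOMAIN.COM TGT already in the cache, a request for a service principal in DOMAIN.COM is what exercises the capaths entry, and KRB5_TRACE will then show the cross-realm TGS-REQ.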