This is probably a silly idea ...
I wonder if there is some way to use Kerberos referrals on the AD side in a way
which would return a cross-realm referral to the IPA realm.
Maybe it could be used in a Frankenstein setup where an IPA client belongs to a DNS
domain managed by AD ... I do not know, just throwing out the idea.