Cross realm Kerberos MIT ↔ Active Directory (Parent and children)

MarceloMF marcelomf at gmail.com
Tue Nov 8 05:14:32 EST 2011


Hi all,

I have the realms:
TREINO.ORG → Kerberos MIT
MATRIZ.ORG → Active Directory Parent
FILIAL.MATRIZ.ORG → Active Directory Child 1
PAC.MATRIZ.ORG → Active Directory Child 2

My challenge is to make it so that the user joao at TREINO.ORG can handle a
share on PAC.MATRIZ.ORG. joao is a user in FILIAL.MATRIZ.ORG, and in
PAC.MATRIZ.ORG I have correctly set permissions for
joao at FILIAL.MATRIZ.ORG.

I've tried making a trust relationship between TREINO.ORG and each Active
Directory domain, and holding the trust only with the parent domain (MATRIZ.ORG).
In my tests, ticket issuance is working properly. My problem seems to
be related to user mapping in Active Directory. When I map a user in
MATRIZ.ORG, that user inherits the permissions of the user in question
itself. The problem is that when I establish the trust only with the parent
domain and leave transitivity enabled, the mapping of the AD permissions
only works correctly for users of the parent domain. When I make the
trust relationship with each domain of the AD, FILIAL.MATRIZ.ORG does
not recognize a user mapped in PAC.MATRIZ.ORG.

It seems that this problem is caused by the MS-PAC structure of Microsoft
Active Directory. Anyway, any help? Thank you!

-- 
Regards, Marcelo M. Fleury
Blog - http://marcelomf.blogspot.com/
Slides - http://www.slideshare.net/marcelomf/

"The first duty of intelligence is to distrust itself." By Einstein


