Thanks for your answers so far. A question about cross realm trusts though: This requires the AD servers to be available when doing a login via FreeIPA, right? Or is FreeIPA caching information from AD? We don't want Linux logins to be dependent on a windows server being available, that won't end well :)