LinuxQuestions.org
01-29-2016, 04:48 AM   #1
mike1969
SSH-access and ActiveDirectory trust relationship with sub-domains


We use many Linux servers with Oracle Enterprise 7.1/7.2 in an Active Directory domain/sub-domains.

That domain/sub-domains (domain A) has a bidirectional trust relationship with another Active Directory domain (domain B).

Users from domain B must sign in on Linux systems in domain/sub-domains A.

Global security groups from AD domain B are members of domain-local groups in AD domain A.

/etc/samba/smb.conf is configured with id-map-ranges for domain A and domain B and winbind-separator +.
/etc/krb5.conf is configured with 'realms' and 'domain_realms' for domain A and domain B.
Both 'id domain-A-username' and 'id domain-B+username' are successful.
Group memberships are exactly displayed.

The AD domain-local groups of domain A are inside /etc/ssh/sshd_config and /etc/sudoers for SSH access and sudo rights.
But although smb.conf, krb5.conf and the id lookup are successful and the AD domain B groups are in the AD domain A groups, nobody from domain B can sign in on the Linux systems.
The only successful way I found was to put the AD global groups of domain B in sshd_config and sudoers.
But that is not wanted, because we have the domain-local groups of domain A in sshd_config and sudoers.
And the domain B groups are in those groups. Linux can't interpret that?

And SSH access for users in domain B is only successful on systems in MAIN domain A, not in the SUB-domains of A,
although the sshd_config and sudoers files are the same in MAIN and SUB.

Is there a solution so that Linux can interpret the AD domain memberships?
And so that access is possible on SUB-domain systems?

Sorry for my bad English, I'm German.

And thanks a lot for answers :-)
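
One way to test the question in the post above: sshd's AllowGroups is compared with the group list the host resolves for the user, so the check is whether a domain-local group from sshd_config shows up in that list for a domain-B user. This is an added example, not part of the original post; the group names, the sshd_config fragment and the id output in it are constructed.

```shell
#!/bin/sh
# Added example. Group names, sshd_config lines and id output are constructed.

# Print every AllowGroups entry of an sshd_config file, one per line.
# The keyword is case-insensitive; Match blocks and quoted names are not handled.
allow_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# stdin: the user's resolved group names, one per line
#        (live: id -Gnz 'DOMB+user' | tr '\0' '\n').
# $1:    sshd_config path.
# Prints the first AllowGroups entry that one of the groups matches and
# returns 0; prints nothing and returns 1 when no entry matches.
matching_allow_group() {
    user_groups=$(cat)
    hit=$(allow_groups "$1" | while IFS= read -r pat; do
        printf '%s\n' "$user_groups" | while IFS= read -r g; do
            # Unquoted $pat is a glob, so * and ? behave as in sshd patterns.
            case $g in $pat) printf '%s\n' "$pat" ;; esac
        done
    done | head -n 1)
    [ -n "$hit" ] || return 1
    printf '%s\n' "$hit"
}

# Constructed sshd_config fragment: only the domain-A domain-local group is allowed.
sample_config() {
    printf '%s\n' '# access via domain-local group' 'AllowGroups DOMA+dl-linux-ssh'
}

# Constructed id output for a domain-B user whose nested membership in the
# domain-A group was NOT resolved by the host.
sample_unresolved() { printf '%s\n' 'DOMB+domain users' 'DOMB+gg-linux-admins'; }

# Same user, with the domain-A domain-local group present in the resolved list.
sample_resolved() { sample_unresolved; printf '%s\n' 'DOMA+dl-linux-ssh'; }

demo() {
    cfg=$(mktemp) && sample_config > "$cfg"
    for s in sample_unresolved sample_resolved; do
        if m=$("$s" | matching_allow_group "$cfg"); then
            echo "$s: allowed by $m"
        else
            echo "$s: no AllowGroups entry matches"
        fi
    done
    rm -f "$cfg"
}
demo
```

Running the same comparison on a MAIN-domain host and a SUB-domain host with the real `id` output shows whether the two hosts resolve different group lists for the same domain-B user.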