Kerberos authentication to root domain in Active Directory


I have an environment in Active Directory that is composed of a root and a child domain, let's call them my.root.domain.com and root.domain.com

I have a RHEL7 server that I've spun up, which has no problem at all authenticating against the "my.root.domain.com" domain. I cannot, however, authenticate using an account from the domain "root.domain.com". I can look up accounts using id in both domains:
id -a user1@my.root.domain.com
and
id -a user2@root.domain.com

both show my AD groups. As the root user, I can even "su - " to any user in either domain (doesn't require authentication). The problem arises when authentication happens. Trying to authenticate to user2@root.domain.com fails.

In smb.conf I have:
...
workgroup = MY
realm = MY.ROOT.DOMAIN.COM
security = ads
...

In /etc/krb5.conf I have:
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
proxiable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = MY.ROOT.DOMAIN.COM
dns_lookup_kdc = true
[realms]
MY.ROOT.DOMAIN.COM = {
}
ROOT.DOMAIN.COM = {
}

[domain_realm]
my.root.domain.com = MY.ROOT.DOMAIN.COM
.my.root.domain.com = MY.ROOT.DOMAIN.COM
root.domain.com = ROOT.DOMAIN.COM
.root.domain.com = ROOT.DOMAIN.COM

A packet trace does reveal that when trying to authenticate as user2@root.domain.com, it sends a KRB query of:
CNameString: ROOT.DOMAIN.COMuser2
realm: MY.ROOT.DOMAIN.COM

I know I'm the village idiot when it comes to the AD stuff, but hoping someone has a good suggestion. I'm fairly certain my krb config is not quite what it should be.

Does anyone have any suggestions how to get authentication to work with accounts located in the root domain "root.domain.com"?
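As an added example (not part of the post above, nor any vendor's code), here is a small Python script that derives the realm a client should use for a principal from the [domain_realm] mapping in the krb5.conf shown above, and compares it with the CNameString/realm fields seen in a packet trace. The suffix walk in realm_for_domain approximates libkrb5's lookup order (exact name, then each parent with a leading dot, then default_realm); the trace values are copied from the post.

```python
"""Predict the AS-REQ client name and realm from a [domain_realm] mapping
and check them against what a packet trace actually shows."""
import re

# The poster's krb5.conf, trimmed to the sections this check needs.
KRB5_CONF = """
[libdefaults]
default_realm = MY.ROOT.DOMAIN.COM
[domain_realm]
my.root.domain.com = MY.ROOT.DOMAIN.COM
.my.root.domain.com = MY.ROOT.DOMAIN.COM
root.domain.com = ROOT.DOMAIN.COM
.root.domain.com = ROOT.DOMAIN.COM
"""

def parse_krb5_conf(text):
    """Return (default_realm, {domain: realm}) from an INI-style krb5.conf."""
    section, mapping, default_realm = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        key, _, val = line.partition('=')
        key, val = key.strip().lower(), val.strip()
        if section == 'domain_realm' and val:
            mapping[key] = val
        elif section == 'libdefaults' and key == 'default_realm':
            default_realm = val
    return default_realm, mapping

def realm_for_domain(domain, mapping, default_realm):
    """Approximation of libkrb5: exact entry first, then each parent domain
    written with a leading dot (longest first), then default_realm."""
    domain = domain.lower()
    if domain in mapping:
        return mapping[domain]
    labels = domain.split('.')
    for i in range(1, len(labels)):
        parent = '.' + '.'.join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return default_realm

def expected_principal(upn, default_realm, mapping):
    """user@dns.domain -> (cname, realm) a correctly configured client sends."""
    user, _, domain = upn.rpartition('@')
    return user, realm_for_domain(domain, mapping, default_realm)

def trace_matches(upn, cname, realm, default_realm, mapping):
    """True when the trace's CNameString/realm agree with the mapping."""
    return (cname, realm) == expected_principal(upn, default_realm, mapping)
```

Feeding the post's trace (CNameString "ROOT.DOMAIN.COMuser2", realm "MY.ROOT.DOMAIN.COM") into trace_matches returns False, while the mapping predicts cname "user2" in realm "ROOT.DOMAIN.COM".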
