Is this something you set on the client itself or on the FreeIPA server for the host? I never set such an option for any client though. I did enroll the other clients with the “freeipa-client-install” command and tried Fedora with the initial setup. So there might be a difference in how it enrolls?
I found the allow_all rule that is enabled. Mind you, it is only on Fedora that I seem to have this issue. Ubuntu and openSUSE users can log in just fine.