Sorry about that. Bleeping send-button shortcut.
Let me continue.
Command I use to test: ssh userid@subdomain2@localhost
The krb5_child.log contains these error messages:
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [SUBDOMAIN1]
[[sssd[krb5_child[5720]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [5621224]
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
[[sssd[krb5_child[5720]]]] [validate_tgt] (0x0020): TGT failed verification using key for [RestrictedKrbHost/myclient@SUBDOMAIN1].
[[sssd[krb5_child[5720]]]] [get_and_save_tgt] (0x0020): 1581: [-1765328377][Server not found in Kerberos database]
[[sssd[krb5_child[5720]]]] [map_krb5_error] (0x0020): 1657: [-1765328377][Server not found in Kerberos database]
I can get it to work using 'krb5_validate = false', but that disables a nice security measure.