We can get configuration number 6.4 kerboros/ldap working just fine and SSH with that, but we want option 6.3 SSSD/kerboros/ldap for the caching features.

When 6.3 option is enabled, we can do a ldapsearch just fine with
ldapsearch -Y GSSAPI -N "(sAMAccountName=username)"

It's when we try to SSH on the server is when we are unable to get it to work. We do ssh -vvvv username@servername and get a permission denied when we do the password

In /var/log/messages we get:
GSSAPI Error: Unspecified GSS failure. Minor code may prove more information (Matching credential not found)

In /var/log/secure, we get:
Invalid user username from ipaddress
input_userauth_request: invalid user username
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=servername
pam_succeed_if(sshd:auth): error retriving information about user username
Failed password for invalid user username from ipaddress port portid SSH2

Here is the /var/sssd/sssd.conf file:
[sssd]
services = nss, pam
config_file_version = 2
debug_level = 9
domains = default

[nss]

[pam]

[domain/default]

case_sensitive = false
ldap_uri = ldap://ldapservername.domain.domain.domain
ldap_search_base = dc=domain,dc=domain,dc=domain
ldap_user_search_base = dc=domain,dc=domain,dc=domain
ldap_group_search_base = dc=domain,dc=domain,dc=domain
ldap_id_use_start_tls = true
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = host/servername.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN

auth_provider = krb5
cache_credentials = true
krb5_realm = DOMAIN.DOMAIN.DOMAIN
krb5_server = ldapservername.DOMAIN.DOMAIN.DOMAIN
krb5_ccachedir = /tmp
krb5_auth_timeout = 15

ldap_user_object_class = user
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_princical = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

krb5_kpasswd = ldapservername.domain.domain.domain

access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_disable_referrals = true

[sudo]

[autofs]

[ssh]

I've tried changing around access_provider to simple or permit and it didn't work. I tried added ladp_access_filter to allow my id and tried objectClass=user and it didn't work. I modified the sssd.conf file based on another one I found at zews.org/rhel6-active-directory

Here is the password_auth file:
auth required pam_env.so
auth sufficient pam.unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry_3 type=
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

nsswitch.conf has the following:
passwd: files sss
shadow: files sss
group: files sss

ldap_child.log gives me the following:
[unpack_buffer] (0x1000): total buffer size 94
[unpack_buffer] (0x1000): realm_str size: 15
[unpack_buffer] (0x1000): got realm_str: DOMAIN.DOMAIN.DOMAIN
[unpack_buffer] (0x1000): princ_str size: 47
[unpack_buffer] (0x1000): got princ_str: host/server.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN
[unpack_buffer] (0x1000): keytab_name size = 16
[unpack_buffer] (0x1000): got keytab_name: /etc/krb5.keytab
[unpack_buffer] (0x1000): lifetime: 86400
[ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/server.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN]

That's it. The AD side sees that we are doing the query and doesn't see anything on their end in terms of errors and such.

At a loss right now on what configuration we are doing wrong that works with option 6.3. We have a working key tab for kerboros. We know we can see AD with ldapsearch. We just can't get it to work with SSSD and SSH.