I had a VM down for a great number of days.  Apparently, it was not 30 days.  Because even though it initially didn't correct do AD authentication, I fixed one misconfiguration in /etc/krb5.conf, restarted SSSD and it did.

But that raises a bigger question.  If it's been >30 days and my machine account is no longer valid, how do I rejoin the domain?

Is it:

   realm leave (no flags)

   readlm join (with all my usual flags that I use on the initial realm join)

Spike