All,
I had a VM down for a great number of days. Apparently, it was not 30 days. Because even though it initially didn't correct do AD authentication, I fixed one misconfiguration in /etc/krb5.conf, restarted SSSD and it did.
But that raises a bigger question. If it's been >30 days and my machine account is no longer valid, how do I rejoin the domain?
Is it:
realm leave (no flags)
readlm join (with all my usual flags that I use on the initial realm join)
Spike