> On Mon, Oct 23, 2017 at 4:55 PM, Jeremy Monnet <jmonnet@gmail.com> wrote:
>
> This sounds wrong:
>      [sdap_kinit_send] (0x0400): Attempting kinit (default, host/<servername>.<subdomain>.<domain>, <SUBDOMAIN>.<DOMAIN>, 86400)
> with AD, you normally want to use the SHORTNAME$@REALM principal, not the
> host/hostname principal, because the latter is only a service principal,
> not a user/computer one.
>
> But since you're using id_provider=ad, then sssd should have already picked
> up that principal... is the SHORTNAME$@REALM principal in your keytab at all?
Yes, it is:

root@servername:~# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------

Some more information (in case that would help...)

1 AD forest with multiple domains: example.com and sub1.example.com
2 users: my_user@example.com, testuser@sub1.example.com
2 servers set up the same way (same adcli commands to get the krb5.keytab, same resolv.conf/hosts/sssd.conf etc.), but one is Ubuntu 14 with sssd 1.11.8-0ubunt and one is Ubuntu 16 with sssd 1.13.4-1ubunt

(BTW I have about 15 other linuces (RHEL6/RHEL7/Ubuntu 14) that are connected only to example.com and working OK. Only these 2 servers are members of sub1.example.com and also need to authenticate users from example.com.)

On these 2 servers, authentication works for testuser@sub1.example.com. I can authenticate with my_user@example.com on the Ubuntu 14 with sssd 1.11, but I cannot authenticate with my_user@example.com on the Ubuntu 16 with sssd 1.13.

sssd.conf for both servers:

[sssd]
config_file_version = 2
debug_level = 0
domains = sub1.example.com,example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false

[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false

I have played with ad_hostname, ldap_sasl_authid and ldap_sasl_realm with little success (I am not even sure the ldap_sasl_* options are useful with id_provider = ad...)

There is only one tiny difference I see in the SPNs: my Ubuntu 16 is the only one of my servers that has a host/SERVERNAME SPN; all the others have HOST/SERVERNAME (capital HOST). I cannot understand, though, why that would allow the auth to the subdomain but not to the main domain, but I know Kerberos is very sensitive to case, so just in case. And anyway, that is coherent with the keytab.
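A small diagnostic for the keytab/principal question raised in this thread, added here as an example (it is not code from the thread or from SSSD itself): it parses klist -k output, builds the default principal candidates in the order I understand sssd-ldap(5) to document for an unset ldap_sasl_authid (hostname@REALM, netbiosname$@REALM, host/hostname@REALM, *$@REALM, host/*@REALM, host/*), reports which keytab entry would be picked, and lists entries that differ from a candidate only by case, such as HOST/SERVERNAME versus host/SERVERNAME. The embedded klist output, the hostname servername.sub1.example.com and the realm SUB1.EXAMPLE.COM are constructed for the example, and the candidate order is my reading of the man page rather than something stated in the thread.

```python
"""Which keytab principal would SSSD's AD provider pick, and is the case right?

Added example, not code from this thread or from SSSD. It parses `klist -k`
output and applies the default candidate order that sssd-ldap(5) documents for
an unset ldap_sasl_authid (my reading of the man page; treat as an assumption).
Kerberos principal names are case-sensitive, so fnmatchcase is used throughout.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample of `klist -k` output for a host joined to SUB1.EXAMPLE.COM.
# The principals are made up for this example; note the HOST/ (upper case) SPN.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 HOST/SERVERNAME@SUB1.EXAMPLE.COM
   2 RestrictedKrbHost/servername.sub1.example.com@SUB1.EXAMPLE.COM
"""


def parse_klist(text):
    """Return (kvno, principal) pairs from `klist -k` output, skipping headers."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def default_candidates(fqdn, realm, netbios=None):
    """Candidate principals in the order sssd-ldap(5) gives for an unset
    ldap_sasl_authid: hostname@REALM, netbiosname$@REALM, host/hostname@REALM,
    *$@REALM, host/*@REALM, host/*.  The NetBIOS name defaults to the upper-cased
    short hostname, which is how AD names the computer account (assumption)."""
    if netbios is None:
        netbios = fqdn.split(".")[0].upper()
    return [
        f"{fqdn}@{realm}",
        f"{netbios}$@{realm}",
        f"host/{fqdn}@{realm}",
        f"*$@{realm}",
        f"host/*@{realm}",
        "host/*",
    ]


def select_principal(principals, candidates):
    """First (candidate, keytab principal) pair that matches case-sensitively,
    or None when no candidate is present in the keytab."""
    for cand in candidates:
        for princ in principals:
            if fnmatchcase(princ, cand):
                return cand, princ
    return None


def case_mismatches(principals, candidates):
    """(candidate, keytab principal) pairs that match only when case is
    ignored, e.g. a HOST/SERVERNAME@REALM entry while SSSD looks for host/*."""
    found = []
    for cand in candidates:
        for princ in principals:
            if not fnmatchcase(princ, cand) and fnmatchcase(princ.lower(), cand.lower()):
                found.append((cand, princ))
    return found


def report(klist_text, fqdn, realm):
    """Human-readable findings for one keytab, one host and one realm."""
    principals = [p for _, p in parse_klist(klist_text)]
    cands = default_candidates(fqdn, realm)
    chosen = select_principal(principals, cands)
    lines = []
    if chosen:
        lines.append(f"would use {chosen[1]} (matched candidate {chosen[0]})")
    else:
        lines.append("no default candidate in keytab; set ldap_sasl_authid explicitly")
    for cand, princ in case_mismatches(principals, cands):
        lines.append(f"case-only match: keytab has {princ}, candidate is {cand}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_KLIST, "servername.sub1.example.com", "SUB1.EXAMPLE.COM"):
        print(line)
```

On a real host, feed it the output of klist -k together with the machine's FQDN and the realm from krb5_realm (or ldap_sasl_realm if set); a "case-only match" line means the keytab holds a principal that a case-insensitive tool would accept but that the Kerberos library will not, which is exactly the HOST/ versus host/ discrepancy worth ruling out before changing ad_hostname or ldap_sasl_authid.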