This sounds wrong:
[sdap_kinit_send] (0x0400): Attempting kinit (default, host/<servername>.<subdomain>.<domain>, <SUBDOMAIN>.<DOMAIN>, 86400)
With AD, you normally want to use the SHORTNAME$REALM principal, not the
host/hostname principal, because the latter is only a service principal,
not a user/computer one.
But since you're using id_provider=ad, then sssd should have already picked
up that principal. Is the SHORTNAME$@REALM principal in your keytab at all?

Yes, it is

root@servername:~# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------ --------------
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
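
The keytab check discussed above, as an added example that is not part of the original thread: it parses `klist -k` output and reports whether the computer-account principal (NAME$@REALM) is present, falling back to a host/ service principal. The function name `pick_ad_principal` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify principals in `klist -k` output.
#
# pick_ad_principal REALM    (reads `klist -k` output on stdin)
#   exit 0: prints the computer-account principal NAME$@REALM
#   exit 1: no computer account; prints the first host/ service principal
#   exit 2: neither kind of principal exists for REALM
pick_ad_principal() {
    awk -v realm="$1" '
        # Data rows are "<KVNO> <principal>"; headers and the dashed rule
        # do not start with a number, so they are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            princ = $2
            at = index(princ, "@")
            if (at == 0) next
            if (substr(princ, at + 1) != realm) next   # other realm: ignore
            if (seen[princ]++) next                    # one row per enctype
            name = substr(princ, 1, at - 1)
            if (name ~ /\$$/ && name !~ /\//) {
                # Trailing "$" and no "/": an AD computer account.
                if (machine == "") machine = princ
            } else if (name ~ /^host\//) {
                # host/<fqdn>: a service principal only.
                if (service == "") service = princ
            }
        }
        END {
            if (machine != "") { print machine; exit 0 }
            if (service != "") { print service; exit 1 }
            exit 2
        }'
}

# Constructed sample, shaped like the listing in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM'

# Prints the computer-account principal for the sample keytab.
printf '%s\n' "$SAMPLE_KLIST" | pick_ad_principal SUB1.EXAMPLE.COM
```

On a live host, pipe the real listing in: `klist -k | pick_ad_principal SUB1.EXAMPLE.COM`.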