On Tue, Oct 31, 2017 at 10:57:23AM -0600, Jeff Sadowski wrote:
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
I would recommend trying to test with the help of ldapsearch -Y GSSAPI:
 - kinit -k 'shortname$@realm'
 - KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.dc.server -b ""
because it might be easier to take sssd out of the picture.
I would also recommend to check if the client's hostname matches how the client is registered to AD and that all names resolve back and forth.
Finally, I would check the domain_realm mappings in krb5.conf to make sure libkrb5 can infer the correct realm from the domain part of the host name.
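The three checks from the reply above, collected into shell functions as an added example that is not part of the original thread: the GSSAPI bind with sssd out of the picture, the forward/reverse name check, and a re-implementation of the [domain_realm] lookup libkrb5 performs. All host, realm and DC names are constructed placeholders and the function names are hypothetical.

```shell
# Added example, not part of the original thread. Names below are
# constructed placeholders and the function names are hypothetical.
# Steps 1 and 2: take sssd out of the picture. Authenticate with the
# machine-account keytab, then bind with GSSAPI while libkrb5 traces to stderr.
gssapi_bind_test() {                     # $1 shortname, $2 realm, $3 DC
    kinit -k "${1}\$@${2}" || return 1
    KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H "ldap://${3}" -b "" -s base
}

# Step 3: the client's own name must resolve forward and back to itself.
dns_roundtrip_check() {
    fqdn=$(hostname -f) || return 1
    ip=$(getent hosts "$fqdn" | awk 'NR == 1 { print $1 }')
    back=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    [ "$fqdn" = "$back" ] || { echo "mismatch: $fqdn -> $ip -> $back"; return 1; }
}

# Step 4: reproduce libkrb5's [domain_realm] lookup. The name is lowercased,
# then the exact name and every parent domain (with and without a leading
# dot) are tried, most specific first. Returns 1 when nothing matches.
krb5_realm_for_host() {                  # $1 krb5.conf path, $2 hostname
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    candidates="$host"; rest="$host"
    while [ "${rest#*.}" != "$rest" ]; do
        rest="${rest#*.}"
        candidates="$candidates .$rest $rest"
    done
    for key in $candidates; do
        realm=$(awk -v k="$key" '
            /^[ \t]*[#;]/ { next }
            /^[ \t]*\[/   { insec = ($0 ~ /\[domain_realm\]/); next }
            insec { gsub(/[ \t]*=[ \t]*/, " = ")
                    if (tolower($1) == k && $2 == "=") { print $3; exit } }' "$1")
        [ -n "$realm" ] && { printf '%s\n' "$realm"; return 0; }
    done
    return 1
}

# Constructed krb5.conf fragment for exercising krb5_realm_for_host.
write_sample_krb5_conf() {
    f=$(mktemp) && cat > "$f" <<'EOF'
[libdefaults]
    default_realm = AD.EXAMPLE.COM
[domain_realm]
    legacy.corp.example.com = OLD.EXAMPLE.COM
    .corp.example.com = AD.EXAMPLE.COM
    example.net=OTHER.REALM
EOF
    printf '%s\n' "$f"
}
```

Source the file and run `krb5_realm_for_host /etc/krb5.conf "$(hostname -f)"` to see which realm libkrb5 will infer for the client; an empty result means the mapping that the reply refers to is missing.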