>
> On these 2 servers, authentication works for testuser@sub1.example.com. I
> can authenticate with my_user@example.com on the ubuntu 14 with sssd
> 1.11.But I cannot authenticate with my_user@example.com on the ubuntu 16
> with sssd 1.13.

This is quite a new version, which already supports discovering trusted
domains in the same forest, so defining the root domain (example.com)
shouldn't be even required. The subdomain provider (which defaults to "ad",
same as the id_provider's value) should discover example.com on its own.

(Actually, with your setup, I would even think the explicitly defined
example.com domain is ignored at sssd would query the autodiscovered
subdomain of sub1.example.com if you ask it for any entry from example.com)

It's easier to use:
        ad_site = cy2
with a recent version. But I guess this won't work with 1.11..

> debug_level = 7
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
>
> I have played with ad_hostname, ldap_sasl_authid, ldap_sasl_realm with
> little succes (I am not even sure ldap_sasl_* variables are useful with
> id_provider =ad...)
>
> There is only one tiny difference I see in the SPN's : my ubuntu 16 is the
> only of my servers that has a host/SERVERNAME SPN, all the others have
> HOST/SERVERNAME (Capital HOST). I cannot not understand though why that
> would allow the auth to the subdomain but not to the main, but I know
> kerberos is very sensible to the case, so just in case. And anyway, that is
> coherent with the keytab.

First, sssd should not select the host/hostname principal to connect to
AD LDAP, but it should use the SHORTNAME$@REALM principal. You can search
for messages from "select_principal_from_keytab" to see what principal did
SSSD match, for example this is how my setup looks like:

(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [sdap_set_sasl_options] (0x0100): Will look for adclient.win.trust.test@WIN.TRUST.TEST in default keytab
(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [find_principal_in_keytab] (0x4000): Trying to find principal adclient.win.trust.test@WIN.TRUST.TEST in keytab.
(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [find_principal_in_keytab] (0x0400): No principal matching adclient.win.trust.test@WIN.TRUST.TEST found in keytab.
(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [find_principal_in_keytab] (0x4000): Trying to find principal ADCLIENT$@WIN.TRUST.TEST in keytab.
(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [match_principal] (0x1000): Principal matched to the sample (ADCLIENT$@WIN.TRUST.TEST).
(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [select_principal_from_keytab] (0x0200): Selected primary: ADCLIENT$
(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [select_principal_from_keytab] (0x0200): Selected realm: WIN.TRUST.TEST
(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to ADCLIENT$
(Tue Oct 24 19:58:20 2017) [sssd[be[win.trust.test]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to WIN.TRUST.TEST

I would also discourage enumerate=True, currently the performance is not
the best with large domains..

So all in all, I would check which principal does sssd choose..trimming
the config file by disabling the root domain and disabling enumeration
might help as well, at least as far as log files readability goes.

_______________________________________________