It looks like my problems with AD trust on server side went away when I upgraded to FreeIPA 4.5 using Centos 7.4 packages, but unfortunately this is only half of the way. I have alot of SLES servers 11 and 12, but it looks like SSSD that comes with SLES is not fully featured as RHEL or Centos. Basic authentication is working , but policies are not working because group membership is not available on SLES SSSD client (when checking with id command). Even on SLES 12 SP1 I cannot get it to work. In krb5_child.log I see error: [validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership for user with principal [******] might not be correct. When I try to enable PAC service starting of SSSD fails and I get: [service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac --debug-to-files, reason: No such file or directory I installed all packages related to SSSD and all dependencies. Is PAC service necessary for group resolution? Is there any other option?