Hi,
I was playing with different offline krb5 authentication ways today when
testing Sumit's patches and I don't think the offline authentication of
subdomain users was correct. Attached are two patches -- one is just a
better error code, the other actually makes the SSSD search for the
right user entry during krb5 offline auth.
To test the first one, pause of shutdown a trusted AD while remaining
connected to the root domain AD.