Honza, can you review, please?
To reproduce, just set default_domain_suffix on an IPA trust client to
the AD domain value in the [sssd] section:
[sssd]
services = nss, pac, sudo, pam, ssh
domains = linux.test
config_file_version = 2
default_domain_suffix =
ad.example.com
Then request a host:
sss_ssh_knownhostsproxy ipa1.linux.test
btw default_domain_suffix is already ignored for the autofs responder.