Hello Sumit,

Thanks for your reply!  I will comment in-line below.

On Dec 18, 2013, at 02:42 AM, Sumit Bose <sbose@redhat.com> wrote:

On Wed, Dec 18, 2013 at 12:54:37AM +0000, Bryan Harris wrote:
root@client:~# klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with RSA-MD5)
   5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)

You need CLIENT$@AD.EXAMPLE.COM in the keytab as well. Any chance you
used -setupn with the ktpass command? If yes, please try without.
 
Here are the commands I used.  Unless it is implied or enabled by default, I did not use the -setupn (at least not on purpose).

client = sssd Debian server hostname

setspn -A host/client.domain.local@DOMAIN.LOCAL client
setspn -L client
ktpass /princ host/client.domain.local@DOMAIN.LOCAL /out c:\client-host.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser DOMAIN\client$ /pass *

Also, when I run ktpass I get this message.  Just thought I would mention it in case it's important.

WARNING: Account AGEO01VMW03$ is not a user account (uacflags=0x11001).
WARNING: Resetting AGEO01VMW03$'s password may cause authentication problems if AGEO01VMW03$ is being used as a server.

Bryan

PS - I have the AD server IP address in my resolv.conf (it's the only name server).  Not sure if that matters or not.  I can do normal DNS lookups plus I can successfully look up things like _kerberos._tcp.domain.local.  I can give more DNS details if needed.
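
The check asked for in the quoted reply (is the machine account principal in the keytab?), as an added example that is not part of the original message: a Python parser for `klist -ke` output. `CLIENT$@DOMAIN.LOCAL` and the extra `FIXED_KEYTAB` entry are constructed, following the `CLIENT$@REALM` form in the reply; `parse_klist` and `check_principal` are hypothetical names.

```python
import re

# klist -ke entry line: "<kvno> <principal> (<enctype>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# The listing quoted in the thread (copied from the message).
THREAD_KEYTAB = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
   5 host/server.domain.local@DOMAIN.LOCAL (DES cbc mode with RSA-MD5)
   5 host/server.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 host/server.domain.local@DOMAIN.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
"""

# Constructed: the same keytab plus one entry for the machine account principal.
FIXED_KEYTAB = THREAD_KEYTAB + (
    "   5 CLIENT$@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)\n"
)


def parse_klist(text):
    """Return {principal: {kvno: [enctype, ...]}} parsed from `klist -ke` output."""
    keytab = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header, separator and blank lines do not match
            kvno, principal, enctype = m.groups()
            keytab.setdefault(principal, {}).setdefault(int(kvno), []).append(enctype)
    return keytab


def check_principal(text, wanted):
    """Report whether `wanted` has keys in the keytab and which principals do."""
    keytab = parse_klist(text)
    return {
        "present": wanted in keytab,
        "kvnos": sorted(keytab.get(wanted, {})),
        "principals": sorted(keytab),
    }


if __name__ == "__main__":
    for name, listing in (("thread", THREAD_KEYTAB), ("fixed", FIXED_KEYTAB)):
        r = check_principal(listing, "CLIENT$@DOMAIN.LOCAL")
        status = "ok" if r["present"] else "MISSING"
        print(f"{name}: CLIENT$@DOMAIN.LOCAL {status}; keytab holds {r['principals']}")
```

On a live host the listing would come from `klist -ke` run as root instead of the embedded strings.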