[SSSD-users] GSSAPI Errors with AD Trust

Hi, I'm having an issue with IPA/sssd (RHEL 7.1) when accessing resources through an AD trust. The following is logged in ldap_child.log (debug_level=10): (Tue Mar 10 12:31:12 2015) [sssd[be[unix.domain.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)] This error seems to occur randomly. We have over 40+ DC's in our HUB site for active directory forest/domain. All of these DC's are running either Windows 2008 R2/Windows 2012/Windows 2012 R2. The domain/forest level is still Windows 2003. The trust is established between IPA (unix.domain.com) and the forest root AD domain (domain.com). The AD users actually exist in a child domain (ad.domain.com). I conducted a test where I deleted the sssd server cache (in /var/lib/sss/db/), restarted sssd, and then did a 'getent passwd user(a)domain.com.' There were several instances where sssd was successfully using one of the AD DC's, and then after clearing the cache and restarting failed on the same AD DC with the "KDC has no support for encryption type" error. Nothing is being logged to /var/log/sssd/krb5_child.log. We are running the following versions: ipa-server-4.1.0-18.el7.x86_64 ipa-server-trust-ad-4.1.0-18.el7.x86_64 sssd-1.12.2-58.el7.x86_64 Does anyone have an idea of what may be happening here? Thanks, Josh