OK, so all the workaround config changes are either useless or harmful, but we're still left with the problem. I can provide logs, but I'd rather not provide them publicly as they provide too many internal details I'd think...

We join computers to the domain using "kinit <domain_admin_user> && net ads join -k".

The Red Hat support engineer had me enable debug in various SSSD sections, and also provide the output from ldbsearch.

Cheers,

John

--
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
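The join procedure John describes (kinit, then `net ads join -k`), written out as a small POSIX shell wrapper with the checks a practitioner would want around it. This is an added example, not code from the original post or from Samba/SSSD; it assumes Samba's `net` and MIT Kerberos `kinit`/`klist` are installed and that smb.conf already carries the realm and `security = ads`. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): join a host to AD using a
# Kerberos ticket, failing early when the ticket or the join is not usable.
# Assumes Samba `net` and MIT Kerberos `kinit`/`klist` are present and
# smb.conf already has realm/workgroup/security = ads configured.

# Accept only a fully qualified principal (user@REALM); a bare username
# silently depends on default_realm in krb5.conf, which is easy to get wrong.
principal_ok() {
    case "$1" in
        ?*@[A-Z0-9.-]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: join_domain admin@EXAMPLE.COM
# kinit prompts for the password; -k makes net use the resulting ticket cache
# instead of asking for credentials again.
join_domain() {
    principal="$1"
    principal_ok "$principal" || { echo "usage: join_domain user@REALM" >&2; return 2; }

    kinit "$principal" || return 1
    # klist -s exits non-zero when there is no valid (unexpired) ticket.
    klist -s || { echo "no valid Kerberos ticket for $principal" >&2; return 1; }

    net ads join -k || return 1
    # Confirm the machine account actually authenticates, not just that
    # the join command returned 0.
    net ads testjoin
}
```

`net ads testjoin` is the quick check that the machine account works after the join; SSSD-side debugging, as mentioned in the post, is done by raising `debug_level` in the relevant sections of sssd.conf rather than through `net`.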