[SSSD-users] Hostnames and failed kerberos ticket re-authorization

Hi - We've been setting up Ubuntu 18.04/20.04 systems which use sssd for authentication as part of a Windows AD domain. Because users ssh to these machines I've been assigning them easy to remember hostnames (e.g. genbank.biosci) and then using the ad_hostname field in /etc/sssd/sssd.conf for the AD hostname; e.g. ad_hostname = cns-cryo-genb1.austin.utexas.edu (The flat AD address space necessitates a not-user-friendly hostnaming convention.) The problem with this is the systems' kerberos tickets regularly go out of date and then I have run mskutil by hand to get a new krb ticket. We have a cron job which is supposed to take care of this automatically: 00 12 * * 1,4 root kinit -R -k cns-cryo-genb1$ | logger -t krbtgt But this appears not to work all of the time. In particular, this error gets logged: kinit: Preauthentication failed while getting initial credentials One of my colleagues thinks he's tracked this down to kinit uses adcli for this, but adcli doesn't know about the ad_hostname entry in sssd.conf and instead is looking up and using the system's /etc/hostname. So, I'm wondering if there is a better solution we're overlooking. Worst case, we can just make the linux hostname match the AD hostname and then use a DNS CNAME for the user's convenience, but I'm just woondering if we're going about this all wrong.