Description of problem: Systems configured with ldap/krb5 identity/auth via authconfig cannot ssh since sssd was rebased. The issue can be triggered purely by upgrading sssd on RHEL-7.2 to sssd-1.14.0-1.el7, or on RHEL-7.3 by downgrading to sssd-1.14.0-0.2.beta1.el7.

Version-Release number of selected component (if applicable): sssd-1.14.0-1.el7

How reproducible: always

Steps to Reproduce:
1. Set up ldap and krb5 servers and create some users there
2. Create sssd.conf and run authconfig
3. Although the user identity can be retrieved by the getent passwd command, ssh login does not work
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for sssdtester].
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password]
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [k5c_send_data] (0x0200): Received error code 1432158218
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [main] (0x0400): krb5_child completed successfully
Judging by the error messages, I wonder if this is a Kerberos bug someone reported to us on the sssd-users list earlier. You can see the whole thread here:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/D3C2DDA7EDIEPZLSWXE53TFY4GGAICRN/

But Sumit's response summed up what can be done to mitigate the issue:

~~~~~~~~~~~~~~~
Thanks, I was able to reproduce the issue. After discussing it with a co-worker I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454 because we think it is originally an issue in the responder interface of MIT Kerberos. I would like to hear back from MIT before trying to fix the SSSD side.

I'm pretty sure that authentication would work again if you enable pre-authentication for the user principals on the KDC:

# kadmin.local
kadmin.local: modprinc +requires_preauth dave@LA-LA.LAN

Is there a reason why pre-authentication is disabled? If not, it is very, very, very recommended to enable it (not only to make SSSD work), see e.g. http://superuser.com/questions/200010/how-does-kerberos-preauthentication... for some explanations.

bye,
Sumit
~~~~~~~~~~~~~~~

Can you check whether enabling preauthentication helps you as well?
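Added example (not part of this bug report or of sssd/krb5): a small Python script that does the two checks discussed above offline. It recognizes the krb5_child.log signature from this report (sss_krb5_prompter refusing the password prompt followed by get_and_save_tgt failing with krb5 error -1765328254, "Cannot read password") and it parses `kadmin.local getprinc` output to list principals whose Attributes line lacks REQUIRES_PRE_AUTH, emitting the matching `modprinc +requires_preauth` commands. The log sample is trimmed from the excerpt in this report plus one constructed healthy run; the getprinc sample, the EXAMPLE.COM realm and the principal names are constructed, and treating this log pattern as "preauth disabled" is an assumption drawn from this report, not a rule sssd itself applies.

```python
import re

# MIT krb5 error code krb5_child prints as [-1765328254][Cannot read password].
KRB5_LIBOS_CANTREADPWD = -1765328254

# Constructed sample: trimmed krb5_child.log lines from this report (pid 20057)
# plus one healthy run (pid 20101) that must not be flagged.
SAMPLE_KRB5_CHILD_LOG = """\
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for sssdtester].
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password]
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [main] (0x0400): krb5_child completed successfully
(Wed Aug 3 09:30:02 2016) [[sssd[krb5_child[20101]]]] [main] (0x0400): krb5_child completed successfully
"""

# Constructed sample of `kadmin.local -q "getprinc <name>"` output, abbreviated;
# realm and principal names are made up for this example.
SAMPLE_GETPRINC_OUTPUT = """\
Principal: dave@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes:
Policy: [none]
Principal: sssdtester@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: DISALLOW_POSTDATED
Policy: [none]
"""

# One krb5_child.log line: (timestamp) [[sssd[krb5_child[PID]]]] [function] (level): message
LOG_LINE_RE = re.compile(
    r'^\((?P<ts>[^)]*)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] '
    r'\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$'
)
PROMPT_RE = re.compile(r'Prompt \[\d+\]\[Password for (?P<user>[^\]]+)\]')
KRB5_ERR_RE = re.compile(r'\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]')


def parse_krb5_child_log(text):
    """Split krb5_child.log text into dicts (ts, pid, func, level, msg); skip unparseable lines."""
    return [m.groupdict() for m in map(LOG_LINE_RE.match, text.splitlines()) if m]


def find_preauth_failures(text):
    """Return {pid: user} for krb5_child runs showing the signature from this report:
    the prompter refused a password prompt AND get_and_save_tgt failed with CANTREADPWD."""
    by_pid = {}
    for e in parse_krb5_child_log(text):
        st = by_pid.setdefault(e['pid'], {'refused': False, 'cantread': False, 'user': None})
        if e['func'] == 'sss_krb5_prompter' and 'Cannot handle password prompts' in e['msg']:
            st['refused'] = True
        pm = PROMPT_RE.search(e['msg'])
        if pm:
            st['user'] = pm.group('user')
        if e['func'] == 'get_and_save_tgt':
            em = KRB5_ERR_RE.search(e['msg'])
            if em and int(em.group('code')) == KRB5_LIBOS_CANTREADPWD:
                st['cantread'] = True
    return {pid: st['user'] for pid, st in by_pid.items() if st['refused'] and st['cantread']}


def principals_without_preauth(getprinc_output):
    """Parse concatenated getprinc output; return principals whose Attributes lack REQUIRES_PRE_AUTH."""
    missing, principal = [], None
    for line in getprinc_output.splitlines():
        if line.startswith('Principal: '):
            principal = line.split(': ', 1)[1].strip()
        elif line.startswith('Attributes:') and principal:
            attrs = line[len('Attributes:'):].split()
            if 'REQUIRES_PRE_AUTH' not in attrs:
                missing.append(principal)
    return missing


def modprinc_commands(principals):
    """kadmin.local commands that apply Sumit's mitigation to each principal."""
    return ['modprinc +requires_preauth %s' % p for p in principals]


if __name__ == '__main__':
    for pid, user in find_preauth_failures(SAMPLE_KRB5_CHILD_LOG).items():
        print('krb5_child[%s]: password prompt refused for %s (check KDC preauth)' % (pid, user))
    for cmd in modprinc_commands(principals_without_preauth(SAMPLE_GETPRINC_OUTPUT)):
        print('kadmin.local: ' + cmd)
```

On a real host, feed it `/var/log/sssd/krb5_child.log` and the output of `kadmin.local -q "getprinc <principal>"` for each user; the script only reports, it never changes the KDC, so review the emitted commands before running them.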
By the way, the upstream bug report was http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454
I can confirm that preauth added for the test principal fixed the issue. Thank you for the investigation.
(In reply to Patrik Kis from comment #9) > I can confirm that preauth added for the test principal fixed the issue. > Thank you for the investigation. Thanks, then I'm moving the bug report to krb5, because it should track the upstream report http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454
Do we need to add requires/conflicts into sssd after fixing krb5? There is still a chance that someone would like to test sssd-1.14 on rhel7.2
(In reply to Lukas Slebodnik from comment #11) > Do we need to add requires/conflicts into sssd after fixing krb5? > There is still a chance that someone would like to test sssd-1.14 on rhel7.2 Since this issue is caused by patches that were only applied to 7.3 in RHEL, then I don't think so -- is it even possible to install 7.3 RPMs on a 7.2 system? I don't know how to solve this at the upstream level.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2591.html