Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1683578

Summary: sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls [rhel-7.6.z]
Product: Red Hat Enterprise Linux 7 Reporter: RAD team bot copy to z-stream <autobot-eus-copy>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: sssd-qe <sssd-qe>
Severity: high Docs Contact:
Priority: high    
Version: 7.6CC: barry.snyder, dwysocha, grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, plambri, rharwood, robin.edser, sbose, sgoveas, sssd-maint, toneata, tscherf
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1672527 Environment:
Last Closed: 2019-04-23 14:28:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1672527    
Bug Blocks:    

Description RAD team bot copy to z-stream 2019-02-27 09:22:28 UTC 
This bug has been copied from bug #1672527 and has been proposed to be backported to 7.6 z-stream (EUS).
Comment 6 Niranjan Mallapadi Raghavender 2019-04-10 12:37:57 UTC 
Reproducing the Issue:
=====================
sssd-libwbclient-1.16.2-13.el7.x86_64
sssd-krb5-common-1.16.2-13.el7.x86_64
sssd-ldap-1.16.2-13.el7.x86_64
sssd-proxy-1.16.2-13.el7.x86_64
sssd-tools-1.16.2-13.el7.x86_64
sssd-client-1.16.2-13.el7.x86_64
sssd-common-1.16.2-13.el7.x86_64
sssd-common-pac-1.16.2-13.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
sssd-dbus-1.16.2-13.el7.x86_64
sssd-1.16.2-13.el7.x86_64
sssd-kcm-1.16.2-13.el7.x86_64
python-sssdconfig-1.16.2-13.el7.noarch
sssd-ad-1.16.2-13.el7.x86_64
sssd-ipa-1.16.2-13.el7.x86_64

1. Configure sssd to use ldap provider and krb5 authentication For Users to login 

[sssd]
domains = sssd2016.com
config_file_version = 2
services = nss, pam

[domain/sssd2016.com]
krb5_realm = SSSD2016.COM
id_provider = ldap
chpass_provider = krb5
cache_credentials = True
ldap_uri = ldap://mars.sssd2016.com
ldap_search_base = DC=sssd2016,DC=COM
cache_credentials = False
ldap_referrals = False
id_provider = ldap
ldap_schema = ad
ldap_force_upper_case_realm = true
ldap_id_mapping = true
ldap_sasl_mech = gssapi
ldap_account_expire_policy = ad
ldap_use_tokengroups = true
auth_provider = krb5
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
debug_level = 9

3. Cat /etc/krb5.conf
[root@sparks ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = SSSD2016.COM
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

 SSSD2016.COM = {
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 sssd2016.com = SSSD2016.COM
 .sssd2016.com = SSSD2016.COM
[root@sparks ~]# 



2. Login as AD user using ssh so that kdcinfo.<DOMAIN> and kpasswd.<DOMAIN> files are created
under /var/lib/sss/pubconf

/var/lib/sss/pubconf
[root@sparks pubconf]# ll
total 8
-rw-r--r--. 1 root root 16 Apr 10 08:27 kdcinfo.SSSD2016.COM
-rw-r--r--. 1 root root 17 Apr 10 08:15 kpasswdinfo.SSSD2016.COM
drwxr-xr-x. 2 sssd sssd 87 Sep  5  2018 krb5.include.d


3. From another terminal as root user run the below kinit command

env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator

when prompted for password specify a wrong or no password to check if the port
464 

root@sparks ~]# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator
[27555] 1554898748.181016: Getting initial credentials for Administrator
[27555] 1554898748.181018: Sending unauthenticated request
[27555] 1554898748.181019: Sending request (200 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898748.181020: Initiating TCP connection to stream 10.65.207.18:88
[27555] 1554898748.181021: Sending TCP request to stream 10.65.207.18:88
[27555] 1554898748.181022: Received answer (157 bytes) from stream 10.65.207.18:88
[27555] 1554898748.181023: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898748.181024: Response was not from master KDC
[27555] 1554898748.181025: Received error from KDC: -1765328359/Additional pre-authentication required
[27555] 1554898748.181028: Preauthenticating using KDC method data
[27555] 1554898748.181029: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[27555] 1554898748.181030: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator:
[27555] 1554898751.324171: AS key obtained for encrypted timestamp: rc4-hmac/A247
[27555] 1554898751.324173: Encrypted timestamp (for 1554898751.707740): plain 301AA011180F32303139303431303132313931315AA10502030ACC9C, encrypted FC89D373AF3534165D28F2AE73E72B86214AEDEFEDBB216AB28508E87CA238A83A0EF767C10B1AC6E9FAE3605F88288D8865368C
[27555] 1554898751.324174: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27555] 1554898751.324175: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[27555] 1554898751.324176: Sending request (276 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898751.324177: Initiating TCP connection to stream 10.65.207.18:88
[27555] 1554898751.324178: Sending TCP request to stream 10.65.207.18:88
[27555] 1554898751.324179: Received answer (1526 bytes) from stream 10.65.207.18:88
[27555] 1554898751.324180: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898751.324181: Response was not from master KDC
[27555] 1554898751.324182: Salt derived from principal: SSSD2016.COMAdministrator
[27555] 1554898751.324183: AS key determined by preauth: rc4-hmac/A247
[27555] 1554898751.324184: Decrypted AS reply; session key is: aes256-cts/EF66
[27555] 1554898751.324185: FAST negotiation: unavailable
[27555] 1554898751.324186: Initializing KEYRING:persistent:0:0 with default princ Administrator
[27555] 1554898751.324187: Storing Administrator -> krbtgt/SSSD2016.COM in KEYRING:persistent:0:0
[27555] 1554898751.324188: Storing config in KEYRING:persistent:0:0 for krbtgt/SSSD2016.COM: pa_type: 2
[27555] 1554898751.324189: Storing Administrator -> krb5_ccache_conf_data/pa_type/krbtgt\/SSSD2016.COM\@SSSD2016.COM@X-CACHECONF: in KEYRING:persistent:0:0
[root@sparks ~]# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator
[27556] 1554898759.377230: Getting initial credentials for Administrator
[27556] 1554898759.377232: Sending unauthenticated request
[27556] 1554898759.377233: Sending request (200 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898759.377234: Initiating TCP connection to stream 10.65.207.18:88
[27556] 1554898759.377235: Sending TCP request to stream 10.65.207.18:88
[27556] 1554898759.377236: Received answer (157 bytes) from stream 10.65.207.18:88
[27556] 1554898759.377237: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898759.377238: Response was not from master KDC
[27556] 1554898759.377239: Received error from KDC: -1765328359/Additional pre-authentication required
[27556] 1554898759.377242: Preauthenticating using KDC method data
[27556] 1554898759.377243: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[27556] 1554898759.377244: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator:
[27556] 1554898760.652839: AS key obtained for encrypted timestamp: rc4-hmac/4EE8
[27556] 1554898760.652841: Encrypted timestamp (for 1554898761.43279): plain 301AA011180F32303139303431303132313932315AA105020300A90F, encrypted 693DCFAEED27C776A547C57E0E3444F0801A0570D9EBDC14648BB96278A912FF810E8C65CE06DB72ADD90240DDF90033459ACF0E
[27556] 1554898760.652842: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27556] 1554898760.652843: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[27556] 1554898760.652844: Sending request (276 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898760.652845: Initiating TCP connection to stream 10.65.207.18:88
[27556] 1554898760.652846: Sending TCP request to stream 10.65.207.18:88
[27556] 1554898761.718373: Received answer (122 bytes) from stream 10.65.207.18:88
[27556] 1554898761.718374: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898761.718375: Response was not from master KDC
[27556] 1554898761.718376: Received error from KDC: -1765328360/Preauthentication failed
[27556] 1554898761.718379: Preauthenticating using KDC method data
[27556] 1554898761.718380: Processing preauth types: PA-ETYPE-INFO2 (19)
[27556] 1554898761.718381: Selected etype info: etype rc4-hmac, salt "", params ""
[27556] 1554898761.718382: Retrying AS request with master KDC
[27556] 1554898761.718383: Getting initial credentials for Administrator
[27556] 1554898761.718385: Sending unauthenticated request
[27556] 1554898761.718386: Sending request (200 bytes) to SSSD2016.COM (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898761.718387: Initiating TCP connection to stream 10.65.207.18:464
[27556] 1554898761.718388: Sending TCP request to stream 10.65.207.18:464
[27556] 1554898762.200747: Terminating TCP connection to stream 10.65.207.18:464
[27556] 1554898762.200748: Sending initial UDP request to dgram 10.65.207.18:464
[27556] 1554898765.203935: Sending retry UDP request to dgram 10.65.207.18:464
[27556] 1554898770.209022: Sending retry UDP request to dgram 10.65.207.18:464
kinit: Password incorrect while getting initial credentials

As seen above sssd_krb5_locator plugin tries AD server on port 464 . 


Update the sssd to below versions:

sssd-ipa-1.16.2-13.el7_6.7.x86_64
sssd-proxy-1.16.2-13.el7_6.7.x86_64
sssd-client-1.16.2-13.el7_6.7.x86_64
python-sssdconfig-1.16.2-13.el7_6.7.noarch
sssd-common-1.16.2-13.el7_6.7.x86_64
sssd-common-pac-1.16.2-13.el7_6.7.x86_64
sssd-ad-1.16.2-13.el7_6.7.x86_64
sssd-krb5-1.16.2-13.el7_6.7.x86_64
sssd-1.16.2-13.el7_6.7.x86_64
sssd-krb5-common-1.16.2-13.el7_6.7.x86_64
sssd-ldap-1.16.2-13.el7_6.7.x86_64


Restart sssd and Run the above kinit command

[root@qe-blade-14 pubconf]# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator
[26280] 1554899579.642990: Getting initial credentials for Administrator
[26280] 1554899579.642992: Sending unauthenticated request
[26280] 1554899579.642993: Sending request (200 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899579.642994: Initiating TCP connection to stream 10.65.207.18:88
[26280] 1554899579.642995: Sending TCP request to stream 10.65.207.18:88
[26280] 1554899580.128031: Received answer (157 bytes) from stream 10.65.207.18:88
[26280] 1554899580.128032: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899580.128033: Response was from master KDC
[26280] 1554899580.128034: Received error from KDC: -1765328359/Additional pre-authentication required
[26280] 1554899580.128037: Preauthenticating using KDC method data
[26280] 1554899580.128038: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[26280] 1554899580.128039: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator:
[26280] 1554899582.293153: AS key obtained for encrypted timestamp: rc4-hmac/4EE8
[26280] 1554899582.293155: Encrypted timestamp (for 1554899582.204260): plain 301AA011180F32303139303431303132333330325AA1050203031DE4, encrypted 76CFD1F609AC0F1AB294F2CA5B04379C69960E3332B17E22CEB10709DD201BF5F06B2776F4ECE062225328CF514D10801A259B64
[26280] 1554899582.293156: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[26280] 1554899582.293157: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[26280] 1554899582.293158: Sending request (276 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899582.293159: Initiating TCP connection to stream 10.65.207.18:88
[26280] 1554899582.293160: Sending TCP request to stream 10.65.207.18:88
[26280] 1554899582.293161: Received answer (122 bytes) from stream 10.65.207.18:88
[26280] 1554899582.293162: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899582.293163: Response was from master KDC
[26280] 1554899582.293164: Received error from KDC: -1765328360/Preauthentication failed
[26280] 1554899582.293167: Preauthenticating using KDC method data
[26280] 1554899582.293168: Processing preauth types: PA-ETYPE-INFO2 (19)
[26280] 1554899582.293169: Selected etype info: etype rc4-hmac, salt "", params ""
kinit: Password incorrect while getting initial credentials
[

As we can see sssd_krb5_locator plugin doesn't retry the AD server ip on port 464 and tries to connect on port 88.
Comment 8 errata-xmlrpc 2019-04-23 14:28:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0816