Our dhcp sets clients with dynamically configured ip into a subdomain .client.DOMAIN, while clients with static ip go to .DOMAIN. Example: I join clients to AD using sssd for authentication. realm join --automatic-id-mapping=no --membership-software=adcli DOMAIN The FQDN for this client is: kubuntu-lts.client.mpi-dortmund.mpg.de realm sets correct keytab entries with correct FQDN including subdomain .client: root@kubuntu-lts:/etc/sssd# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (arcfour-hmac) 2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96) 2 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96) 2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac) 2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96) 2 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96) 2