This is due to Kerberos being very fussy with DNS. Name resolution of "local" domains is processed by avahi (see /etc/nsswitch.conf) and DNS is not even given a chance. And this is where we run into trouble.
A workaround is to remove the avahi daemon altogether, as Rémi put it, which makes sense in an environment like AD, where naming is primarily handled by DNS.
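The check below is an added example, not part of the original post: it reads the `hosts:` line of an nsswitch.conf and reports whether a `.local` name that mDNS cannot answer is ever handed to `dns`. The two sample configurations are constructed, and the function names are hypothetical; it assumes every service before `dns` answers NOTFOUND for the name.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")

# Constructed samples: a layout with mDNS ahead of DNS, and one with DNS first.
TYPICAL = "passwd: compat\nhosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n"
DNS_FIRST = "hosts: files dns mdns4_minimal [NOTFOUND=return]\n"

def hosts_chain(nsswitch_text):
    """Return [(service, {status: action})] parsed from the 'hosts:' line."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("hosts:"):
            continue
        chain = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):]):
            if not tok.startswith("["):
                # glibc defaults: stop on success, otherwise try the next service
                defaults = {s: "continue" for s in STATUSES}
                chain.append((tok, {**defaults, "SUCCESS": "return"}))
                continue
            if not chain:
                continue                              # action with no service before it
            for item in tok.strip("[]").split():
                status, _, action = item.partition("=")
                negate = status.startswith("!")       # "!X=act" means every status but X
                status = status.lstrip("!").upper()
                for s in STATUSES:
                    if (s == status) != negate:
                        chain[-1][1][s] = action.lower()
        return chain
    return []

def local_reaches_dns(nsswitch_text):
    """True if an unanswered .local lookup still falls through to 'dns'."""
    for service, actions in hosts_chain(nsswitch_text):
        if service == "dns":
            return True
        # Assumption: services before 'dns' report NOTFOUND for this name.
        if actions["NOTFOUND"] == "return":
            return False
    return False

if __name__ == "__main__":
    for label, text in (("typical", TYPICAL), ("dns first", DNS_FIRST)):
        print(label, "-> .local reaches DNS:", local_reaches_dns(text))
```
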