Comment 8 for bug 1893438

Andreas Hasenack (ahasenack) wrote :

I repeated it with focal, and right after the join, id user@<REALM> worked, and I have no /etc/krb5.conf. There must be something else going on over there.

Can you please make these changes:
- sudo apt install sssd-dbus (if not already installed)
- /etc/sssd/sssd.conf:

[sssd]
services = nss, pam, ifp <--- add "ifp"
debug_level = 6 <--- add

[nss] <--- add
debug_level = 6 <--- add

[pam] <--- add
debug_level = 6 <--- add

[domain/...]
debug_level = 6 <--- add

Then restart sssd: sudo systemctl restart sssd

Now the /var/log/sssd/sssd_nss.log file shall have debug info.

With the "ifp" service, you can now use sssctl commands like these:
root@focal-sssd-desktop-team:~# sssctl domain-list
ad1.example.com
ad2.example.com

root@focal-sssd-desktop-team:~# sssctl domain-status ad1.example.com
Online status: Online

Active servers:
AD Global Catalog: not connected
AD Domain Controller: server1.ad1.example.com

Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- server1.ad1.example.com

root@focal-sssd-desktop-team:~# sssctl user-checks <email address hidden>
user: <email address hidden>
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: <email address hidden>
 - user id: 1725801106
 - group id: 1725800513
 - gecos: John Smith
 - home directory: /<email address hidden>
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: <email address hidden>
 - uidNumber: 1725801106
 - gidNumber: 1725800513
 - gecos: John Smith
 - homeDirectory: not set
 - loginShell: not set

testing pam_acct_mgmt

pam_acct_mgmt: Permission denied

PAM Environment:
 - no env -

root@focal-sssd-desktop-team:~# sssctl user-show <email address hidden>
Name: <email address hidden>
Cache entry creation date: 08/28/20 18:37:19
Cache entry last update time: 08/28/20 18:47:32
Cache entry expiration time: 08/28/20 20:17:32
Initgroups expiration time: 08/28/20 20:17:32
Cached in InfoPipe: No
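
The sssd.conf changes requested in the comment above can be applied programmatically. The following is an added example, not part of the original comment or of SSSD itself: the function name `enable_sssd_debug` and the sample configuration are constructed for illustration, and it assumes a file without a `services` line should start from `nss, pam`.

```python
import configparser
import io

DEBUG_LEVEL = "6"  # level requested in the comment above


def enable_sssd_debug(conf_text, level=DEBUG_LEVEL):
    """Return sssd.conf text with "ifp" enabled and debug_level set."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)

    # [sssd], [nss] and [pam] are created if the file lacks them.
    for section in ("sssd", "nss", "pam"):
        if not cp.has_section(section):
            cp.add_section(section)

    # Add "ifp" to the services list once, keeping the existing order.
    # Assumption: a missing services line starts from "nss, pam".
    raw = cp.get("sssd", "services", fallback="nss, pam")
    services = [s.strip() for s in raw.split(",") if s.strip()]
    if "ifp" not in services:
        services.append("ifp")
    cp.set("sssd", "services", ", ".join(services))

    # debug_level goes into [sssd], [nss], [pam] and every [domain/...].
    for section in cp.sections():
        if section in ("sssd", "nss", "pam") or section.startswith("domain/"):
            cp.set(section, "debug_level", level)

    out = io.StringIO()
    cp.write(out)  # note: configparser does not preserve comments
    return out.getvalue()


# Constructed sample input (not taken from the bug report).
SAMPLE = """\
[sssd]
services = nss, pam
domains = ad1.example.com, ad2.example.com

[domain/ad1.example.com]
id_provider = ad

[domain/ad2.example.com]
id_provider = ad
"""

if __name__ == "__main__":
    print(enable_sssd_debug(SAMPLE))
```

The function only transforms text; writing the result back to /etc/sssd/sssd.conf and restarting sssd remain manual steps, as in the comment.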