Comment 0 for bug 985031

Mark Russell (marrusl) wrote:

Known upstream bug, see: https://bugzilla.redhat.com/show_bug.cgi?id=811518

Quoting from the upstream description:

"If krb5_canonicalize is not present or is True in sssd.conf, then sssd asks krb5_get_init_creds_keytab() to canonicalize principals. This can change the client principal. When writing out the credential cache, we should use this changed principal, and not the original one. Failure to do this results in errors when LDAP tries to use the credential cache."

In our case, setting "krb5_canonicalize = false" in sssd.conf solved the issue, but according to `man 5 sssd-krb5` it should be false by default:

"krb5_canonicalize (boolean)
           Specifies if the host and user principal should be canonicalized. This feature is
           available with MIT Kerberos >= 1.7

           Default: false"
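Added example (not part of this comment, the Launchpad bug or the sssd project): a small Python check for the two things discussed above. It parses an sssd.conf and reports which domain sections do not explicitly set krb5_canonicalize = false, i.e. the "not present or True" configurations the upstream description says trigger the bug and that the workaround targets; and it reads the default principal out of klist output for a credential cache so it can be compared with the principal you expect the KDC to have canonicalized to. The sssd.conf fragment, the klist output and the domain and principal names are all constructed for the example.

```python
import configparser
import re

# Constructed sssd.conf covering the three states the upstream description
# distinguishes: option absent, explicitly True, explicitly false.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = absent.example, on.example, off.example

[domain/absent.example]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM

[domain/on.example]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_canonicalize = True

[domain/off.example]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_canonicalize = false
"""

TRUE_VALUES = {"true", "yes", "1"}
FALSE_VALUES = {"false", "no", "0"}


def parse_sssd_conf(text):
    """sssd.conf is INI-style, so the standard library parser is enough."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def explicit_canonicalize(cp, domain):
    """Return True/False for an explicit krb5_canonicalize setting in
    [domain/<domain>], or None when the option is absent."""
    section = f"domain/{domain}"
    if not cp.has_section(section) or not cp.has_option(section, "krb5_canonicalize"):
        return None
    value = cp.get(section, "krb5_canonicalize").strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised boolean for krb5_canonicalize: {value!r}")


def domains_needing_workaround(cp):
    """Domains listed in [sssd] that do not explicitly disable canonicalization,
    which are the configurations the upstream description calls affected."""
    domains = [d.strip() for d in cp.get("sssd", "domains").split(",")]
    return [d for d in domains if explicit_canonicalize(cp, d) is not False]


# Constructed `klist -c <ccache>` output; only the "Default principal" line is read.
SAMPLE_KLIST = """Ticket cache: FILE:/var/lib/sss/db/ccache_EXAMPLE.COM
Default principal: host/client.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
04/18/12 10:00:00  04/18/12 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def ccache_principal(klist_output):
    """Principal recorded as the owner of the credential cache."""
    m = re.search(r"^Default principal:\s*(\S+)", klist_output, re.MULTILINE)
    return m.group(1) if m else None


def principal_mismatch(expected, klist_output):
    """True when the cache was written under a principal other than the one
    expected (here: the name the KDC canonicalized to), which is the
    condition the upstream description says breaks the LDAP lookup."""
    actual = ccache_principal(klist_output)
    return actual is not None and actual != expected


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for d in domains_needing_workaround(conf):
        print(f"[domain/{d}]: add krb5_canonicalize = false")
    print("ccache principal:", ccache_principal(SAMPLE_KLIST))
```

On a real host, feed it the contents of /etc/sssd/sssd.conf and the output of klist against the cache under /var/lib/sss/db (or wherever krb5_ccachedir points); the expected principal to compare against is an assumption you supply from what the KDC returned, not something the script derives.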