AD integration with SSSD
We have several domain-joined servers running RHEL7 and configured (as per the Red Hat docs) to use SSSD for identity management and authentication. Initially, everything seemed fine but we started to notice problems on the hosts acting as Samba servers for Windows clients.
After a while the Samba shares were prompting for credentials but rejected them anyway. The problem was identified as the machine account passwords expiring every 30 days, which is default AD behaviour. It seems SSSD was not renewing them automatically. Disjoining and re-joining the servers to AD was one workaround but not really practical.
The other solution, found in the comments here https://access.redhat.com/solutions/2221561, suggests using a cron job with the command "net ads changetrustpw". This would reset the machine password periodically before it expired after 30 days. This seemed to be a workable solution but in fact leads to SSH authentication problems due to broken trust. The error in the logs:
[sssd[krb5_child[38028]]][38028]: Cannot find key for host/hostname@domain.com kvno 79 in keytab
Has anybody else running RHEL7 servers joined to AD with realmd/SSSD encountered this?
Other links I’ve looked at so far…
Potential conflict between Samba and realmd-based setup, and resolution
https://www.linux.ncsu.edu/blog/2018/03/30/potential-conflict-between-samba-and-realmd-based-setup-and-resolution/
msktutil to reset machine password
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/3ISKY3DROEPLH7YKKCTT5LQ5G3ZH6ABF/
Using adcli instead of realmd to join the domain
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/X7R52WLKNOAZKX3HKFUAKRHF5FZS3XKI/
Thanks
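Added example (not part of the post above): a small check that correlates the sssd krb5_child "Cannot find key ... kvno N in keytab" error with a `klist -k` listing of /etc/krb5.keytab, so you can confirm that the host keytab has fallen behind the kvno the KDC now expects after a machine password change. The log lines, keytab listing, host name fs01 and realm EXAMPLE.COM are all constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the style of /var/log/secure (not real data).
SAMPLE_LOG = """\
Mar 31 08:12:01 fs01 [sssd[krb5_child[38028]]][38028]: Cannot find key for host/fs01.example.com@EXAMPLE.COM kvno 79 in keytab
Mar 31 08:12:05 fs01 sshd[4012]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
"""

# Constructed sample of `klist -ke /etc/krb5.keytab` output on the same host.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  78 host/fs01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  78 host/fs01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
  78 FS01$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Matches the sssd krb5_child error quoted in the post and captures principal + kvno.
KRB5_CHILD_RE = re.compile(
    r"krb5_child\[\d+\]\]\]\[\d+\]: Cannot find key for (?P<principal>\S+) kvno (?P<kvno>\d+) in keytab"
)
# Matches data rows of `klist -k` output (header and separator rows do not start with digits).
KEYTAB_LINE_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)")


def parse_krb5_child_errors(log_text):
    """Return {principal: kvno the KDC expects} from sssd 'Cannot find key' lines."""
    expected = {}
    for line in log_text.splitlines():
        m = KRB5_CHILD_RE.search(line)
        if m:
            expected[m.group("principal")] = int(m.group("kvno"))
    return expected


def parse_keytab_listing(klist_text):
    """Return {principal: highest kvno present in the keytab} from `klist -k` output."""
    present = defaultdict(int)
    for line in klist_text.splitlines():
        m = KEYTAB_LINE_RE.match(line)
        if m and "@" in m.group("principal"):
            p = m.group("principal")
            present[p] = max(present[p], int(m.group("kvno")))
    return dict(present)


def find_stale_keytab_entries(log_text, klist_text):
    """List (principal, keytab_kvno, expected_kvno) where the keytab lags the KDC."""
    expected = parse_krb5_child_errors(log_text)
    present = parse_keytab_listing(klist_text)
    return [(p, present.get(p), k) for p, k in expected.items() if present.get(p) != k]
```

On a real host, feed it the relevant lines from /var/log/secure or journalctl and the output of `klist -ke /etc/krb5.keytab`; a non-empty result means the keytab was not updated when the machine password changed, which is the broken-trust condition the post describes.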