I'm trying to set up a CentOS 6.3 server to authenticate from my Active Directory domain controller using MIT Kerberos, OpenLDAP, and sssd. Pretend my domain is domain.net. I created a keytab on the Active Directory controller using
ktpass -princ host/client.domain.net@DOMAIN.NET -pass somepassword -mapuser DOMAIN\CLIENT -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out client.keytab
I copied this to the client using SSH. When I run klist -k I get
kinit -k gives no output; after running it, klist gives
Default principal: host/client.domain.net@DOMAIN.NET
Valid starting Expires Service principal
<some time> <some time> krbtgt/DOMAIN.NET@DOMAIN.NET
renew until <some time>
At this point typing ldapsearch with no arguments gives the contents of the domain server as it should. After running ldapsearch klist now includes a ticket entry for ldap/controller@DOMAIN.NET.
When I start sssd, no errors are shown and nothing bad appears in the log. But when I try to get a user's information:
getent -s sss passwd bob
the log file sssd_domain.net.log says (among many many other things)
(Tue Dec 11 11:51:43 2012) [sssd[be[domain.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_DOMAIN.NET], expired on 
(Tue Dec 11 11:51:43 2012) [sssd[be[domain.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/client.domain.net@DOMAIN.NET
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_server_status] (0x1000): Status of server 'controller.domain' is 'name resolved'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_port_status] (0x1000): Port status of port 389 for server 'controller.domain' is 'not working'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
The port is marked unusable, and nothing is returned by getent.
What's going on here? Any ideas? Repeated googling and tweaking have turned up nothing.
The relevant config files are below.
Thanks for your help.
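Added example, not part of the question or any answer: a small Python triage script for sssd backend log excerpts of the kind quoted above. It parses the `(timestamp) [sssd[be[domain]]] [function] (level): message` shape, pulls out failover port statuses, the seconds between the GSSAPI bind being issued and the port being marked dead, and flags LDAP server names that are not qualified under the sssd domain. The embedded sample is the five log lines from the question; the checks are heuristics I chose for triage, not sssd's own logic.

```python
import re
from datetime import datetime

# Constructed sample input: the five sssd_domain.net.log lines quoted in the
# question, verbatim. Real logs hold many more lines; unparseable ones are skipped.
SAMPLE_LOG = """\
(Tue Dec 11 11:51:43 2012) [sssd[be[domain.net]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_DOMAIN.NET], expired on
(Tue Dec 11 11:51:43 2012) [sssd[be[domain.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/client.domain.net@DOMAIN.NET
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_server_status] (0x1000): Status of server 'controller.domain' is 'name resolved'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [get_port_status] (0x1000): Port status of port 389 for server 'controller.domain' is 'not working'
(Tue Dec 11 11:52:46 2012) [sssd[be[domain.net]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
"""

# Shape of an sssd backend log line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PORT_RE = re.compile(
    r"Port status of port (?P<port>\d+) for server '(?P<server>[^']+)' is '(?P<status>[^']+)'"
)
NOSRV_RE = re.compile(r"No available servers for service '(?P<service>[^']+)'")


def parse_line(line):
    """Return a dict for one sssd log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "domain": m.group("domain"),
        "func": m.group("func"),
        # sssd debug_level is a bitmask; per sssd.conf(5) lower values are more
        # severe (0x0020 = critical failures, 0x1000 = internal trace).
        "level": int(m.group("level"), 16),
        "msg": m.group("msg"),
    }


def analyze(log_text):
    """Triage a chunk of sssd backend log and return the findings as a dict."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    bind_times = [e["ts"] for e in events if e["func"] == "sasl_bind_send"]
    dead_ports, dead_times, no_servers, unqualified = [], [], [], []
    for e in events:
        pm = PORT_RE.search(e["msg"])
        if pm and pm.group("status") != "working":
            server = pm.group("server")
            dead_ports.append((server, int(pm.group("port")), pm.group("status")))
            dead_times.append(e["ts"])
            # Heuristic (my assumption, not an sssd rule): a failover server name that
            # is neither the sssd domain nor a host under it deserves a look at
            # ldap_uri and DNS before anything else.
            if server != e["domain"] and not server.endswith("." + e["domain"]):
                unqualified.append(server)
        nm = NOSRV_RE.search(e["msg"])
        if nm:
            no_servers.append(nm.group("service"))

    # Seconds between the last GSSAPI bind issued before the first port failure and
    # that failure. A gap of tens of seconds reads as a timeout rather than an
    # immediate refusal (a reading chosen for this script; sssd does not say so).
    gap = None
    if bind_times and dead_times:
        first_dead = min(dead_times)
        earlier_binds = [t for t in bind_times if t <= first_dead]
        if earlier_binds:
            gap = int((first_dead - max(earlier_binds)).total_seconds())

    return {
        "parsed": len(events),
        "most_severe_level": min(e["level"] for e in events) if events else None,
        "dead_ports": dead_ports,
        "no_servers_for": no_servers,
        "unqualified_servers": unqualified,
        "bind_to_failure_seconds": gap,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of the backend log instead of the embedded sample by passing the file's contents to `analyze`; the useful outputs are the list of dead server/port pairs, the bind-to-failure gap, and any server name that does not belong to the domain the backend serves.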