#3453 Subdomains are not discovered if they are not in the TreeRoot
Closed: duplicate 6 years ago Opened 6 years ago by sjeanjean.

Our ActiveDirectory forest is named bc1.com
We have three domains: bc1.com, bouygues-construction.com and bycn.bouygues-construction.com
bycn.bouygues-construction.com is the Child Domain.
SSSD discovers only the domain bc1.com and bouygues-construction.com
# sssctl domain-list
bouygues-construction.com
bc1.com
bouygues.com <---- external domain

OS: CentOS 7.3
SSSD version: 1.14.0

sssd.conf:
[sssd]
domains = bouygues-construction.com,
config_file_version = 2
services = nss, pam, ifp

[domain/bouygues-construction.com]
ad_domain = bouygues-construction.com
krb5_realm = BOUYGUES-CONSTRUCTION.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

None of the users in the child domain can be used.
The users in the parent domain work as expected.
# getent passwd s.jeanjean@bycn.bouygues-construction.com
# su - s.jeanjean@bycn.bouygues-construction.com
su: user s.jeanjean@bycn.bouygues-construction.com does not exist

bc1.com is our legacy domain and doesn't contain any users.


So apart from the joined domain, sssd was also able to discover these domains:
(Thu Jul 20 17:37:33 2017) [sssd[be[bouygues-construction.com]]] [sdap_domain_subdom_add] (0x0400): subdomain bc1.com is a new one, will create a new sdap domain object
(Thu Jul 20 17:37:33 2017) [sssd[be[bouygues-construction.com]]] [sdap_domain_subdom_add] (0x0400): subdomain bouygues.com is a new one, will create a new sdap domain object

But not bycn.bouygues-construction.com...

It might be a bug (which I can't find now...) where we fail to find 'subsubdomains'. What is the relationship of the domains in your forest?

bc1.com has an External Trust with bouygues.com and a TreeRoot trust with bouygues-construction.com
bouygues-construction.com has a TreeRoot trust with bc1.com, an External trust with bouygues.com and a Child trust with bycn.bouygues-construction.com
bycn.bouygues-construction.com has an External trust with bouygues.com and a Parent trust with bouygues-construction.com

In the log, I see that the request to discover the subdomains is:
ldapsearch -x -LLL -E pr=200/noprompt -h bc1ssys206.bc1.com -p 389 -b "dc=bc1,dc=com" -s sub "(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))" | grep name
name: bouygues-construction.com
name: bouygues.com
If I do the same request on the bouygues-construction.com domain instead of bc1.com, I get the correct result:
ldapsearch -x -LLL -E pr=200/noprompt -h bcnvsys001.bouygues-construction.com -p 389 -b "dc=bouygues-construction,dc=com" -s sub "(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))" | grep name
name: bycn.bouygues-construction.com
name: bouygues.com
name: bc1.com
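The two ldapsearch results above show the gap directly: the trustedDomain object for bycn.bouygues-construction.com lives in its parent's naming context, not in the forest root's, so a single query at the forest root never sees it. The following script is an added example (not SSSD's own code) that models this with constructed LDIF stand-ins for the quoted search output and contrasts a one-level lookup at the forest root with a walk that also queries each discovered domain. The mapping of a DNS name to its naming context (bc1.com to dc=bc1,dc=com) and the per-base LDIF contents are assumptions built from the ticket's output.

```python
"""Added example (not SSSD's code): reproduce the subdomain discovery gap from the ticket.

A child domain's trustedDomain object is stored in its parent's naming context, so a
child of a non-root tree is invisible to a single query against the forest root unless
every discovered domain is queried in turn.
"""
from collections import deque

# Constructed stand-ins for the ldapsearch output quoted in the ticket, keyed by the
# base DN the search ran against (only trustType=2 entries are included, as in the filter).
TRUST_LDIF_BY_BASE = {
    "dc=bc1,dc=com": (
        "dn: CN=bouygues-construction.com,CN=System,DC=bc1,DC=com\n"
        "name: bouygues-construction.com\ntrustType: 2\n\n"
        "dn: CN=bouygues.com,CN=System,DC=bc1,DC=com\n"
        "name: bouygues.com\ntrustType: 2\n"
    ),
    "dc=bouygues-construction,dc=com": (
        "dn: CN=bycn.bouygues-construction.com,CN=System,DC=bouygues-construction,DC=com\n"
        "name: bycn.bouygues-construction.com\ntrustType: 2\n\n"
        "dn: CN=bouygues.com,CN=System,DC=bouygues-construction,DC=com\n"
        "name: bouygues.com\ntrustType: 2\n\n"
        "dn: CN=bc1.com,CN=System,DC=bouygues-construction,DC=com\n"
        "name: bc1.com\ntrustType: 2\n"
    ),
    "dc=bycn,dc=bouygues-construction,dc=com": (
        "dn: CN=bouygues.com,CN=System,DC=bycn,DC=bouygues-construction,DC=com\n"
        "name: bouygues.com\ntrustType: 2\n\n"
        "dn: CN=bouygues-construction.com,CN=System,DC=bycn,DC=bouygues-construction,DC=com\n"
        "name: bouygues-construction.com\ntrustType: 2\n"
    ),
}


def base_dn(domain):
    """Assumed mapping from a DNS domain name to its default naming context."""
    return ",".join("dc=" + label for label in domain.lower().split("."))


def parse_trusted_domain_names(ldif):
    """Return the 'name' attribute of each LDIF record (records are separated by a blank line)."""
    names = []
    for record in ldif.strip().split("\n\n"):
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() == "name":
                names.append(value.strip().lower())
    return names


def query_trusts(domain):
    """Stand-in for the ldapsearch quoted in the ticket: trusted domains visible from `domain`."""
    return parse_trusted_domain_names(TRUST_LDIF_BY_BASE.get(base_dn(domain), ""))


def discover_domains(root, max_depth=1):
    """Breadth-first walk over trust objects starting at `root`, excluding `root` itself.

    max_depth=1 mirrors the behaviour seen in the ticket (one query at the forest root);
    a larger depth also follows each discovered domain's own trust objects.
    """
    found = {root}
    queue = deque([(root, 0)])
    while queue:
        domain, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for trusted in query_trusts(domain):
            if trusted not in found:
                found.add(trusted)
                queue.append((trusted, depth + 1))
    found.discard(root)
    return sorted(found)


if __name__ == "__main__":
    print("one level from forest root:", discover_domains("bc1.com", max_depth=1))
    print("two levels from forest root:", discover_domains("bc1.com", max_depth=2))
```

Running it shows that the one-level walk from bc1.com yields exactly the two names SSSD logged, while a second level (or a query against the joined domain's own base) is what surfaces bycn.bouygues-construction.com.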

First, I'm sorry this ticket has stalled for such a long time.

Nonetheless, I think SSSD currently doesn't support your use-case. After your description, I think your setup is a variant of what is already described in https://pagure.io/SSSD/sssd/issue/2763.

Sorry about that. I think just defining a separate [domain] section for bycn.bouygues-construction.com should work, even with the same keytab since the domains trust each other.

So if you agree, I would prefer to close this ticket as a duplicate of issue #2763.

Metadata Update from @jhrozek:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)


The proposed workaround doesn't work.
The ad backend for bycn.bouygues-construction.com cannot connect to the ActiveDirectory
The problem seems to be in [find_principal_in_keytab]. The code is looking for a principal matching TESTVM$@BYCN.BOUYGUES-CONSTRUCTION.COM which doesn't exist. The principal is TESTVM$@BOUYGUES-CONSTRUCTION.COM
The secondary backend is not connected and so doesn't work.
I also think that this workaround will run into problems when the two backends try to renew the same machine account password.

I have another question: when sssd discovers domains, how deep does it follow the trust relationships?
If we have a child of a child (tree level), does it work?
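The failure described above is a keytab lookup: the AD provider for a [domain] section expects a machine principal of the form HOST$@REALM for that section's realm, and the host only has one for the realm it was joined to. The script below is an added example (not SSSD's find_principal_in_keytab) that runs the same check offline over constructed `klist -k` output, so the result of adding a separate [domain] section can be predicted before SSSD is restarted. The hostname, the klist lines and the assumption that krb5_realm is the upper-cased domain name are constructed from the ticket.

```python
"""Added example (not SSSD's code): predict which [domain] sections will find their
machine principal in the keytab, mirroring the lookup that failed in the ticket.
"""
import re

# Constructed stand-in for `klist -k /etc/krb5.keytab` on a host joined to
# bouygues-construction.com (hostname and KVNO are made up).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 TESTVM$@BOUYGUES-CONSTRUCTION.COM
   3 host/testvm.bouygues-construction.com@BOUYGUES-CONSTRUCTION.COM
"""

# Assumed sssd.conf layout: one section per domain, krb5_realm = upper-cased domain.
DOMAIN_SECTIONS = {
    "bouygues-construction.com": "BOUYGUES-CONSTRUCTION.COM",
    "bycn.bouygues-construction.com": "BYCN.BOUYGUES-CONSTRUCTION.COM",
}


def parse_keytab_principals(klist_text):
    """Collect the principal column from klist -k output (entries start with a KVNO)."""
    principals = set()
    for line in klist_text.splitlines():
        match = re.match(r"\s*(\d+)\s+(\S+)$", line)
        if match:
            principals.add(match.group(2))
    return principals


def machine_principal(hostname, realm):
    """The principal the ticket shows SSSD searching for: short hostname, '$', '@', realm."""
    return f"{hostname.split('.')[0].upper()}$@{realm.upper()}"


def check_domain_sections(hostname, sections, klist_text):
    """Return {section_name: True if its machine principal is in the keytab, else False}."""
    present = parse_keytab_principals(klist_text)
    return {
        name: machine_principal(hostname, realm) in present
        for name, realm in sections.items()
    }


if __name__ == "__main__":
    for name, ok in check_domain_sections("testvm.bouygues-construction.com",
                                          DOMAIN_SECTIONS, KLIST_OUTPUT).items():
        print(f"[domain/{name}]: {'keytab principal found' if ok else 'no matching principal'}")
```

For the ticket's setup this reports the joined domain as fine and the child-domain section as lacking a principal, which is exactly why the second backend never connects.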

No, currently multiple subdomain levels are not supported either.

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4480

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
