Note: Maybe this is not just a GPO code issue, but so far I have only seen the effect in the GPO code.
If the domain name part of the domain section in sssd is different from the actual AD domain name, we can use the ad_domain option to specify the name.
But the GPO code does not respect the option and still uses the name from the domain section.
1. Join the AD domain (using realmd).
2. Change the domain name part of the domain section in sssd.conf.
3. Set GPO to enforcing.
4. Log in as an AD user.
When generating the target's DN, SSSD uses the name from the domain section and login fails with a system error.
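As an added illustration (not SSSD's own code), here is a constructed sssd.conf in which the section name and ad_domain differ, together with a check that shows which base DN each name would produce; the one-DC=-per-label derivation and the "permissive" default for ad_gpo_access_control are assumptions of this example.

```python
import configparser

# Constructed sssd.conf fragment: the [domain/...] section name ("example")
# differs from the real AD domain name given by ad_domain.
SSSD_CONF = """
[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ad
access_provider = ad
ad_domain = ad.example.com
ad_gpo_access_control = enforcing
"""


def domain_to_base_dn(domain: str) -> str:
    """Turn a DNS domain name into an LDAP base DN.
    Assumed derivation for this example: one DC= component per label."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def check_domain_sections(conf_text: str) -> list:
    """Return one record per [domain/...] section with the base DN derived
    from the section name and the one derived from ad_domain, and flag
    sections where the two names differ (the situation in this ticket)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    results = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        section_name = section[len("domain/"):]
        # Without ad_domain SSSD falls back to the section name.
        ad_domain = parser.get(section, "ad_domain", fallback=section_name)
        # "permissive" as the default is an assumption of this example.
        mode = parser.get(section, "ad_gpo_access_control", fallback="permissive")
        results.append({
            "section": section_name,
            "ad_domain": ad_domain,
            "section_dn": domain_to_base_dn(section_name),
            "ad_domain_dn": domain_to_base_dn(ad_domain),
            "mismatch": section_name.lower() != ad_domain.lower(),
            "gpo_enforcing": mode.lower() == "enforcing",
        })
    return results


if __name__ == "__main__":
    for record in check_domain_sections(SSSD_CONF):
        print(record)
```

Run against a real sssd.conf, a record with "mismatch" and "gpo_enforcing" both true identifies a domain section that hits the condition described above.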