[Samba] Samba 4.4, sssd, adcli; windows hosts cannot authenticate

Steve Dainard sdainard at spd1.com
Sun May 28 04:45:29 UTC 2017

I'm running samba 4.4.4 on el7. I'm attempting to provide a share
authenticated by Kerberos, or by password for non-Kerberos hosts, on
Linux or Windows (7).

We have uid/gid/group memberships in AD and typically configure
Linux hosts with a kerberos/sssd/ldap configuration which uses
attributes from AD, but they are not joined to the domain.

I need to be able to automate the domain join with Salt Stack, so I'm
stuck using adcli to join the machine as it has a plain-text password
option. I then push sssd.conf, /etc/krb5.conf, and /etc/samba/smb.conf
to the samba host.

Thus far I've been able to browse shares from Linux, which
authenticates with Kerberos OK. File/directory perms are respected,
new files are created with the proper uid, etc. No complaints here.

When I attempt to connect from a domain-joined Windows client I get
prompted for credentials, and domain credentials do not work. It seems
like the id of the user isn't passed through or looked up correctly
after Kerberos auth, and the user is labelled as a guest user. Guest
users are mapped to "bad user" in the Samba config. Here's a bit of
logging from when the Windows client tries to access a
share: https://pastebin.com/pbEqj9ZR

smb.conf: https://pastebin.com/XfeVTCDE
sssd.conf: https://pastebin.com/Z57rRwBw
krb5.conf: https://pastebin.com/JigdxgJ6

Some other interesting tidbits:
DNS is served by el6/bind, not by AD, but the AD SRV records exist and
work properly for auto discovery and binding.
The samba server does not have a PTR record, although this seems to be
a requirement for KDCs, not members.
The domain is ad.localdomain.com, but hosts (including the samba
server) have fqdn assigned by dhcp as <hostname>.dhcp.localdomain.com.

Any help is appreciated; usually it's the Linux client that ends up
being a pain. This is the first time for me that a Windows client is
having issues authenticating.
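Editor's note, added after the post and not part of it: the post mentions that the realm is ad.localdomain.com while the Samba host's FQDN is assigned by DHCP under dhcp.localdomain.com. A Windows SMB client asks the KDC for a service ticket for cifs/<the name it typed in the UNC path>, so every name clients reach the server by needs a matching cifs/ principal in the host keytab; if none exists the Kerberos step fails and the client falls back to NTLM. The script below is an added diagnostic, not code from the post, Samba or adcli: it builds the list of cifs/ principals clients can request and checks whether a `klist -k` listing contains each of them. The host name samba01, the realm, the FQDNs and the keytab listing are all constructed for the example.

```shell
#!/bin/sh
# Added diagnostic (not from the post, not part of Samba or adcli).
# Purpose: given the names a file server is reached by, list the cifs/
# service principals a Windows SMB client will request, and check whether
# a `klist -k` listing of the host keytab contains each of them.
# All hostnames, the realm and the keytab listing below are constructed.

# Print one expected principal per line.
#   $1 = short host name (NetBIOS-style name clients may type)
#   $2 = Kerberos realm
#   $3.. = every FQDN clients might use in a UNC path
expected_spns() {
    short=$1
    realm=$2
    shift 2
    printf 'cifs/%s@%s\n' "$short" "$realm"
    for fqdn in "$@"; do
        printf 'cifs/%s@%s\n' "$fqdn" "$realm"
    done
}

# Check a keytab listing against a newline-separated SPN list.
#   $1 = text of `klist -k /etc/krb5.keytab`
#   $2 = SPN list (output of expected_spns)
# Prints each missing principal; returns 0 only if none are missing.
check_keytab() {
    listing=$1
    spns=$2
    rc=0
    # The principal is the last field of each klist -k line; header lines
    # yield "Principal" or a run of dashes, which never match an SPN.
    present=$(printf '%s\n' "$listing" | awk '{ print $NF }')
    for spn in $spns; do
        if ! printf '%s\n' "$present" | grep -qxF "$spn"; then
            echo "missing from keytab: $spn"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: what a host joined with a plain `adcli join` (no
# --service-name) typically holds, i.e. the machine account and host/
# principals but no cifs/ entries.
sample_keytab_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SAMBA01$@AD.LOCALDOMAIN.COM
   2 host/SAMBA01@AD.LOCALDOMAIN.COM
   2 host/samba01.dhcp.localdomain.com@AD.LOCALDOMAIN.COM
EOF
}

# Usage with the naming layout from the post: the DHCP-assigned FQDN plus
# the AD-realm FQDN a client might type instead (both constructed).
SPNS=$(expected_spns samba01 AD.LOCALDOMAIN.COM \
        samba01.dhcp.localdomain.com samba01.ad.localdomain.com)

if check_keytab "$(sample_keytab_listing)" "$SPNS"; then
    echo "keytab covers every cifs/ principal clients can request"
else
    echo "re-join with cifs SPNs, e.g.: adcli join --service-name=cifs --host-fqdn=<fqdn> ..."
fi
```

On a real host, feed it the output of `klist -k /etc/krb5.keytab` instead of the constructed listing. If cifs/ principals are missing, adcli can register them at join time with `--service-name=cifs`, and `--host-fqdn` lets the join use the name clients actually connect to rather than whatever DHCP handed out; a name that is not covered by any principal is a Kerberos failure from the Windows client's point of view regardless of what sssd resolves afterwards.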


