Automatic Kerberos Host Keytab Renewal with SSSD
This should happen automatically, but you need to install adcli. sssd just forks and execs adcli in order to perform the update.
I just figured out what my problem was after having this issue for months.
I didn't name my server
server.my.domain.com and instead it was just
server. After changing the name, leaving and rejoining the realm,
adcli update runs without a problem.