Ever since CentOS 7 came out, joining a machine to AD has been a breeze. It just works, and if it doesn't, the reason is obvious from the error message. However, now I am stuck:
# realm join [email protected] example.net -v
* Resolving: _ldap._tcp.example.net
* Performing LDAP DSE lookup on: 192.168.1.50
* Successfully discovered: example.net
Password for [email protected]:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.R9517Y -U [email protected] ads join example.net
Enter [email protected]'s password:
Failed to join domain: failed to join domain 'example.net' over rpc: The directory service was unable to allocate a relative identifier.
! Joining the domain example.net failed
realm: Couldn't join realm: Joining the domain example.net failed
It seems that the culprit is this "directory service was unable to allocate a relative identifier" error; but anything I can find relates to connecting to the DC after joining.
The Domain Controller is Windows 2016 on 192.168.1.50.
Interestingly (and not surprisingly, given that the domain was successfully discovered), realm discover is successful:
# realm discover example.net
example.net
type: kerberos
realm-name: EXAMPLE.NET
domain-name: example.net
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
Also, if I use a wrong password or another account that doesn't have join privileges, I get the error that I expect.
Pardon, because I'm not super experienced with various Linux distros, but from the Active Directory side, this sounds like you may have a problem with your RID Master. If the pool is depleted and not being replenished, it may be that the other domain controllers cannot communicate with it for some reason.
What happens under the hood is the RID master allocates a pool of (I think) 500 RIDs at a time for new objects, and when that gets to less than half, a new request is made and a new block of RIDs is assigned.
I would recommend trying a full dcdiag and looking through it for any errors (or asking your AD admin to do so) as a starting measure.
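As an added example (not part of the answer above), here is a PowerShell check of the RID pool state the answer describes, so an admin can see whether the global pool or a particular DC's local pool is exhausted before running the full dcdiag. It assumes the RSAT ActiveDirectory module and read access to the domain; the attribute names are the standard AD schema attributes, the variable names are mine.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# RSAT module; run on a DC or a management workstation with domain read access.
# The cmd equivalent of the check the answer recommends: dcdiag /test:RidManager /v
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ridManagerDN = "CN=RID Manager$,CN=System,$($domain.DistinguishedName)"

# rIDAvailablePool is a 64-bit value: high 32 bits = highest RID the domain can
# ever hand out, low 32 bits = next RID the RID master will allocate to a DC.
$ridManager = Get-ADObject -Identity $ridManagerDN -Properties rIDAvailablePool
$pool    = [int64]$ridManager.rIDAvailablePool
$maxRid  = $pool -shr 32
$nextRid = $pool -band 0xFFFFFFFF
"RID master: $($domain.RIDMaster)"
"Global pool: next RID $nextRid of $maxRid ($($maxRid - $nextRid) remaining)"

# Each DC holds a local RID Set; rIDAllocationPool packs start (low 32 bits)
# and end (high 32 bits) of the block the RID master assigned to that DC.
foreach ($dc in Get-ADDomainController -Filter *) {
    $computer = Get-ADObject -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    if (-not $computer.rIDSetReferences) {
        "$($dc.Name): no RID Set assigned yet"
        continue
    }
    $ridSet = Get-ADObject -Identity $computer.rIDSetReferences[0] `
        -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    $alloc = [int64]$ridSet.rIDAllocationPool
    $start = $alloc -band 0xFFFFFFFF
    $end   = $alloc -shr 32
    $next  = [int64]$ridSet.rIDNextRID   # 0 if this DC has not created objects yet
    # A DC whose next RID has reached the end of its block, with no new block
    # assigned, cannot create objects: that is the state behind the join error.
    "{0}: local pool {1}-{2}, next RID {3}, remaining {4}" -f `
        $dc.Name, $start, $end, $next, ($end - $next)
}
```

If the global pool shows plenty of RIDs remaining but one DC reports none, the DC that served the join cannot reach the RID master to refresh its block, which matches the answer's suspicion.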