I need some help troubleshooting an sssd/krb5 error.
I currently have Ubuntu 16.04 clients and want to upgrade them to 20.04.
/etc/sssd/sssd.conf and /etc/krb5.conf are the same on both clients. Everything works fine except logging in a user with an expired password.
Here are some differences I found in /etc/sssd/krb5_child.log.
krb5_child requests initial credentials in a slightly different way.
Ubuntu 20.04:
```
(Thu Jul 8 19:05:21 2021) [krb5_child[8507]] [sss_child_krb5_trace_cb] (0x4000): [8507] 1625760321.637719: Received error from KDC: -1765328361/Password has expired
(Thu Jul 8 19:05:21 2021) [krb5_child[8507]] [sss_child_krb5_trace_cb] (0x4000): [8507] 1625760321.637721: **Recovering from KDC error 23 using preauth mech PA-ENC-TIMESTAMP (2)**
(Thu Jul 8 19:05:21 2021) [krb5_child[8507]] [sss_child_krb5_trace_cb] (0x4000): [8507] 1625760321.637722: Preauth tryagain input types (2): (empty)
(Thu Jul 8 19:05:21 2021) [krb5_child[8507]] [sss_child_krb5_trace_cb] (0x4000): [8507] 1625760321.637723: Preauth module encrypted_timestamp (2) tryagain returned: 0/Success
(Thu Jul 8 19:05:21 2021) [krb5_child[8507]] [sss_krb5_get_init_creds_password] (0x0020): 1627: [-1765328361][Password has expired]
(Thu Jul 8 19:05:21 2021) [krb5_child[8507]] [get_and_save_tgt] (0x0020): 1704: [-1765328361][Password has expired]
(Thu Jul 8 19:05:21 2021) [krb5_child[8507]] [tgt_req_child] (0x1000): Password was expired
(Thu Jul 8 19:05:21 2021) [krb5_child[8507]] [sss_child_krb5_trace_cb] (0x4000): [8507] 1625760321.637724: Getting initial credentials for **[email protected]**
(Thu Jul 8 19:05:21 2021) [krb5_child[8507]] [sss_child_krb5_trace_cb] (0x4000): [8507] 1625760321.637725: Setting initial creds service to kadmin/changepw
```
Ubuntu 16.04:
```
(Fri Jul 9 12:41:43 2021) [[sssd[krb5_child[1321]]]] [sss_child_krb5_trace_cb] (0x4000): [1321] 1625823703.446660: Received error from KDC: -1765328361/Password has expired
(Fri Jul 9 12:41:43 2021) [[sssd[krb5_child[1321]]]] [sss_child_krb5_trace_cb] (0x4000): [1321] 1625823703.446700: Preauth tryagain input types: 16, 15, 19, 2
(Fri Jul 9 12:41:43 2021) [[sssd[krb5_child[1321]]]] [get_and_save_tgt] (0x0020): 1232: [-1765328361][Password has expired]
(Fri Jul 9 12:41:43 2021) [[sssd[krb5_child[1321]]]] [tgt_req_child] (0x1000): Password was expired
(Fri Jul 9 12:41:43 2021) [[sssd[krb5_child[1321]]]] [sss_child_krb5_trace_cb] (0x4000): [1321] 1625823703.446848: Getting initial credentials for **login\@[email protected]**
(Fri Jul 9 12:41:43 2021) [[sssd[krb5_child[1321]]]] [sss_child_krb5_trace_cb] (0x4000): [1321] 1625823703.446888: Setting initial creds service to kadmin/changepw
```
sssd.conf is here:
```ini
[sssd]
domains = my.domain.ru
config_file_version = 2
services = nss, pam

[domain/my.domain.ru]
ad_domain = my.domain.ru
krb5_realm = MY.DOMAIN.RU
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
simple_allow_users = $
access_provider = ad
ad_gpo_access_control = disabled
```
I'd appreciate any suggestions you may have)