It appears that the solution for this lies in /etc/samba/smb.conf, even if you’re not running any Samba or winbind services. Adding the line "realm = MY.REALM.TLD" in the [global] section fixed short hostnames and FQDNs not ending in the realm name for me.
Prior to this change, the only things that accepted the Kerberos ticket and connected without a password prompt were shares accessed by FQDN where the realm name was the suffix.
How I got here:
The following will cause the "gio mount" command to produce a lot of debug output:
GVFS_DEBUG=1 GVFS_SMB_DEBUG=99 /usr/libexec/gvfsd -r &
My Active Directory / Kerberos realm is “ad.mydomain.tld”, but many AD-connected servers have canonical hostnames (and SPNs) ending in “other.mydomain.tld”. In the output following a command like "gio mount smb://{server}.other.mydomain.tld/{share}", it seemed to be trying to locate a KDC for a realm “other.mydomain.tld”.
There were also messages about accessing /var/lib/samba/lock/gencache.tdb, which pointed me in the Samba direction.
Everything works in the few remaining older systems on CentOS 7 connected to the domain with winbind instead of sssd.
Adding the Kerberos-related configuration lines to smb.conf seemed to fix it, and the "realm" setting alone appears to be sufficient.
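As an added example (not part of the answer above, and not Samba or GVFS code), the shell snippet below shows how to check the two things the answer relies on: which realm is actually set in the [global] section of smb.conf, and which hostnames Kerberos can map to that realm by DNS-suffix heuristic alone, i.e. the only case that worked before the fix. The smb.conf contents and hostnames are constructed for the example.

```shell
# Constructed smb.conf excerpt; a real check would read /etc/samba/smb.conf.
SMB_CONF_SAMPLE='[global]
   workgroup = AD
   security = ads
   realm = AD.MYDOMAIN.TLD

[homes]
   browseable = no
'

# Print the realm from the [global] section, upper-cased as Kerberos expects.
# Prints nothing if no realm is set there (settings in other sections are ignored).
realm_from_smbconf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && /^[[:space:]]*realm[[:space:]]*=/ {
            sub(/^[[:space:]]*realm[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print toupper($0); exit
        }
    '
}

# Return 0 if the hostname ends in the realm name (case-insensitive), which is
# the only situation where the DNS-domain-to-realm guess lands on the right KDC.
# Short names and FQDNs under another DNS domain return 1; without an explicit
# realm mapping, those are the ones that fall back to a password prompt.
host_under_realm() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    suffix=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        *."$suffix") return 0 ;;
        *) return 1 ;;
    esac
}

# Report, for each hostname given, whether the suffix heuristic alone covers it.
report_hosts() {
    realm=$1; shift
    for h in "$@"; do
        if host_under_realm "$h" "$realm"; then
            printf '%s: suffix matches realm %s\n' "$h" "$realm"
        else
            printf '%s: NOT under realm %s (needs explicit realm config)\n' "$h" "$realm"
        fi
    done
}

report_hosts "$(realm_from_smbconf "$SMB_CONF_SAMPLE")" \
    fs1.ad.mydomain.tld fs2.other.mydomain.tld fs3
```

On a live system, compare the parsed value against what Samba itself sees with "testparm -s" (its output includes the effective [global] settings); a realm that is present in the file but outside [global], or not upper-cased, is the kind of mismatch this check is meant to surface.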