Still seeing:
preauth (spake) verify failure: Preauthentication failed

kvno ldap/ourdomain
kvno = 2
kvno http/ourdomain
kvno = 1

klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ourdomain.edu@OURDOMAIN.EDU
   2 host/ourdomain.edu@OURDOMAIN.EDU
   2 host/ourdomain.edu@OURDOMAIN.EDU
   2 host/ourdomain.edu@OURDOMAIN.EDU
   2 host/ourdomain.edu@OURDOMAIN.EDU
   2 host/ourdomain.edu@OURDOMAIN.EDU
   4 host/ourclient.edu@OURCLIENT.EDU
   4 host/ourclient.edu@OURCLIENT.EDU
   5 host/ourclient.edu@OURCLIENT.EDU
   5 host/ourclient.edu@OURCLIENT.EDU
   6 host/ourclient.edu@OURCLIENT.EDU
   6 host/ourclient.edu@OURCLIENT.EDU
   7 host/ourclient.edu@OURCLIENT.EDU
   7 host/ourclient.edu@OURCLIENT.EDU


On Thu, Mar 11, 2021 at 3:47 PM Robert Kudyba <rkudyba@fordham.edu> wrote:
>     > Keytab successfully retrieved and stored in: /tmp/client.keytab
>
>     This is why SSSD isn't working. SSSD uses the host keytab in
>     /etc/krb5.keytab and you invalidated it with the above command.
>
>
> OK what do I need to do to fix this? I got this
> from https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_Fedora_18_html_FreeIPA-5FGuide_Installing-5Fthe-5FIPA-5FClient-5Fon-5FLinux.html&d=DwIDaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=DPUtTQx5TfzHXpznmDzOwRF-DMQCNuyTEyFZjQRbf24&s=_71xAKn9TgPKxsbm1Ei0b4VaeazS0Ax__ECpurXTUd0&e=
> (which I realize is old),

Please do not use these documents. We'd remove them if it were in our
control.

Understood. 


You can re-run your getkeytab command using /etc/krb5.keytab instead to
sync up the keys.

OK I ran: 

ipa-getkeytab -s ourdomain.edu -p host/client.ourdomain.edu -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab

Then I scp the keytab to the client /etc directory. Now in the krb5.log I see:

Mar 11 15:39:29 ourdomain.edu krb5kdc[369141](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 150.108.64.55: LOOKING_UP_SERVER: authtime 0, etypes {rep=UNSUPPORTED:(0)} host/client.ourdomain edu@OURDOMAIN.EDU for DNS/ds-dc31.ds.ourdomain.edu@OURDOMAIN.EDU, Server not found in Kerberos database
Mar 11 15:39:29 ourdomain.edu krb5kdc[369141](info): closing down fd 11

ssh logs:
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: attempt 2 failures 1 [preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: keyboard-interactive devs  [preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: kbdint_alloc: devices 'pam' [preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Mar 11 15:39:27 ourdomain sshd[375517]: Postponed keyboard-interactive for ouruser from x.x.x.x port 44136 ssh2 [preauth]
Mar 11 15:39:30 ourdomain sshd[375524]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=ouruser
Mar 11 15:39:30 ourdomain sshd[375524]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar 11 15:39:30 ourdomain sshd[375524]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
 
> Does this have to do with your comment above about SSSD not working?

Yes. A keytab is a password and this is effectively a "bad password" error.
 
Do I have to restart any services?