I tried this on another test server, and configured NIS for the users, which are different. Same issue. All the verbose output adds a lot of log noise but I'm hoping it provides a clue.

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Here is the output of ssh -o PubkeyAuthentication=no -vvv -k ouruser@ourserver:
OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS  8 Dec 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host ourserver originally ourserver
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ourserver
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to ourserver:22 as 'ouruser'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:31
debug3: load_hostkeys: loaded 1 keys from ourserver
debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts"
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:yVm8V2ODZo0nAuvr9k2ydTJv0RtOgkl8Sp5Mkmp/F0M
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:31
debug3: load_hostkeys: loaded 1 keys from ourserver
debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts"
debug1: Host 'ourserver' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:31
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:Sena4XB1wVt7x+o55Y9EI5WnQIyZ/SLFk+t6tmBFMYA
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-with-mic,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server host/ourserver.edu@ourserver.edu not found in Kerberos database
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

And here are the server logs from /var/log/secure, and you can see sssd is being used:
Feb 10 14:36:24 ourserver sshd[3024290]: debug1: Forked child 3084339.
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Set /proc/self/oom_score_adj to 0
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: inetd sockets after dupping: 4, 4
Feb 10 14:36:24 ourserver sshd[3084339]: Connection from x.x.x.x port 34160 on 150.108.68.128 port 22 rdomain ""
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Local version string SSH-2.0-OpenSSH_8.4
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SELinux support disabled [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: permanently_set_uid: 74/74 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_KEXINIT received [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: rekey out after 4294967296 blocks [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: rekey in after 4294967296 blocks [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: KEX done [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: attempt 0 failures 0 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: connection from x.x.x.x matched 'Address 192.168.0.*,127.0.0.1,10.10.1.*' at line 158
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: PAM: initializing for "ouruser"
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: PAM: setting PAM_RHOST to "x.x.x.x"
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method gssapi-with-mic [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: attempt 1 failures 0 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: attempt 2 failures 0 [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: keyboard-interactive devs  [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 10 14:36:24 ourserver sshd[3084339]: Postponed keyboard-interactive for ouruser from x.x.x.x port 34160 ssh2 [preauth]
Feb 10 14:36:28 ourserver sshd[3084344]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=ouruser
Feb 10 14:36:28 ourserver proxy_child: pam_unix(sssd-shadowutils:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=ouruser
Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Feb 10 14:36:31 ourserver sshd[3084344]: pam_sss(sshd:auth): received for user ouruser: 7 (Authentication failure)
Feb 10 14:36:33 ourserver sshd[3084339]: error: PAM: Authentication failure for ouruser from x.x.x.x
Feb 10 14:36:33 ourserver sshd[3084339]: Failed keyboard-interactive/pam for ouruser from x.x.x.x port 34160 ssh2
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: attempt 3 failures 1 [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: keyboard-interactive devs  [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 10 14:36:33 ourserver sshd[3084339]: Postponed keyboard-interactive for ouruser from x.x.x.x port 34160 ssh2 [preauth]

I verified the FreeIPA password in both the GUI and via ipa user-mod. The only time the user is able to log in is using the NIS password. ldapsearch -x -D and kinit username work successfully. klist displays the user details correctly.

I can see that the installation script edits /etc/ssh/sshd_config with:
Include /etc/ssh/sshd_config.d/04-ipa.conf

which has:
PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

When the NIS password is used successfully here are the server logs:
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user ouruser service ssh-connection method none [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 0 failures 0 [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: connection from x.x.x.x matched 'Address 192.168.0.*,127.0.0.1,10.10.1.*' at line 158
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: initializing for "ouruser"
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_RHOST to "x.x.x.x"
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user ouruser service ssh-connection method gssapi-with-mic [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 1 failures 0 [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: attempt 2 failures 0 [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: keyboard-interactive devs  [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: kbdint_alloc: devices 'pam' [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Feb 10 14:56:39 ourserver sshd[3085147]: Postponed keyboard-interactive for ouruser from x.x.x.x port 35046 ssh2 [preauth]
Feb 10 14:56:42 ourserver sshd[3085152]: debug1: do_pam_account: called
Feb 10 14:56:42 ourserver sshd[3085147]: debug1: PAM: num PAM env strings 2
Feb 10 14:56:42 ourserver sshd[3085147]: Postponed keyboard-interactive/pam for ouruser from x.x.x.x port 35046 ssh2 [preauth]
Feb 10 14:56:42 ourserver sshd[3085147]: debug1: do_pam_account: called

I do see the error that sticks out is "Server host/ourserver.edu@ourserver.edu not found in Kerberos database", but we have students that log in from all over the world, so do all clients need to be added? iptables, firewalld, and nftables are off and disabled. No hbac rules:
ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: allow_systemd-user
  User category: all
  Host category: all
  Description: Allow pam_systemd to run user@.service to create a system user session
  Enabled: TRUE
----------------------------
Number of entries returned 2

Am I missing something obvious to regulars?


On Tue, Feb 9, 2021 at 12:34 PM Robert Kudyba <rkudyba@fordham.edu> wrote:
On Tue, Feb 9, 2021 at 12:20 PM Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Tue, Feb 09, 2021 at 11:33:15AM -0500, Robert Kudyba via FreeIPA-users wrote:
> >
> > looks like sshd is trying to read /home/ouruser/.ssh/authorized_keys and
> > is stuck. Can you read this file from the command line? Is it e.g. on
> > NFS which might not be properly mounted?
> >
> > Does it work if you skip pubkey authentication
> >
> >     ssh -o PubkeyAuthentication=no -vv -k ouruser@ourserver
> >
> > bye,
> > Sumit
> >
>
> Thanks for the suggestion. What happens is the NIS password works. The
> FreeIPA password, which I update with:
> ipa user-mod ouruser --setattr "userpassword=xxxx", fails with the below
> errors/logs
>
> Feb  9 11:10:34 ourserver sshd[381563]: debug1: Forked child 536086.
> Feb  9 11:10:34 ourserver sshd[536086]: debug1: Set
> /proc/self/oom_score_adj to 0
> Feb  9 11:10:34 ourserver sshd[536086]: debug1: rexec start in 5 out 5
> newsock 5 pipe 7 sock 8
> Feb  9 11:10:34 ourserver sshd[536086]: debug1: inetd sockets after
> dupping: 4, 4
> Feb  9 11:10:34 ourserver sshd[536086]: Connection from x.x.x.x port 53332
> on 150.108.64.156 port 22 rdomain ""
> Feb  9 11:10:34 ourserver sshd[536086]: debug1: Local version string
> SSH-2.0-OpenSSH_8.4
> Feb  9 11:10:34 ourserver sshd[536086]: debug1: Remote protocol version
> 2.0, remote software version OpenSSH_8.4
> Feb  9 11:10:34 ourserver sshd[536086]: debug1: match: OpenSSH_8.4 pat
> OpenSSH* compat 0x04000000
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: SELinux support disabled
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: permanently_set_uid: 74/74
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: list_hostkey_types:
> rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT sent
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_KEXINIT received
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: algorithm:
> curve25519-sha256 [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: host key algorithm:
> ecdsa-sha2-nistp256 [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: client->server cipher:
> aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: server->client cipher:
> aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
> need=32 dh_need=32 [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: kex: curve25519-sha256
> need=32 dh_need=32 [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting
> SSH2_MSG_KEX_ECDH_INIT [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey out after 4294967296
> blocks [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS sent
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: Sending SSH2_MSG_EXT_INFO
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: expecting SSH2_MSG_NEWKEYS
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: SSH2_MSG_NEWKEYS received
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: rekey in after 4294967296
> blocks [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: KEX done [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user
> ouruser service ssh-connection method none [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 0 failures 0
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: initializing for
> "ouruser"
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_RHOST to
> "x.x.x.x"
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: PAM: setting PAM_TTY to
> "ssh"
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: userauth-request for user
> ouruser service ssh-connection method keyboard-interactive [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: attempt 1 failures 0
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: keyboard-interactive devs
>  [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge:
> user=ouruser devs= [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam'
> [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: debug1: auth2_challenge_start:
> trying authentication method 'pam' [preauth]
> Feb  9 11:10:35 ourserver sshd[536086]: Postponed keyboard-interactive for
> ouruser from x.x.x.x port 53332 ssh2 [preauth]
> Feb  9 11:10:39 ourserver sshd[536091]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=ouruser
> Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
> Feb  9 11:10:39 ourserver sshd[536091]: pam_sss(sshd:auth): received for
> user ouruser: 9 (Authentication service cannot retrieve authentication info)
> Feb  9 11:10:41 ourserver sshd[536086]: error: PAM: Authentication failure
> for ouruser from x.x.x.x
> Feb  9 11:10:41 ourserver sshd[536086]: Failed keyboard-interactive/pam for
> ouruser from x.x.x.x port 53332 ssh2
> Feb  9 11:10:41 ourserver sshd[536086]: debug1: userauth-request for user
> ouruser service ssh-connection method keyboard-interactive [preauth]
> Feb  9 11:10:41 ourserver sshd[536086]: debug1: attempt 2 failures 1
> [preauth]
> Feb  9 11:10:41 ourserver sshd[536086]: debug1: keyboard-interactive devs
>  [preauth]
> Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge:
> user=ouruser devs= [preauth]
> Feb  9 11:10:41 ourserver sshd[536086]: debug1: kbdint_alloc: devices 'pam'
> [preauth]
> Feb  9 11:10:41 ourserver sshd[536086]: debug1: auth2_challenge_start:
> trying authentication method 'pam' [preauth]
> Feb  9 11:10:41 ourserver sshd[536086]: Postponed keyboard-interactive for
> ouruser from x.x.x.x port 53332 ssh2 [preauth]
>
>
> With the NIS password the logs show this:

Hi,

did you drop what happened before or is this the only debug output for
the NIS password?

The below here are just logs from /var/log/secure for the user that successfully logs in with his/her NIS password.

By "drop what happened before" do you mean the original log snip? Yes I removed those in an attempt to shorten the message content.

> Feb  9 11:16:57 debug1: do_pam_account: called
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: PAM: num PAM env strings 2
> Feb  9 11:16:57 ourserver sshd[536226]: Postponed keyboard-interactive/pam
> for cai from 150.108.68.26 port 53646 ssh2 [preauth]
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: do_pam_account: called
> Feb  9 11:16:57 ourserver sshd[536226]: Accepted keyboard-interactive/pam
> for cai from 150.108.68.26 port 53646 ssh2
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: monitor_child_preauth: cai
> has been authenticated by privileged process
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: monitor_read_log: child log
> fd closed
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: audit_event: unhandled
> event 2
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: temporarily_use_uid:
> 5879/200 (e=0/0)
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: ssh_gssapi_storecreds: Not
> a GSSAPI mechanism
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: restore_uid: 0/0
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: SELinux support disabled
> Feb  9 11:16:57 ourserver sshd[536226]: debug1: PAM: establishing
> credentials
> Feb  9 11:16:57 ourserver systemd[536237]: pam_unix(systemd-user:session):
> session opened for user cai(uid=5879) by (uid=0)
>
> What options should be set in /etc/ssh/sshd_config? Is sssd necessary for
> this to work with the FreeIPA password

 
Yes, SSSD must be configured and running. sssd does appear to be working fine and in /etc/ipa/ca.crt and the service is running correctly:

[domain/ourdomain.edu]

id_provider = ipa
ipa_server_mode = True
ipa_server = ourdomain.edu
ipa_domain = ourdomain.edu
ipa_hostname = ourdomain.edu
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo

domains = ourdomain.edu
[nss]
homedir_substring = /home
memcache_timeout = 600

[ifp]
allowed_uids = ipaapi, root

systemctl status sssd
* sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-01-29 14:31:34 EST; 1 weeks 3 days ago
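
To compare the failed and successful attempts in the /var/log/secure excerpts in this thread, the following added example (not from the thread, FreeIPA or SSSD) collects, per user, which PAM modules logged a failure, which return code pam_sss reported, and what sshd finally decided. The sample lines are constructed to mirror the formats shown above; the host name, user names and address are placeholders, and the code-to-name table uses the Linux-PAM constants.

```python
import re
from collections import defaultdict

# Linux-PAM return codes as they appear in pam_sss "received for user" lines.
PAM_CODES = {7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

# "Feb  9 11:10:39 host sshd[536091]: message"; the [pid] is optional (proxy_child).
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\s"
                    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$")
# "pam_unix(sshd:auth): authentication failure; ... user=name"
MODULE_FAIL = re.compile(r"^(?P<module>pam_\w+)\((?P<svc>[^:)]+):auth\): "
                         r"authentication failure;.*\buser=(?P<user>\S+)")
# "pam_sss(sshd:auth): received for user name: 9 (text)"
SSS_RESULT = re.compile(r"^pam_sss\((?P<svc>[^:)]+):auth\): received for user "
                        r"(?P<user>\S+): (?P<code>\d+) \((?P<text>.*)\)$")
# "Failed keyboard-interactive/pam for name from addr port N ssh2"
OUTCOME = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
                     r"(?P<user>\S+) from (?P<addr>\S+) port \d+")


def parse_secure(lines):
    """Turn raw log lines into auth events; debug and unrelated lines are skipped."""
    events = []
    for line in lines:
        m = SYSLOG.match(line.strip())
        if not m:
            continue
        msg, base = m["msg"], {"ts": m["ts"], "proc": m["proc"]}
        if (r := SSS_RESULT.match(msg)):
            code = int(r["code"])
            events.append({**base, "kind": "sss_result", "user": r["user"],
                           "code": code, "name": PAM_CODES.get(code, "UNKNOWN")})
        elif (f := MODULE_FAIL.match(msg)):
            events.append({**base, "kind": "module_fail", "user": f["user"],
                           "module": f["module"], "service": f["svc"]})
        elif (o := OUTCOME.match(msg)):
            events.append({**base, "kind": "outcome", "user": o["user"],
                           "result": o["result"], "method": o["method"]})
    return events


def summarize(events):
    """Group events by user, keeping the order in which they were logged."""
    users = defaultdict(lambda: {"failed_modules": [], "sss_codes": [], "outcomes": []})
    for e in events:
        u = users[e["user"]]
        if e["kind"] == "module_fail":
            u["failed_modules"].append(f'{e["module"]}({e["service"]})')
        elif e["kind"] == "sss_result":
            u["sss_codes"].append((e["code"], e["name"]))
        else:
            u["outcomes"].append((e["result"], e["method"]))
    return dict(users)


def verdict(entry):
    """One-line result: acceptance wins, otherwise the last pam_sss return code."""
    accepted = [method for result, method in entry["outcomes"] if result == "Accepted"]
    if accepted:
        return f"accepted via {accepted[-1]}"
    if entry["sss_codes"]:
        code, name = entry["sss_codes"][-1]
        return f"failed: pam_sss returned {name} ({code})"
    if entry["failed_modules"]:
        return "failed: " + ", ".join(entry["failed_modules"])
    return "no auth result logged"


# Constructed sample lines modelled on the log formats in this thread.
SAMPLE = """\
Feb  9 11:10:35 host.example sshd[1001]: debug1: PAM: initializing for "alice"
Feb  9 11:10:39 host.example sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice
Feb  9 11:10:39 host.example sshd[1002]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Feb  9 11:10:39 host.example sshd[1002]: pam_sss(sshd:auth): received for user alice: 9 (Authentication service cannot retrieve authentication info)
Feb  9 11:10:41 host.example sshd[1001]: Failed keyboard-interactive/pam for alice from 192.0.2.10 port 53332 ssh2
Feb 10 14:36:28 host.example sshd[2002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=bob
Feb 10 14:36:28 host.example proxy_child: pam_unix(sssd-shadowutils:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=bob
Feb 10 14:36:31 host.example sshd[2002]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=bob
Feb 10 14:36:31 host.example sshd[2002]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
Feb 10 14:36:33 host.example sshd[2001]: Failed keyboard-interactive/pam for bob from 192.0.2.10 port 34160 ssh2
Feb  9 11:16:57 host.example sshd[3001]: Postponed keyboard-interactive/pam for carol from 192.0.2.10 port 53646 ssh2 [preauth]
Feb  9 11:16:57 host.example sshd[3001]: Accepted keyboard-interactive/pam for carol from 192.0.2.10 port 53646 ssh2
""".splitlines()

if __name__ == "__main__":
    for user, entry in summarize(parse_secure(SAMPLE)).items():
        print(f"{user}: {verdict(entry)}; failed modules: {entry['failed_modules']}")
```
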