It seems to be an interop problem between the server and client. The
RHEL 9 server is wrapping the secret with AES but the client is trying
to use TripleDES (and only supports 3DES).
Upstream ticket
https://pagure.io/freeipa/issue/6524 changed from a
hardcoded wrapping algorithm to be more flexible but this is apparently
not backwards compatible.
I'm not deeply familiar with this wrapping code so I don't know if there
is a workaround yet.
Any chance you can file a RHEL-8 bug against ipa for this while I
continue looking?
thanks
rob