Thank you. I've run the following command on the broken client. In this instance
'ipa.ipa.domain.edu' is the IPA server. 'IPA$(a)DOMAIN.EDU' was used simply
because it's what I saw in the logs.
KRB5CCNAME=/var/lib/sss/db/ccache_IPA.DOMAIN.EDU /usr/sbin/ipa-getkeytab -r -s
ipa.ipa.domain.edu -p 'IPA$(a)DOMAIN.EDU' -k
/var/lib/sss/keytabs/domain.edu.keytab-test
The result is:
`Failed to load translations
Failed to parse result: Insufficient access rights
Failed to get keytab`