# Terminal transcript from an IPA client: three files printed with cat.
# Line breaks are restored from a collapsed paste. Every "NOTE(review)" line is
# an annotation for the reader, not part of the files on disk.
[root@ipa-client ~]# cat /etc/sssd/sssd.conf
[domain/ipa.domain.acme.com]
# NOTE(review): SSSD keeps a hashed copy of user credentials in its local cache
# so logins work while the IPA servers are unreachable. [pam] below sets no
# offline_credentials_expiration, so the SSSD default applies (documented as
# no limit; confirm for the installed version).
cache_credentials = True
# NOTE(review): while offline, the user's password is held in the kernel keyring
# until a TGT can be requested. The sssd-krb5 man page describes it as stored in
# plaintext there; enable it only where that trade-off is accepted.
krb5_store_password_if_offline = True
ipa_domain = ipa.domain.acme.com
id_provider = ipa
auth_provider = ipa
# NOTE(review): the ipa access provider evaluates HBAC rules at login; who may
# log in to this host is decided on the IPA server, not in this file.
access_provider = ipa
ipa_hostname = ipa-client.ipa.domain.acme.com
chpass_provider = ipa
# NOTE(review): _srv_ means DNS SRV discovery is tried first, then the named
# server; server selection therefore depends on the integrity of DNS answers.
ipa_server = _srv_, va-prod-ipa01.ipa.domain.acme.com
# CA certificate used to validate the LDAP server's TLS certificate.
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_auth_timeout = 30
#debug_level = 9
ldap_search_timeout = 30

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.domain.acme.com

[nss]
homedir_substring = /home
# NOTE(review): the documented numeric range is 0-9, so 10 is outside it;
# check how the installed SSSD interprets it. Verbose logs record user and
# group lookups in detail; lower this again once troubleshooting is done.
debug_level = 10

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]
[root@ipa-client ~]# cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = IPA.DOMAIN.ACME.COM
# NOTE(review): realm and KDC discovery through DNS (TXT and SRV records).
# Convenient, but it makes DNS part of the authentication trust path.
dns_lookup_realm = true
dns_lookup_kdc = true
# rdns and dns_canonicalize_hostname are off, so service principal names are
# not rewritten from reverse or forward DNS lookups.
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
# NOTE(review): tickets are requested as forwardable by default, so a TGT can
# be delegated to hosts the user connects to.
forwardable = true
# 0 makes the library try TCP first for every KDC request.
udp_preference_limit = 0
#default_ccache_name = KEYRING:persistent:%{uid}
# temp workaround for kernel limitations
# NOTE(review): with FILE: caches, tickets are ordinary files in /tmp,
# protected only by file ownership and mode, and they can outlive the login
# session. Go back to the KEYRING (or KCM) cache once the kernel limitation
# mentioned above no longer applies.
default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
IPA.DOMAIN.ACME.COM = {
    # CA bundles used for PKINIT: trust anchors for the KDC certificate and a
    # pool of intermediate certificates.
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
# NOTE(review): the MIT krb5.conf documentation says host and domain names in
# this section should be lower case. The mixed case here may only be an
# artefact of anonymising the paste; verify against the file on disk.
.ipa.DOMAIN.ACME.com = IPA.DOMAIN.ACME.COM
ipa.DOMAIN.ACME.com = IPA.DOMAIN.ACME.COM
ipa-client.ipa.DOMAIN.ACME.com = IPA.DOMAIN.ACME.COM
[root@ipa-client ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_ipa_DOMAIN_ACME_com
# NOTE(review): SSSD writes the files under /var/lib/sss/pubconf, so manual
# edits here are likely to be overwritten; change the trust configuration
# instead. This file is pulled in by the second includedir line of
# /etc/krb5.conf shown above.
[domain_realm]
.DOMAIN.ACME.com = DOMAIN.ACME.COM
DOMAIN.ACME.com = DOMAIN.ACME.COM

[capaths]
# Cross-realm authentication paths between the IPA realm and DOMAIN.ACME.COM,
# one entry per direction.
DOMAIN.ACME.COM = {
    IPA.DOMAIN.ACME.COM = DOMAIN.ACME.COM
}
IPA.DOMAIN.ACME.COM = {
    DOMAIN.ACME.COM = DOMAIN.ACME.COM
}
# NOTE(review): the prompt below shows a different hostname from the earlier
# ones, which suggests the transcript was only partly anonymised before posting.
[root@va-prod-agent04 ~]#