On Thu, Mar 11, 2021 at 2:31 PM Rob Crittenden <rcritten@redhat.com> wrote:
Robert Kudyba via FreeIPA-users wrote:
> I believe we've made some progress but not quite there yet. Just to recap, any NEW user created via CLI or GUI can connect via ssh. All imported NIS users can only log in with their NIS password. I change the user's password in the UI and check the Password checkbox in User authentication type and click Save.
>
> I successfully added a client:
>
> ipa host-add-managedby --hosts=ourdomain.edu client.ourdomain.edu
>   Host name: client.ourdomain.edu
>   Platform: x86_64
>   Operating system: 5.10.9-201.fc33.x86_64
>   Principal name: host/client.ourdomain.edu@OURDOMAIN.EDU
>   Principal alias: host/client.ourdomain.edu@OURDOMAIN.EDU
>   Managed by: client.ourdomain.edu, ourdomain.edu
> -------------------------
> Number of members added 1
> -------------------------
>
> [root@ourdomain ~]# ipa-getkeytab -s ourdomain.edu -p host/client.ourdomain.edu -k /tmp/client.keytab
> Keytab successfully retrieved and stored in: /tmp/client.keytab

This is why SSSD isn't working. SSSD uses the host keytab in
/etc/krb5.keytab and you invalidated it with the above command.

OK, what do I need to do to fix this? I got this from https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html (which I realize is old),
 
> Based on this SF discussion
> <https://serverfault.com/questions/609086/freeipa-command-line-tools-do-not-work-no-kerberos-credentials-available>,
> I changed in /etc/krb5.conf:
> default_ccache_name = FILE:/tmp/krb5cc_%{uid}

I don't think this is necessary.

OK, thanks for letting me know.

Are these SSH logs helpful?

NEEDED_PREAUTH: host/client.ourdomain.edu@OURDOMAIN.EDU for krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU, Additional pre-authentication required
Mar 11 13:38:28 ourdomain.edu krb5kdc[369141](info): closing down fd 11
Mar 11 13:38:28 ourdomain.edu krb5kdc[369144](info): preauth (spake) verify failure: Preauthentication failed

Does this have to do with your comment above about SSSD not working?
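An added example, not part of the thread, showing the check Rob's point calls for and the in-place repair. ipa-getkeytab run without -r generates a fresh key for host/client.ourdomain.edu on the KDC and bumps its key version number (KVNO), so the copy of the key in the client's /etc/krb5.keytab no longer matches; SSSD's AS-REQ with that stale key is exactly what the KDC logs as "preauth (spake) verify failure: Preauthentication failed". The script compares the KVNO stored in the keytab with the KVNO the KDC now issues, then shows the refresh that fetches the key straight into /etc/krb5.keytab. Hostnames and the realm are taken from the thread; the klist and kvno output is constructed for the example, and the live and repair functions are only defined, not run.

```shell
#!/bin/sh
# Added diagnostic for the situation in the thread: ipa-getkeytab without -r
# generates a new key for the host principal on the KDC (KVNO goes up), so
# the key in the client's /etc/krb5.keytab no longer matches and SSSD's
# AS-REQ fails with "Preauthentication failed". Names come from the thread;
# the sample command output below is constructed, not captured from it.

PRINC='host/client.ourdomain.edu@OURDOMAIN.EDU'

# Constructed stand-in for `klist -k /etc/krb5.keytab` on the client.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.ourdomain.edu@OURDOMAIN.EDU
   2 host/client.ourdomain.edu@OURDOMAIN.EDU'

# Constructed stand-in for `kvno host/client.ourdomain.edu` run with a valid
# TGT: the KDC now issues service tickets for key version 3.
SAMPLE_KVNO='host/client.ourdomain.edu@OURDOMAIN.EDU: kvno = 3'

# keytab_kvno LISTING PRINCIPAL: highest KVNO stored for PRINCIPAL in
# `klist -k` output (one line per enctype, all carrying the same KVNO).
# Prints 0 when the principal is not in the keytab.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# kdc_kvno OUTPUT: the version number from `kvno` output "princ: kvno = N".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# keytab_verdict LISTING KVNO_OUTPUT PRINCIPAL: prints "missing" when the
# principal is not in the keytab, "stale" when the keytab holds an older key
# version than the KDC issues, and "current" otherwise.
keytab_verdict() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    if [ "$kt" -eq 0 ]; then
        echo missing
    elif [ "$kt" -lt "$kdc" ]; then
        echo stale
    else
        echo current
    fi
}

# Live version of the check, to run as root on the client after `kinit admin`
# (kvno needs a TGT to request a service ticket). Not executed here.
check_live_keytab() {
    keytab_verdict "$(klist -k /etc/krb5.keytab)" "$(kvno "$1")" "$1"
}

# Repair, also not executed here: fetch the host key straight into the keytab
# SSSD reads, then restart SSSD. Without -r this rotates the key once more,
# which is fine as long as /etc/krb5.keytab is the only copy that must stay
# valid; any keytab fetched earlier into /tmp is dead after this.
refresh_host_keytab() {
    ipa-getkeytab -s ourdomain.edu -p "$1" -k /etc/krb5.keytab && systemctl restart sssd
}

keytab_verdict "$SAMPLE_KLIST" "$SAMPLE_KVNO" "$PRINC"   # prints: stale
```

With a real keytab the quick confirmation is `kinit -kt /etc/krb5.keytab host/client.ourdomain.edu`: if that fails with "Preauthentication failed" while `kvno` reports a higher version than `klist -k`, the keytab is stale and `refresh_host_keytab` (or re-running ipa-client-install on the client) puts the current key back where SSSD looks for it.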