The in-memory keytab is something SSSD copies the keys from
/etc/krb5.keytab into for own internal operations, it is OK to not being
able to access it.

Your problem is different. 'Pre-authentication failed' is Kerberos speak
for a wrong key (or password) used by the client. This means you have
different key in the keytab (/etc/krb5.keytab) and in the KDC database.

What you need to do:
   - check which key version number is in your /etc/krb5.keytab with
     klist -k -t /etc/krb5.keytab -- your output above shows that KVNO
     value is '2'.

   - use the following to query for a KVNO number as seen by the KDC:
     kinit admin
     kvno -S host myipaserver

If the output of 'kvno' command shows different number, you need to
synchronize the keytab and the key in the IPA KDC database. To do that,
you can use ipa-getkeytab command:

kinit admin
ipa-getkeytab -s myipaserver -k /path/to/krb5.keytab-on-container-volume -p host/myipaserver

This will force re-generation of the host keytab for myipaserver machine
and will store new keys in the krb5.keytab file that is on the container
volume. After this SSSD should be able to use it.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland