have you enabled the migration mode with

    ipa config-mod --enable-migration=True

I've tried it with True and False. At what point should this be changed to False?
 
With this, authentication with SSSD should fall back to LDAP
authentication if the Kerberos keys are not available and this would
trigger a creation of the Kerberos keys for the user trying to log in.

The fallback appears to be NIS. 

The good news is the user can log in to the GUI, i.e. https://ourserver/ipa/ui, and change their password, but I do see this error in the Apache error log, which sounds like this issue:
[Wed Mar 03 13:53:07.526386 2021] [wsgi:error] [pid 16169:tid 16554] [remote xx.xx.xx.xx:63098] ipa: DEBUG: Destroyed connection context.ldap2_140265125387520
[Wed Mar 03 13:53:07.563873 2021] [:warn] [pid 16174:tid 16239] [client xx.xx.xx.xx:63098] failed to set perms (3140) on file (/run/ipa/ccaches/admin@OURDOMAIN.EDU-jhCS0U)!, referer: https://ourdomain.edu/ipa/ui/
[Wed Mar 03 13:53:07.564720 2021] [wsgi:error] [pid 16170:tid 16545] [remote xx.xx.xx.xx:63098] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Mar 03 13:53:07.564838 2021] [wsgi:error] [pid 16170:tid 16545] [remote xx.xx.xx.xx:63098] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Mar 03 13:53:07.570164 2021] [:warn] [pid 16174:tid 16285] [client xx.xx.xx.xx:63076] failed to set perms (3140) on file (/run/ipa/ccaches/adminOURDOMAIN.EDU-jhCS0U)!, referer: https://ourdomain.edu/ipa/ui/


Now from ssh -vvv -k this is what we see:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /ouruser/.ssh/id_rsa RSA SHA256:2ucGhU53Ue6Z8BbwowH5U3ykOoVL8F8oN1NbPUCt2vU
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /ouruser/.ssh/id_dsa
debug3: no such identity: /ouruser/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /ouruser/.ssh/id_ecdsa
debug3: no such identity: /ouruser/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /ouruser/.ssh/id_ecdsa_sk
debug3: no such identity: /ouruser/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /ouruser/.ssh/id_ed25519
debug3: no such identity: /ouruser/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /ouruser/.ssh/id_ed25519_sk
debug3: no such identity: /ouruser/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /ouruser/.ssh/id_xmss
debug3: no such identity: /ouruser/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication


Is this a clue?
Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)
 
From the ssh server logs, set to debug:
Mar  3 14:00:46 ourserver sshd[79161]: debug1: attempt 0 failures 0 [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: debug1: PAM: initializing for "ouruser"
Mar  3 14:00:46 ourserver sshd[79161]: debug1: PAM: setting PAM_RHOST to "x.x.x.x"
Mar  3 14:00:46 ourserver sshd[79161]: debug1: PAM: setting PAM_TTY to "ssh"
Mar  3 14:00:46 ourserver sshd[79161]: debug1: userauth-request for user ouruser service ssh-connection method publickey [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: debug1: attempt 1 failures 0 [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:2ucGhU53Ue6Z8BbwowH5U3ykOoVL8F8oN1NbPUCt2vU [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: debug1: temporarily_use_uid: 6915/200 (e=0/0)
Mar  3 14:00:46 ourserver sshd[79161]: debug1: trying public key file /home/ouruser/.ssh/authorized_keys
Mar  3 14:00:46 ourserver sshd[79161]: debug1: Could not open authorized keys '/home/ouruser/.ssh/authorized_keys': No such file or directory
Mar  3 14:00:46 ourserver sshd[79161]: debug1: restore_uid: 0/0
Mar  3 14:00:46 ourserver sshd[79161]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Mar  3 14:00:46 ourserver sshd[79161]: debug1: restore_uid: 0/0
Mar  3 14:00:46 ourserver sshd[79161]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Mar  3 14:00:46 ourserver sshd[79161]: debug1: restore_uid: 0/0
Mar  3 14:00:46 ourserver sshd[79161]: Failed publickey for ouruser from x.x.x.x port 40248 ssh2: RSA SHA256:2ucGhU53Ue6Z8BbwowH5U3ykOoVL8F8oN1NbPUCt2vU
Mar  3 14:00:46 ourserver sshd[79161]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: debug1: attempt 2 failures 1 [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: debug1: keyboard-interactive devs  [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: debug1: kbdint_alloc: devices 'pam' [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Mar  3 14:00:46 ourserver sshd[79161]: Postponed keyboard-interactive for ouruser from x.x.x.x port 40248 ssh2 [preauth]
Mar  3 14:00:50 ourserver sshd[79168]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=ouruser
Mar  3 14:00:50 ourserver sshd[79168]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar  3 14:00:50 ourserver sshd[79168]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
Mar  3 14:00:52 ourserver sshd[79161]: error: PAM: Authentication failure for ouruser from x.x.x.x
Mar  3 14:00:52 ourserver sshd[79161]: Failed keyboard-interactive/pam for ouruser from x.x.x.x port 40248 ssh2
Mar  3 14:00:52 ourserver sshd[79161]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Mar  3 14:00:52 ourserver sshd[79161]: debug1: attempt 3 failures 2 [preauth]
Mar  3 14:00:52 ourserver sshd[79161]: debug1: keyboard-interactive devs  [preauth]
Mar  3 14:00:52 ourserver sshd[79161]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Mar  3 14:00:52 ourserver sshd[79161]: debug1: kbdint_alloc: devices 'pam' [preauth]
Mar  3 14:00:52 ourserver sshd[79161]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]


Here are the server logs on a successful login with the NIS password:
Mar  3 14:06:09 ourserver sshd[79292]: Accepted keyboard-interactive/pam for ouruser from xx.xx.xx.xx port 40252 ssh2
Mar  3 14:06:09 ourserver sshd[79292]: debug1: monitor_child_preauth: ouruser has been authenticated by privileged process
Mar  3 14:06:09 ourserver sshd[79292]: debug1: monitor_read_log: child log fd closed
Mar  3 14:06:09 ourserver sshd[79292]: debug1: audit_event: unhandled event 2
Mar  3 14:06:09 ourserver sshd[79292]: debug1: temporarily_use_uid: 6915/200 (e=0/0)
Mar  3 14:06:09 ourserver sshd[79292]: debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
Mar  3 14:06:09 ourserver sshd[79292]: debug1: restore_uid: 0/0
Mar  3 14:06:09 ourserver sshd[79292]: debug1: SELinux support disabled
Mar  3 14:06:09 ourserver sshd[79292]: debug1: PAM: establishing credentials
Mar  3 14:06:09 ourserver systemd[79307]: pam_unix(systemd-user:session): session opened for user ouruser(uid=6915) by (uid=0)
Mar  3 14:06:10 ourserver sshd[79292]: pam_unix(sshd:session): session opened for user ouruser(uid=6915) by (uid=0)
Mar  3 14:06:10 ourserver sshd[79292]: User child is on pid 79320
Mar  3 14:06:10 ourserver sshd[79320]: debug1: PAM: establishing credentials

So it clearly says it's "Not a GSSAPI mechanism".

/etc/nsswitch.conf (which is a symbolic link to /etc/authselect/nsswitch.conf)
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss
shadow:     files nis
hosts:      files nis mdns4_minimal [NOTFOUND=return] dns myhostname mymachines


And /etc/authselect/user-nsswitch.conf has
passwd:      files nis systemd
shadow:     files nis
group:       files nis systemd
hosts:      files nis mdns4_minimal [NOTFOUND=return] dns myhostname mymachines


Why is the Kerberos login failing?
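
An added example, not part of the original post: a small triage script that pulls the PAM module failures, the numeric pam_sss result and the final sshd verdict out of logs like the ones above, grouped per user. The function and variable names are illustrative, the sample lines are constructed in the format of the post's log, and the code-to-name table is a subset of the Linux-PAM return codes.

```python
import re
from collections import defaultdict

# Subset of Linux-PAM return codes (values from _pam_types.h).
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

PAM_CODE = re.compile(r"pam_sss\(sshd:auth\): received for user (\S+): (\d+) \(")
PAM_FAIL = re.compile(r"(pam_\w+)\(sshd:auth\): authentication failure;.*\buser=(\S+)")
RESULT = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from")

# Constructed sample lines in the format of the sshd log shown in the post.
SAMPLE = """\
Mar  3 14:00:46 ourserver sshd[79161]: Failed publickey for ouruser from x.x.x.x port 40248 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 14:00:50 ourserver sshd[79168]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=ouruser
Mar  3 14:00:50 ourserver sshd[79168]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar  3 14:00:50 ourserver sshd[79168]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
Mar  3 14:00:52 ourserver sshd[79161]: Failed keyboard-interactive/pam for ouruser from x.x.x.x port 40248 ssh2
Mar  3 14:06:09 ourserver sshd[79292]: Accepted keyboard-interactive/pam for ouruser from x.x.x.x port 40252 ssh2
"""


def summarize(log_text):
    """Group PAM module failures, pam_sss codes and sshd verdicts by user."""
    # PAM lines can carry a different sshd PID than the session they belong
    # to (79168 vs 79161 in the post), so key on the user name, not the PID.
    users = defaultdict(
        lambda: {"pam_failed": [], "sss_codes": [], "results": []})
    for line in log_text.splitlines():
        if m := PAM_CODE.search(line):
            code = int(m.group(2))
            name = PAM_CODES.get(code, "unknown")
            users[m.group(1)]["sss_codes"].append((code, name))
        elif m := PAM_FAIL.search(line):
            users[m.group(2)]["pam_failed"].append(m.group(1))
        elif m := RESULT.search(line):
            users[m.group(3)]["results"].append((m.group(1), m.group(2)))
    return dict(users)


if __name__ == "__main__":
    for user, info in summarize(SAMPLE).items():
        print(user, info)
```
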