Thank you, EKU clientAuth was missing; including it got p11_child working.
However, still no luck with using the key with sssd and pkinit. kinit works fine with the
key, but login (tty and lightdm) never asks for the PIN. Instead it asks for a password two
times and accepts the second as a local user-no-kerberos-login, when the key is plugged
in, and only one time when the key is not plugged in, giving me a Kerberos login with
ticket.
I looked into the code and did some debugging and found that krb5_child signals
SSS_CERT_AUTH_PROMPTING (code 12) to pam_sss, which it does not know how to handle. But I
may be totally mistaken here. And anyway, I am without a clue.