Furthermore the authentication recently stopped working (I do not use domain accounts every day…). In sssd journal found
[sssd[krb5_child[3013]]][3013]: Encryption type not permitted
To workaround kerberos issues with encryption algorithms, I set the LEGACY policy in /etc/crypto-policies/config as follow:
# This file should contain a single keyword, the crypto policy to
# be applied by default to applications. The available policies are
# restricted to the following profiles.
#
# * LEGACY: ensures maximum compatibility with legacy systems (64-bit
# security)
#
# * DEFAULT: A reasonable default for today's standards (80-bit security).
#
# * FUTURE: A level that will provide security on a conservative level that is
# believed to withstand any near-term future attacks (128-bit security).
#
# After modifying this file, you need to run update-crypto-policies
# for the changes to propagate.
#
LEGACY