Haven’t tried, but Davide mentioned adding and option in sssd.conf file (or a custom template), or ignore the message:
The “tkey query failed” lines correspond to failed PTR updates. They can be disabled by setting
dyndns_update_ptr = falsein sssd.confHowever “tsig verify failure” lines still remain. It seems not to be a real issue though:
Unfortunately also TSIG failure is reported as an error, even if server reported success and nsupdate understands it. – 1394320 – sssd can't update PTR dns record in AD leading to kerberos problems