Brand new Debian box (tried Buster, then when that didn;' work, upgraded tp unstable - meh, it's a test box to get things sorted out before production use).
Minimal setup (unchecked everything in TaskSel step during install; later used TaskSel to add X11/Mate).
su'd to root
apt install'd aptitude, realmd, packagekit
(packagekit grabbed the needed dependencies, such as sssd and samba (at least parts of them, and maybe part of KRB5 (the keytab thing-y), and [mostly] configured them)
Ran "realm join MY.DOMAIN -U my_add-to-domain_user"
getent passwd domain_user successfully returns data on the domain user:
acutech@21260-debianvm:~$ getent passwd glerp@my.domain
glerp@my.domain:*:495633057:495600513:glerp:/home/glerp@my.domain:/bin/bash
....
But the domain user can't log in via ssh (a local user can ssh in).
techman@21260-debianvm:~$ ssh -l glerp@my.domain 21260-debianvm
glerp@my.domain@21260-debianvm's password:
Connection closed by 127.0.1.1 port 22
Here are a few relevant lines from /var/log/auth.log:
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=glerp@my.domain
Feb 21 17:04:54 21260-debianvm sshd[5284]: pam_sss(sshd:account): Access denied for user glerp@my.domain: 6 (Permission denied)
Feb 21 17:04:54 21260-debianvm sshd[5284]: Failed password for glerp@my.domain from 127.0.0.1 port 59998 ssh2
Feb 21 17:04:54 21260-debianvm sshd[5284]: fatal: Access denied for user glerp@my.domain by PAM account configuration [preauth]