diff --git a/system_setup/sync_client_software.sh b/system_setup/sync_client_software.sh index 7a44ed1..098c2df 100755 --- a/system_setup/sync_client_software.sh +++ b/system_setup/sync_client_software.sh @@ -10,6 +10,16 @@ if [ "$EUID" -ne 0 ]; then echo "Press any key to continue" && read -n 1 -s -r && exit 1 fi +# Ensure krb5_validate = False in sssd.conf to restore offline auth +# (SSSD >= 2.10.1 skips the CAP_DAC_READ_SEARCH raise in offline mode, so validate_tgt +# fails with EACCES before the cached-credential fallback is reached) +_SSSD_CONF="/etc/sssd/sssd.conf" +if [ -f "${_SSSD_CONF}" ] && ! grep -q "^krb5_validate" "${_SSSD_CONF}"; then + echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication" + sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}" + systemctl restart sssd +fi + #Check Token if [ "${DAVTOKEN_USER}." == "." ]; then echo "Error: Script cannot be executed standalone, must be run with a matching sudo rule and needs a prereserved environment from logon-script."
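Review bot: The `sed` address in the added block interpolates `${DOMAIN}`, but the block runs before the `#Check Token` environment check, and nothing in the hunk shows that `DOMAIN` is set at that point. If it is empty or matches no section header, `sed` inserts nothing, yet the script still prints the "Patching" message and restarts sssd, and it repeats this on every run. Guard on a non-empty `DOMAIN`, confirm the line was written before restarting, and let the `grep` tolerate leading whitespace so an indented existing setting is not missed. Separately, `krb5_validate = False` turns off TGT validation against the host keytab for online logins as well, not only offline ones, so the comment should state that trade-off and when to revert it. The script continues outside the hunk, so where `DOMAIN` is assigned relative to this block needs checking there.

```shell
# … unchanged: explanatory comment and _SSSD_CONF assignment …
if [ -n "${DOMAIN}" ] && [ -f "${_SSSD_CONF}" ] \
    && ! grep -Eq '^[[:space:]]*krb5_validate[[:space:]]*=' "${_SSSD_CONF}"; then
    # NOTE: with krb5_validate = False SSSD no longer verifies the TGT against
    # the host keytab, for online logins too. Revert once the SSSD fix is deployed.
    sed -i "/^\[domain\/${DOMAIN}\]/a krb5_validate = False" "${_SSSD_CONF}"
    if grep -q '^krb5_validate = False' "${_SSSD_CONF}"; then
        echo "Patching sssd.conf: adding 'krb5_validate = False' to restore offline authentication"
        systemctl restart sssd
    else
        echo "Warning: no [domain/${DOMAIN}] section in ${_SSSD_CONF}; krb5_validate not set" >&2
    fi
fi
```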