I was able to remove this by overwriting the attribute:
"ipa user-mod --setattr krblastadminunlock= waynev"

grant@ef-idm01:~[20221123-7:50][#1022]$ ipa user-show --all --raw waynev | grep -i krblastadminunlock
grant@ef-idm01:~[20221123-7:51][#1023]$

I’ll have the user test and we’ll see if this resolves the 'no ssh login to IPA servers' issue for this user.
If it’s a no, I will change his password.

thanx

- grant