[Freeipa-users] FreeIPA Client <--> AD / Kerberos

In which scenarios do I need IPA clients to be able to connect to Windows AD DCs directly (Kerberos 44/464 TCP/UDP)? I thought it was needed for passwordless logins because https://access.redhat.com/webassets/avalon/d/Red_Hat_Enterprise_Linux-8-I... says Kerberos. Jakubs blog post https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg... says "For password-based authentication requests, the IPA clients connect directly to the AD servers using Kerberos." Will I lose the ability to log in password-based if these ports are blocked by the firewall? Cheers, Ronald