Several things.    Some backgroun -- in our company, we have thousands of OL8.x and hundreds of RHEL 8.x Linux servers directly AD integrated to our corp AD domain.

I compared our sssd.conf with yours.  I think you want to add the 'ifp' service for *L8.  It's the infopipe service.  Used by support utilities such as sssctl domain-list, etc.

I thought you had to have a sssd.conf stanza for each service you enable.  For instance, we have this:

[nss]
debug_level = 0x0100
#debug_level = 9
filter_groups = root
filter_users = root

[pam]
pam_verbosity = 3
#debug_level = 9
offline_credentials_expiration = 3

[ifp]

Because we have 

[sssd]

...

services = nss,pam,ifp

From your ldap_child.log, it looks like your SASL bind and then the LDAP query is working.  Which is surprising to me.  We set up

ldap_sasl_authid = host/<fqdn>@<ad domain>

in our sssd.conf file.  But I'm guessing if that's not explicitly set, it uses HOSTNAME$@REALM.  At least that's what it appears from your ldap_child.log. It appears to use:  TEST0003$@ourlab.se

Several things to try to narrow down where the failure is occuring.  

1. try 'kinit -k'  on the command line.   That uses the first entry in /etc/krb5.keytab file to attempt to authenticate as this machine account.  It's not a perfect test, since it's acquiring a TGT ticket instead of a service ticket.

2. If that succeeds, try kvno -S host TEST0003

     That should report the KVNO of your machine account credentials, as stored in AD.  This is a better test, as you're acquiring a service ticket here.  (Like sssd does).

3. Try 'adcli testjoin -D ourlab.se -v'.  This tests the sssd connectivity, similar to how sssd does it.

if all that works, your problem is not with LDAP or your SASL binding.  So then,

4. try 'getent passwd aron.kelemen@ourlab.se'.  That should return the entry for this user.  If this fails, possibly your /etc/nsswitch.conf file isn't set up right or maybe your attribute mapping in AD isn't agreeing with your sssd.conf setting.  (We use the MS-supported RFC2307bis AD schema extension)..

5. If that's good, then probably the problem is something in your PAM stack.  Specifically, the auth phase.   In our /etc/pam.d/sshd file, we have:

#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin

...

and in password-auth, we have:

auth        required                                     pam_env.so
# OL7/8 version. Per I/T's stated policy for service & process accounts, lock-out time = 30 mins
auth        required                                     pam_faillock.so preauth silent deny=5 unlock_time=1800
auth        sufficient                                   pam_sss.so forward_pass
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        required                                     pam_faillock.so authfail deny=5 unlock_time=1800
auth        required                                     pam_deny.so

Spike