-----Original Message-----
I got another idea which could help you. By default we use tokengroups for obtaining group membership; it is faster. But it caused some problems in your case, so you can try to disable this feature.
Try to put "ldap_use_tokengroups = false" into the domain section of sssd.conf. It is a workaround which can help; nevertheless, we want to fix your initial bug.
BUM! It works!
Nevertheless, if I can help to fix the bug, tell me how to test the RPM with extra debug messages under RHEL 7.1.
Thanks again --