-----Original Message-----
So far it looks like a bug in SSSD. Are you using ID mapping?
(ldap_id_mapping either True or unset).
# cat /etc/sssd/sssd.conf
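# /etc/sssd/sssd.conf as posted to the thread; MYDOMAIN.COM is the poster's
# placeholder for the AD domain. Values and the domain section header that had
# been wrapped onto separate lines are rejoined so each setting is one
# "key = value" line.
# SSSD expects this file to be readable by its owner only (root, mode 0600).

[sssd]
domains = MYDOMAIN.COM
config_file_version = 2
services = nss, pam
# Names given without a domain part are looked up in this domain.
default_domain_suffix = MYDOMAIN.COM
# Verbose tracing for troubleshooting; the logs can include user and group
# details, so lower this again once the problem is diagnosed.
debug_level = 7

[pam]
debug_level = 7

[domain/MYDOMAIN.COM]
ad_domain = MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
# Keeps a salted hash of each user's password in the local cache so logins
# still work while the domain controllers are unreachable.
cache_credentials = True
id_provider = ad
# While offline, the password is held in the kernel keyring in plaintext until
# a TGT can be requested; enable only if offline ticket renewal is needed.
krb5_store_password_if_offline = True
default_shell = /bin/bash
# UIDs/GIDs are derived algorithmically from the AD SID rather than read from
# POSIX attributes in the directory (the setting asked about in the thread).
ldap_id_mapping = True
# Left disabled by the poster. NOTE(review): default_domain_suffix above may
# already change the effective default for this option - confirm in
# sssd.conf(5) for the installed version.
# use_fully_qualified_names = True
# override_homedir applies to every user, so fallback_homedir presumably never
# takes effect while both are set - TODO confirm which one is intended.
fallback_homedir = /home/AD/%u
override_homedir = /home/AD/%u
# Login is limited to members of the ITAD group.
# NOTE(review): the simple provider only checks this allow list; AD account
# expiry is evaluated by access_provider = ad, which matters for logins that do
# not involve a password (e.g. SSH keys) - verify this meets policy.
access_provider = simple
simple_allow_groups = ITAD
debug_level = 7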