-----Original Message-----
So far it looks like a bug in SSSD. Are you using ID mapping (ldap_id_mapping either set to True or left unset)?
# cat /etc/sssd/sssd.conf
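# Global SSSD settings, restored to one option per line: the section header
# and its keys had been run together on a single line.
# SSSD expects this file to be owned by root and not readable by other users.
[sssd]
# Each domain listed here needs a matching [domain/NAME] section.
domains = MYDOMAIN.COM
config_file_version = 2
# Responders to start: name-service lookups and PAM authentication.
services = nss, pam
# Names given without a domain component are looked up in this domain.
# NOTE(review): sssd.conf(5) describes how this option interacts with
# use_fully_qualified_names; confirm the behaviour for the installed version.
default_domain_suffix = MYDOMAIN.COM
# Verbose troubleshooting level. The resulting logs can expose account and
# group details, so restrict access to them and lower this after diagnosis.
debug_level = 7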
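# PAM responder settings, restored to one option per line.
[pam]
# Verbose troubleshooting level for the PAM responder; lower it again once the
# problem has been diagnosed.
debug_level = 7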
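# Active Directory domain settings, restored to one option per line. On a
# single line, everything after the '#' below would be read as a comment,
# dropping the home-directory and access-control options that follow it.
[domain/MYDOMAIN.COM]
ad_domain = MYDOMAIN.COM
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
# Keeps a hash of the user's password in the local cache so logins still work
# while the domain controllers are unreachable.
cache_credentials = True
id_provider = ad
# While offline, the password is held in the kernel keyring in plaintext until
# a TGT can be requested; weigh this against the need for offline ticket renewal.
krb5_store_password_if_offline = True
default_shell = /bin/bash
# UIDs and GIDs are derived from the AD SID rather than read from POSIX
# attributes stored in the directory.
ldap_id_mapping = True
# Disabled in the posted configuration:
# use_fully_qualified_names = True
# %u expands to the login name. NOTE(review): override_homedir presumably takes
# precedence, leaving fallback_homedir without effect while both are set.
fallback_homedir = /home/AD/%u
override_homedir = /home/AD/%u
# Only members of the listed groups may log in; every other user is denied.
# NOTE(review): confirm the group name resolves as intended when names are
# qualified with the domain suffix.
access_provider = simple
simple_allow_groups = ITAD
# Verbose troubleshooting level; lower it again after diagnosis.
debug_level = 7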