Alexey, thank you for the effort thus far and the feedback, but I'd like to offer a few points.
- As referenced, these systems are ephemeral, so joining them to AD to use the AD provider isn't sustainable.
Out of curiosity: did you consider a pool of pre-enrolled hosts whose identity (host principal key) ephemeral systems could assume?
What is different is that these OS instances are Rocky 9.5 Linux containers deployed as stateless systems. So, given that, my question becomes: what is different? Is there something the daemon is missing in a stateless configuration?
Required domain information (SID/name) is cached. I bet if you "stop sssd; rm -rf /var/lib/sss/db/*; start sssd" on a "stateful" system you will face the same issue.
I'll test with the recommendations given and perhaps the results may provide additional breadcrumbs.
Keep in mind that those settings should be consistent over the entire fleet of client hosts. Otherwise you'll end up with a different ID for a given SID on different hosts.
Another workaround could be to forcefully trigger 'getent -s sss passwd name' at node startup.
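To make the fleet-consistency point concrete, here is an added illustration (my own example, not code from this thread, from Alexey, or from SSSD) of how SSSD's algorithmic SID-to-UID mapping depends on the ldap_idmap_range_min / ldap_idmap_range_max / ldap_idmap_range_size options, and why a single host with drifted values ends up assigning a different UID to the same SID. It follows the scheme described in sssd-ldap(5): the domain part of the SID is hashed with MurmurHash3, the hash picks a slice of range_size IDs inside the configured range, and the RID is the offset within that slice. The hash seed (0xdeadbeef), the handling of slice collisions, and secondary slices for large RIDs are assumptions made here for illustration and are not modelled faithfully; the SID and host names are constructed samples.

```python
"""Simplified model of SSSD algorithmic ID mapping (ldap_id_mapping = True).

Added illustration, not SSSD's code. Seed value and collision handling are
assumptions; secondary slices (RID >= range_size) are not modelled.
"""
from __future__ import annotations
from dataclasses import dataclass, fields

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_32(data: bytes, seed: int) -> int:
    """Standard MurmurHash3 x86_32; used to pick the slice for a domain SID."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = _rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = _rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


@dataclass(frozen=True)
class IdmapConfig:
    """The sssd.conf options that must be identical on every host of the fleet.
    Defaults are the documented sssd-ldap(5) defaults."""
    ldap_idmap_range_min: int = 200000
    ldap_idmap_range_max: int = 2000200000
    ldap_idmap_range_size: int = 200000


def split_sid(sid: str) -> tuple[str, int]:
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def domain_slice(domain_sid: str, cfg: IdmapConfig) -> int:
    """Slice index chosen for a domain; 0xDEADBEEF seed is an assumption."""
    max_slices = (cfg.ldap_idmap_range_max - cfg.ldap_idmap_range_min) // cfg.ldap_idmap_range_size
    return murmurhash3_32(domain_sid.encode(), 0xDEADBEEF) % max_slices


def sid_to_uid(sid: str, cfg: IdmapConfig) -> int:
    """UID = range_min + slice * range_size + RID (primary slice only)."""
    domain_sid, rid = split_sid(sid)
    if rid >= cfg.ldap_idmap_range_size:
        raise ValueError("RID outside the primary slice; secondary slices not modelled")
    return cfg.ldap_idmap_range_min + domain_slice(domain_sid, cfg) * cfg.ldap_idmap_range_size + rid


def fleet_uids(sid: str, hosts: dict[str, IdmapConfig]) -> dict[str, int]:
    """What each host would resolve the SID to, given its own sssd.conf."""
    return {host: sid_to_uid(sid, cfg) for host, cfg in hosts.items()}


def config_drift(hosts: dict[str, IdmapConfig]) -> dict[str, set[int]]:
    """Idmap options whose values differ between hosts (empty dict = consistent)."""
    drift: dict[str, set[int]] = {}
    for f in fields(IdmapConfig):
        values = {getattr(cfg, f.name) for cfg in hosts.values()}
        if len(values) > 1:
            drift[f.name] = values
    return drift


if __name__ == "__main__":
    # Constructed sample SID and a three-node fleet where node-c has drifted.
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    hosts = {
        "node-a": IdmapConfig(),
        "node-b": IdmapConfig(),
        "node-c": IdmapConfig(ldap_idmap_range_size=100000),
    }
    for host, uid in fleet_uids(sid, hosts).items():
        print(f"{host}: {sid} -> uid {uid}")
    print("drifted options:", config_drift(hosts) or "none")
```

The practical check is the last function: render the sssd.conf you bake into the container image, feed the idmap options of every node into config_drift(), and treat any non-empty result as a blocker, since a UID that differs per node turns file ownership and sudo/ACL decisions into a per-host accident.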