And it's done!
All I had to do was to fix my common-account to bypass pam_unix if pam_sss was successful.
In my case pam_sss was already in there, only further down the stack. Just had to move it
up and adapt the return behavior. This is my final common-account:
# moved to here
# success=2 jumps over pam_unix and pam_deny straight to pam_permit; any other result is ignored
account [success=2 default=ignore] pam_sss.so
# success=1 jumps over pam_deny; new_authtok_reqd ends the stack with that status
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# reached only when neither pam_sss nor pam_unix succeeded
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
# was here
# account [default=bad success=ok user_unknown=ignore] pam_sss.so
I hope this helps someone. But beware: a proper solution like LDAP+Kerberos IS the right
way to go.
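To check what the posted stack decides for each combination of module results, here is an added example that is not from the original post: a small Python model of Linux-PAM's control-field dispatch (assumed to follow pam.conf(5) semantics closely enough for this stack; the string return codes are stand-ins for the real PAM constants) run over the common-account above.

```python
import re
# Added example, not from the original post: a simplified model of Linux-PAM's
# control-field dispatch (pam.conf(5) semantics), run over the posted account stack.
SUCCESS, NEW_AUTHTOK_REQD, USER_UNKNOWN = "success", "new_authtok_reqd", "user_unknown"
ACCT_EXPIRED, PERM_DENIED = "acct_expired", "perm_denied"
KEYWORDS = {  # keyword controls as the [value=action] tables they stand for
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}
BUILTIN = {"pam_permit.so": SUCCESS, "pam_deny.so": PERM_DENIED}  # fixed-result modules
LINE = re.compile(r"^account\s+(?:\[([^\]]*)\]|(\w+))\s+(\S+)")
def parse_stack(text):
    """Turn 'account <control> <module>' lines into (control-dict, module) pairs."""
    stack = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        bracket, keyword, module = m.groups()
        control = KEYWORDS[keyword] if keyword else dict(i.split("=", 1) for i in bracket.split())
        stack.append((control, module))
    return stack

def run_stack(stack, results):
    impression, status, skip = None, None, 0
    for control, module in stack:
        if skip:  # this module is skipped by an earlier success=N jump
            skip -= 1
            continue
        retval = BUILTIN.get(module, results.get(module, USER_UNKNOWN))  # real results come from caller
        action = control.get(retval, control["default"])
        if action in ("bad", "die"):
            if impression != "negative":  # the first failure fixes the final status
                impression, status = "negative", retval
            if action == "die":
                break
        elif action != "ignore":  # ok, done or a jump count: record unless something already failed
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
            if action.isdigit():  # success=N: skip the next N modules
                skip = int(action)
    return status if impression else PERM_DENIED

STACK = parse_stack("""
account [success=2 default=ignore] pam_sss.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
""")
```

Because pam_sss now carries default=ignore instead of the original default=bad, a pam_sss failure such as an expired domain account no longer denies on its own; an account that also exists in /etc/passwd is decided by pam_unix.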