Bug 1410054 - Tracker bug -- 7.3.2 respin of sssd-docker
Summary: Tracker bug -- 7.3.2 respin of sssd-docker
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd-container
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-04 11:03 UTC by Lukas Slebodnik
Modified: 2017-01-17 23:54 UTC
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-17 23:54:03 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0145 0 normal SHIPPED_LIVE Red Hat Enterprise Linux Atomic SSSD Container Image Update 2017-01-24 17:15:38 UTC

Description Lukas Slebodnik 2017-01-04 11:03:14 UTC
Tracking rebuild of sssd-docker.

Comment 2 Niranjan Mallapadi Raghavender 2017-01-17 06:40:56 UTC
Version:

-bash-4.2$ atomic host status
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.2 (2017-01-13 22:00:41)
        Commit: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb
        OSName: rhel-atomic-host


Docker images:

[root@atomic-00 ~]# atomic images list
   REPOSITORY                         TAG                                               IMAGE ID       CREATED            VIRTUAL SIZE   TYPE      
   sssd-enabled                       latest                                            1b1c0ea58e21   2017-01-17 06:08   208.79 MB      docker    
*  <none>                             <none>                                            3973bae74d48   2017-01-17 05:50   195.4 MB       docker    
   lslebodn/sssd-docker               extras-rhel-7.3-docker-candidate-20170116051835   d534ba69e6ef   2017-01-16 10:33   357.42 MB      docker    
   registry.access.redhat.com/rhel7   latest                                            e8e3aaf82af5   2016-11-30 22:16   192.53 MB      docker   

sssd-docker version:


[root@atomic-00 ~]# atomic images info rhel7/sssd
Image Name: registry.access.redhat.com/rhel7/sssd:latest
BZComponent: sssd-docker
Name: rhel7/sssd
Release: 13
Version: 7.3
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-01-16T05:24:20.922961
com.redhat.build-host: ip-10-29-120-149.ec2.internal
com.redhat.component: sssd-docker
description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
distribution-scope: public
install: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/install.sh
io.k8s.description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
io.k8s.display-name: System Security Services Daemon (SSSD)
io.k8s.openshift.tags: security sssd authentication authorisation LDAP kerberos krb5 Active Directory IdM
io.openshift.tags: base rhel7
name: rhel7/sssd
release: 13
run: docker run -d --restart=always --privileged --net=host --name ${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE}    -v /etc/ipa/:/etc/ipa/:ro       -v /etc/krb5.conf:/etc/krb5.conf:ro     -v /etc/krb5.conf.d/:/etc/krb5.conf.d/  -v /etc/krb5.keytab:/etc/krb5.keytab:ro       -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro     -v /etc/openldap/:/etc/openldap/:ro     -v /etc/pam.d/:/etc/pam.d/:ro   -v /etc/passwd:/etc/passwd.host:ro      -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro   -v /etc/ssh/:/etc/ssh/:ro     -v /etc/sssd/:/etc/sssd/:ro     -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro     -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro       -v /etc/sysconfig/network:/etc/sysconfig/network:ro   -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro   -v /etc/yp.conf:/etc/yp.conf:ro         -v /var/cache/realmd/:/var/cache/realmd/        -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro       -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro         -v /var/lib/samba/:/var/lib/samba/      -v /var/lib/sss/:/var/lib/sss/  -v /var/log/sssd/:/var/log/sssd/        -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket   ${IMAGE} /bin/run.sh
stop: docker kill -s TERM ${NAME}
summary: System Security Services Daemon (SSSD) provides centralized user authentication for Atomic Host.
uninstall: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/uninstall.sh
vcs-ref: 7a04c34a349e5176745bb048dc047395e820b681
vcs-type: git
vendor: Red Hat, Inc.
version: 7.3


The following test cases were run and passed.


Test Result	Test Case	Defect	Duration	Executed by	Executed
Passed	[Revision: 1452154] RHEL7-58014 - IDM-SSSD-TC: SSSD-Container: Permit specific ad user login to Atomic host		0.000 s	Mallapadi Niranjan (mniranja)	2017-01-17 01:29
Passed	[Revision: 1452166] RHEL7-58015 - IDM-SSSD-TC: SSSD-Container: verify AD user can sudo on atomc host with sudo provider as AD		1.760 s	Mallapadi Niranjan (mniranja)	2017-01-17 01:31
Passed	[Revision: 1452135] RHEL7-58012 - IDM-SSSD-TC: SSSD-Container: Disjoin Atomic host from AD Domain using realm leave Cli		0.759 s	Mallapadi Niranjan (mniranja)	2017-01-17 01:25
Passed	[Revision: 1452138] RHEL7-58013 - IDM-SSSD-TC: SSSD-Container: Verify uninstall container leaves domain		18.213 s	Mallapadi Niranjan (mniranja)	2017-01-17 01:26
Passed	[Revision: 1451844] RHEL7-58007 - IDM-SSSD-TC: SSSD-Container: Realm join with membership software samba		16.984 s	Mallapadi Niranjan (mniranja)	2017-01-17 00:16
Passed	[Revision: 1451848] RHEL7-58008 - IDM-SSSD-TC: SSSD-Container: Verify sssd selinux label		53.844 s	Mallapadi Niranjan (mniranja)	2017-01-17 00:18
Passed	[Revision: 1451840] RHEL7-58006 - IDM-SSSD-TC: SSSD-Container : Discover Windows Domain on atomic host using realm cli		34.786 s	Mallapadi Niranjan (mniranja)	2017-01-17 00:14
Passed	[Revision: 1451850] RHEL7-58009 - IDM-SSSD-TC: SSSD-Container: Query AD users using ID command		7.720 s	Mallapadi Niranjan (mniranja)	2017-01-17 00:18
Passed	[Revision: 1452099] RHEL7-58010 - IDM-SSSD-TC: SSSD-Container: Query AD user using id command from new container		0.000 s	Mallapadi Niranjan (mniranja)	2017-01-17 01:19
Passed	[Revision: 1452122] RHEL7-58011 - IDM-SSSD-TC: SSSD-Container: Join AD Domain using adcli as membership-software		35.829 s	Mallapadi Niranjan (mniranja)	2017-01-17 01:23

Comment 4 Nikhil Dehadrai 2017-01-17 10:55:04 UTC
IPA-server-Version:  ipa-server-4.4.0-14.el7_3.4.x86_64
IPA-client version:  ipa-client-4.4.0-14.el7_3.4.x86_64
Atomic host status:
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.2 (2017-01-13 22:00:41)
        Commit: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb
        OSName: rhel-atomic-host

SETUP:
==================
-bash-4.2# systemctl stop sssd
-bash-4.2# cat /etc/resolv.conf
nameserver 10.16.96.37

INSTALL:
=================
-bash-4.2# atomic install sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=sssd -e HOST=/host sssd /bin/install.sh
Initializing configuration context from host ...
Client hostname: clientdocker.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: auto-hv-01-guest09.testrelm.test
BaseDN: dc=testrelm,dc=test
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Mon Jan 16 15:10:17 2017 UTC
    Valid Until: Fri Jan 16 15:10:17 2037 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://auto-hv-01-guest09.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/json'
trying https://auto-hv-01-guest09.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Hostname (clientdocker.testrelm.test) does not have A/AAAA record.
Incorrect reverse record(s):
10.76.33.239 is pointing to dhcp200-239.lab.eng.pnq.redhat.com. instead of clientdocker.testrelm.test.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://auto-hv-01-guest09.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.

Copying new configuration to host ...
Full path required for exclude: net:[4026531956].
Service sssd.service configured to run SSSD container.
-bash-4.2# docker exec -i sssd kinit admin
Error response from daemon: No such container: sssd
-bash-4.2# systemctl start sssd
-bash-4.2# systemctl sssd status
Unknown operation 'sssd'.
-bash-4.2# systemctl status sssd
● sssd.service - System Security Services Daemon in container
   Loaded: loaded (/etc/systemd/system/sssd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (exited) since Tue 2017-01-17 02:37:05 EST; 17s ago
  Process: 14123 ExecStart=/usr/bin/atomic run --name=sssd sssd (code=exited, status=0/SUCCESS)
 Main PID: 14123 (code=exited, status=0/SUCCESS)

Jan 17 02:37:03 clientdocker.testrelm.test systemd[1]: Starting System Security Services Daemon in container...
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: docker run -d --restart=always --privileged --net=host...enld
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: This container uses privileged security switches:
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: INFO: --net=host
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: Processes in this container can listen to ports (and p...ork.
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: INFO: --privileged
Jan 17 02:37:04 clientdocker.testrelm.test atomic[14123]: This container runs without separation and should be c...tem.
Jan 17 02:37:05 clientdocker.testrelm.test atomic[14123]: e69230b92c702b1d794943d65fe8a31a69a78b500911e676b8fb17...0a6d
Jan 17 02:37:05 clientdocker.testrelm.test atomic[14123]: For more information on these switches and their secur...un'.
Jan 17 02:37:05 clientdocker.testrelm.test systemd[1]: Started System Security Services Daemon in container.
Hint: Some lines were ellipsized, use -l to show in full.
-bash-4.2# docker exec -i sssd kinit admin
Password for admin: Secret123

KLIST:
==============
-bash-4.2# docker exec -i sssd klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting     Expires            Service principal
01/17/17 07:37:35  01/18/17 07:37:32  krbtgt/TESTRELM.TEST
-bash-4.2# docker exec -i sssd kdestroy
-bash-4.2# docker exec -i sssd klist
klist: Credentials cache keyring 'persistent:0:0' not found
-bash-4.2# docker exec -i sssd kinit admin
Password for admin: Secret123

-bash-4.2# docker exec -i sssd klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting     Expires            Service principal
01/17/17 07:37:58  01/18/17 07:37:55  krbtgt/TESTRELM.TEST

CLIENT VERSION:
====================
-bash-4.2# docker exec -i sssd rpm -q ipa-client
ipa-client-4.4.0-14.el7_3.4.x86_64

SSH:
=====================
-bash-4.2# ssh -o GSSAPIAuthentication=yes admin@`hostname` whoami
Could not chdir to home directory /home/admin: No such file or directory
admin

UNINSTALL:
=====================
-bash-4.2# atomic uninstall sssd
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=sssd -e HOST=/host sssd /bin/uninstall.sh
Initializing configuration context from host ...
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
Copying new configuration to host ...
Removing /etc/ipa/nssdb/pwdfile.txt
Removing /etc/ipa/nssdb/secmod.db
Removing /etc/ipa/nssdb/cert8.db
Removing /etc/ipa/nssdb/key3.db
Removing /etc/ipa/ca.crt
Removing /etc/ipa/default.conf
Removing /etc/sssd/systemctl-lite-enabled/sssd.service
Removing /etc/sssd/systemctl-lite-enabled/rhel-domainname.service
Removing /etc/sssd/sssd.conf
Removing /var/lib/ipa-client/sysrestore/69364e48e709ca3b-nsswitch.conf
Removing /var/lib/ipa-client/sysrestore/sysrestore.index
Removing /var/lib/ipa-client/sysrestore/e251fbeffe9583a3-krb5.conf
Removing /var/lib/ipa-client/sysrestore/sysrestore.state
Removing /var/lib/ipa-client/sysrestore/6f17853412338ede-ldap.conf
Removing /var/lib/ipa-client/sysrestore/14d10dd149b4ace6-ssh_config
Removing /var/lib/ipa-client/sysrestore/f1bb0822e96d0e7f-sshd_config
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test.123
Removing /var/lib/sss/pipes/private/sbus-monitor
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test.13
Removing /var/lib/sss/pipes/private/sbus-dp_testrelm.test
Removing /var/lib/sss/pipes/private/pam
Removing /var/lib/sss/mc/passwd
Removing /var/lib/sss/mc/group
Removing /var/lib/sss/db/cache_testrelm.test.ldb
Removing /var/lib/sss/db/ccache_TESTRELM.TEST
docker rmi sssd
Untagged: sssd:latest
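
The `atomic run` output above warns that the sssd container starts with `--privileged` and `--net=host` and bind-mounts a long list of host paths. The helper below is an added audit aid, not part of this bug, the sssd-docker image or the atomic tool: it parses an image's `run:` label (the constructed sample is an excerpt of the label shown in Comment 2) and reports the privileged switches and every host path mounted without `:ro`, which is what an operator reviewing such an image should check before enabling it.

```shell
#!/bin/sh
# Audit helper for atomic/docker "run:" labels (added example, not project code).
# SAMPLE_RUN_LABEL is a constructed excerpt of the sssd image label from Comment 2.
SAMPLE_RUN_LABEL='docker run -d --restart=always --privileged --net=host --name ${NAME} -v /etc/sssd/:/etc/sssd/:ro -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket ${IMAGE} /bin/run.sh'

# Print each switch that removes isolation from the host, one per line, in label order.
privileged_switches() {
    printf '%s\n' "$1" | tr -s ' ' '\n' \
        | grep -E '^(--privileged|--net=host|--pid=host|--ipc=host)$'
}

# Print the host side of every -v mount that lacks the :ro suffix, i.e. paths the
# container can write to on the host.
writable_mounts() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | awk '
        prev == "-v" { n = split($0, p, ":"); if (p[n] != "ro") print p[1] }
        { prev = $0 }'
}

# Human-readable report; always returns 0 so it can be used in pipelines.
audit_run_label() {
    sw=$(privileged_switches "$1")
    wm=$(writable_mounts "$1")
    if [ -n "$sw" ]; then printf 'privileged switches:\n%s\n' "$sw"; fi
    if [ -n "$wm" ]; then printf 'writable host mounts:\n%s\n' "$wm"; fi
    return 0
}

# On a real host the label comes from: atomic images info <image> | sed -n 's/^run: //p'
audit_run_label "$SAMPLE_RUN_LABEL"
```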

Comment 5 Nikhil Dehadrai 2017-01-17 11:31:45 UTC
AD users can be found on an IPA client configured using the sssd-container image (two-way trust setup):
==========================================================

-bash-4.2# docker exec -i sssd id idviewuser1
uid=577602341(idviewuser1) gid=577602341(idviewuser1) groups=577602341(idviewuser1),577600513(domain users),577602566(adgroup1)

Comment 6 Nikhil Dehadrai 2017-01-17 11:32:37 UTC
Verified the bug on the basis of observations in Comment#2, Comment#4 and Comment#5, thus changing the status of bug to "VERIFIED".

Comment 8 errata-xmlrpc 2017-01-17 23:54:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0145

