There are several issues with SIGTERM handling in the data_provider_be code:

(1) https://github.com/SSSD/sssd/pull/821 has left krb5_finalize() defined but not used.

(2) I see no reason to have be_process_finalize() at all: default server handler default_quit() frees main_ctx. And be_ctx is linked to main_ctx so will be freed by default handler as well (please, correct me if I am wrong).

(3) Moreover, it is just wrong to install two libtevent SIGTERM handlers both of which do orderly_shutdown()->exit(). Naturally only one of handlers will be executed (as process will be terminated with exit()) and libtevent docs doesn't say anything about order of execution. But chances are, be_process_finalize() is executed first (and exits) so default_quit() is not executed, main_ctx is not freed (and destructors are not executed)

So, my proposals are:
1) to get rid of krb5_finalize(), be_process_finalize() and be_process_install_sigterm_handler() completely.
2) to improve debug messages in default_quit()/orderly_shutdown() -- I do not understand why message is logged only to journal (sss_log) and only if status == 0. That makes reading of *.log difficult.