#4174 id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication
Closed: Fixed 4 years ago by pbrezina. Opened 4 years ago by pbrezina.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1815584

Description of problem:

The sssd.conf(5) says:

       pwfield (string)
           The value that NSS operations that return users or groups will
           return for the “password” field.

           This option can also be set per-domain.

           Default: “*” (remote domains) or “x” (the files domain)

However, for users returned via proxy files id_provider, * is returned. That in
turn breaks PAM authentication.

Version-Release number of selected component (if applicable):

sssd-2.2.3-20.el8.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have system without SSSD configured and started.
2. Set password for user test: passwd test
3. Test that PAM authentication of user test works:
   echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate
   If you don't like to use pamtester from EPEL, just use ssh test@localhost.
4. getent passwd test, check that the output is
   test:x:1000:1000::/home/test:/bin/bash
5. Configure SSSD, create /etc/sssd/sssd.conf with:

[sssd]
 domains = PROXY_PROXY
 services = nss

[domain/PROXY_PROXY]
 id_provider = proxy
 proxy_lib_name = files
 proxy_pam_target = sssd-shadowutils

6. chmod 600 /etc/sssd/sssd.conf or SSSD refuses to start.
7. systemctl restart sssd
8. getent passwd test
9. echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate

Actual results:

test:*:1000:1000::/home/test:/bin/bash

Password: pamtester: Authentication failure

Expected results:

test:x:1000:1000::/home/test:/bin/bash

Password: pamtester: successfully authenticated

Additional info:

It is possible to force the expected behaviour by adding the line

 pwfield = x

to the [domain/...] section. But SSSD should obey what it says in the man page,
and it should not as easily break PAM authentication of unrelated services.
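
A configuration check for the condition this ticket describes, as an added example that is not part of the original report or of SSSD's code: it lists proxy domains using proxy_lib_name = files that do not set pwfield = x and so depend on the build's default. The function names are hypothetical, and it assumes an [nss]-level pwfield applies when the domain sets none.

```python
"""Flag SSSD proxy/files domains that rely on the default pwfield."""
import sys

def parse_sssd_conf(text):
    """Minimal INI reader: {section: {key: value}}; tolerates indented keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def proxy_files_domains_without_x(text):
    """Return (domain, effective pwfield) for proxy/files domains not set to 'x'.

    None means no explicit pwfield, so the build's default decides.
    """
    conf = parse_sssd_conf(text)
    # Assumption: an [nss]-level pwfield applies when the domain sets none.
    nss_pwfield = conf.get("nss", {}).get("pwfield")
    flagged = []
    for name, opts in conf.items():
        if not name.startswith("domain/"):
            continue
        if (opts.get("id_provider"), opts.get("proxy_lib_name")) != ("proxy", "files"):
            continue
        effective = opts.get("pwfield", nss_pwfield)
        if effective != "x":
            flagged.append((name[len("domain/"):], effective))
    return flagged

# Configuration from the report's step 5, and the same with the workaround line.
REPORTED = """[sssd]
 domains = PROXY_PROXY
 services = nss

[domain/PROXY_PROXY]
 id_provider = proxy
 proxy_lib_name = files
 proxy_pam_target = sssd-shadowutils
"""
WORKAROUND = REPORTED + " pwfield = x\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else REPORTED
    for domain, value in proxy_files_domains_without_x(text):
        print(f"{domain}: pwfield={value!r}; add 'pwfield = x' to [domain/{domain}]")
```

Run it with the path to sssd.conf as the only argument; with no argument it checks the configuration from the report.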

Metadata Update from @pbrezina:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1815584

4 years ago

Metadata Update from @pbrezina:
- Issue assigned to pbrezina

4 years ago
  • master
    • ae5a2cd - proxy: set pwfield to x for files library

Metadata Update from @pbrezina:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/5129

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
