#8088 IPA Client unable to authenticate AD users
Closed: invalid 4 years ago by mpreissner. Opened 4 years ago by mpreissner.

Issue

My IPA clients are unable to perform public key/certificate based authentication of Active Directory users. The AD users are in the Default Trust View, where their PIV certificate is populated. Everything worked fine last week after I upgraded to CentOS 7.7 and sssd 1.16.4.21. The issue only appeared after a user's PIV certificate was updated (which was subsequently uploaded into the Default Trust View replacing their previous certificate). AD users ARE able to authenticate via certificate/PIV card to the IPA Servers; I can also kinit as an AD user from an IPA client, however the "id <ad_user>" command produces a "no such user" message (correctly resolves the AD user on the IPA servers, though).

Steps to Reproduce

  1. IPA Server setup in one-way trust with AD on Server 2016
  2. AD user PIV certificate uploaded via IPA self-service page to Default Trust View
  3. (from macOS client not joined to the AD) >> ssh -I /usr/local/lib/opensc-pkcs11.so <ad_user>@ipa-client.ipa.ad.domain

Actual behavior

AD user cannot login to IPA client via ssh.

Expected behavior

AD user successfully establishes an ssh login to the IPA client.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
On Client:
ipa-client-4.6.5-11.el7.centos.x86_64

On Server:
ipa-server-4.6.5-11.el7.centos.x86_64
ipa-client-4.6.5-11.el7.centos.x86_64
389-ds-base-1.3.9.1-10.el7.x86_64
pki-ca-10.5.16-3.el7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64

Additional info:

I have a feeling that the issue is somewhere in SSSD, but I'm raising the issue here in case I'm wrong. Testing has shown that the sss_ssh_authorizedkeys function (when run on IPA clients) CAN identify IPA users that have keys or certificates associated with their account, but fails to match any users identified in the AD trust. The same function works correctly and identifies the AD users when run on the IPA servers.


Hi,

this is most probably a SSSD issue.

It looks like SSSD on the client cannot resolve the user from the trusted AD domain. Since the IPA clients will ask the IPA server for this data it would be first good to know how the id <aduser> output looks on the server.

Next would be to increase the debug_level in sssd.conf on the client to find out at which step it fails.

I think it would be easier if you can open a new ticket on https://pagure.io/SSSD/sssd/new_issue and close this one here.

bye,
Sumit
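
One way to carry out the debugging step Sumit suggests on the IPA client, as an added example that is not code from this ticket or from the SSSD/FreeIPA projects: a small Python helper that raises debug_level in the sssd.conf sections involved in looking up a trusted AD user (the domain, nss, ssh and pam sections). The section names are real SSSD sections; the domain and server names in the sample config are constructed placeholders.

```python
"""Raise debug_level in the sssd.conf sections used to resolve a trusted-domain
user on an IPA client. Added example, not SSSD/FreeIPA code; names are placeholders."""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*debug_level\s*=")
# domain (IPA provider, certmap), nss (id), ssh (sss_ssh_authorizedkeys), pam (cert login)
DIAG_SECTIONS = ["domain/", "nss", "ssh", "pam"]  # trailing slash = prefix match

def set_debug_level(text, level=9, sections=DIAG_SECTIONS):
    """Return conf text with 'debug_level = <level>' in each wanted section:
    replaced in place where present, appended where missing; comments,
    ordering and other sections are untouched. SSSD accepts 0-9 here."""
    def wanted(name):
        return any(name == s or (s.endswith("/") and name.startswith(s))
                   for s in sections)
    out, current, seen = [], None, False
    def close_section():  # add the key if the section just ended lacks it
        if current is not None and wanted(current) and not seen:
            i = len(out)
            while i > 0 and not out[i - 1].strip():  # keep blank separator
                i -= 1
            out.insert(i, f"debug_level = {level}")
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            close_section()
            current, seen = m.group("name").strip(), False
            out.append(line)
        elif current is not None and wanted(current) and KEY_RE.match(line):
            out.append(f"debug_level = {level}")
            seen = True
        else:
            out.append(line)
    close_section()
    return "\n".join(out) + "\n"

# Constructed client config: the domain has a low level, nss/ssh have none at all.
SAMPLE_CONF = """[sssd]
services = nss, pam, ssh
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
debug_level = 2

[nss]

[ssh]
"""
```

Write the result back to /etc/sssd/sssd.conf (mode 0600, owned by root), restart sssd, and then watch /var/log/sssd/sssd_<domain>.log, sssd_nss.log and sssd_ssh.log while running id and sss_ssh_authorizedkeys for the AD user.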

Thanks Sumit. I'll do that.

Closing and opening issue #4096 at sssd.

Metadata Update from @mpreissner:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)
