SSSD filters out the `administrators` group (GID 700) when sssd.conf's min_id is set to the default value of 1000.
The SIMP docs state that SIMP is preconfigured to grant SSH to members of the administrators group. This is coded into SIMP by adding the (administrators) group to /etc/security/access.conf in simp::admin.
The gidNumber of the LDAP group administrators is hard-coded to 700 in simp_openldap/templates/etc/openldap/default.ldif.erb
The default min_id for the SSSD LDAP domain is set to 1000 in simp::sssd::client
Consequently, on newly-kickstarted EL7 clients that are configured with the SIMP default settings and LDAP groups, users in the administrators group cannot log in via SSH without further intervention.
Under these conditions, SSH access can be made to work correctly by logging directly into the local system and running the id command on an affected user.
After applying the id workaround, SSH access will persist across reboots and sss_cache -E, but removing the SSSD db files under /var/lib/sss/db will reset the problem.
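
A check for the mismatch described above, as an added example (not SIMP's own code): it compares each SSSD domain's min_id with the gidNumber of every group that access.conf grants access to. The sssd.conf and access.conf contents and the LDAP group map are constructed samples, and the function names are hypothetical.

```python
import configparser
import re

# Constructed samples mirroring the defaults described above.
SSSD_CONF = """\
[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
min_id = 1000
"""
ACCESS_CONF = """\
# constructed sample
+ : (administrators) : ALL
+ : root : LOCAL
- : ALL : ALL
"""
# Assumed group -> gidNumber map; 700 is the value from default.ldif.erb.
LDAP_GROUPS = {"administrators": 700, "developers": 1500}

def domain_min_ids(sssd_conf_text):
    """Return {domain: min_id}; SSSD's built-in default is 1 when unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    return {s.split("/", 1)[1]: cp.getint(s, "min_id", fallback=1)
            for s in cp.sections() if s.startswith("domain/")}

def allowed_groups(access_conf_text):
    """Collect (group) entries from '+' rules in access.conf."""
    groups = []
    for line in access_conf_text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":", 2)]
        if len(fields) == 3 and fields[0] == "+":
            groups += re.findall(r"\(([^)]+)\)", fields[1])
    return groups

def filtered_groups(sssd_conf_text, access_conf_text, ldap_groups):
    """List (domain, group, gid, min_id) where SSSD would ignore the group."""
    findings = []
    for domain, min_id in domain_min_ids(sssd_conf_text).items():
        for group in allowed_groups(access_conf_text):
            gid = ldap_groups.get(group)
            if gid is not None and gid < min_id:
                findings.append((domain, group, gid, min_id))
    return findings

if __name__ == "__main__":
    for domain, group, gid, min_id in filtered_groups(SSSD_CONF, ACCESS_CONF, LDAP_GROUPS):
        print(f"{domain}: group {group} (gid {gid}) is below min_id {min_id}")
```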