Linux-SSSD: always getting incorrect password when su'ing to domain users, but why?

I've built a new Linux environment at my work place. I've configured sssd and bound it to one of the Active Directory domains of the company.

I can tell that the sssd is partially working, let me show you:

I've cleaned the sssd cache on the local machine, restarted sssd and queried for a domain user:

[root@pnd01 ~]# sss_cache -E
[root@pnd01 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@pnd01 ~]# id itai.ganot
uid=10238(itai.ganot) gid=10012(XXXX_ops) groups=10012(XXXX_ops)
[root@pnd01 ~]#

Here's the sssd.conf file:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = AD


[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
override_shell = /bin/bash


[pam]
reconnection_retries = 3

[domain/AD]
enumerate = true
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://10.X.X.12 ,ldap://10.X.X.11 
ldap_schema = rfc2307
ldap_default_bind_dn = CN=testuser,CN=Users,DC=eyedcny,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = Aa123456
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_force_upper_case_realm = true
ldap_tls_reqcert = never
ldap_account_expire_policy = ad
ldap_search_base = CN=RND Users,DC=eyedcny,DC=local
krb5_server = 10.X.X.12 ,10.X.X.11
krb5_realm = EYEDCNY.LOCAL
krb5_kpassword = default
ldap_referrals = false
case_sensitive = false
[root@pnd01 ~]# 

The problem is that whenever I try to su from one normal user account to another, I get an incorrect password, even though the password is the correct one for sure.

As you can see here, the user is not taken from /etc/passwd but from the sync with AD:

[root@pnd01 ~]# grep itai.ganot /etc/passwd
[root@pnd01 ~]# su - itai.ganot
[itai.ganot@pnd01 ~]$ su - itai.ganot
Password: 
su: incorrect password
[itai.ganot@pnd01 ~]$

Edit #1: Here are the relevant lines from /var/log/secure with the error i'm getting:

Apr 13 14:49:27 pnd02 su: pam_unix(su-l:auth): authentication failure; logname=root uid=10238 euid=0 tty=pts/0 ruser=itai.ganot rhost=  user=itai.ganot
Apr 13 14:49:27 pnd02 su: pam_sss(su-l:auth): authentication failure; logname=root uid=10238 euid=0 tty=pts/0 ruser=itai.ganot rhost= user=itai.ganot
Apr 13 14:49:27 pnd02 su: pam_sss(su-l:auth): received for user itai.ganot: 4 (System error)

Edit #2: Another thing which is worth mentioning:

[root@pnd01 ~]# authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
authconfig: Invalid LDAP URI.
[root@pnd01 ~]#

I'm not sure why I get this error or where does it look for the LDAP URI, because if it's looking on the one configured in /etc/sssd/sssd.conf then the right URI is configured there.

Can you please try to find the reason for this behavior?

Feel free to ask for any logs you need, and I'll edit my answer to include them.

I'm not sure why I'm getting downvoted. The troubhleshooting guide exactly lists where to look and what logs to enable. Please don't expect answers without the proper data.

I didn't downvote you mate.

Probably because your answer looks a lot like spam