Question

Have a fairly simple setup of one AD server with various linux hosts. We attached the linux hosts to our domain by using:

realm discover domain.example.com
realm join domain.example.com -U user.adm

Our /etc/sssd/sssd.conf looks like:

[sssd]
domains = domain.example.com
config_file_version = 2
services = nss, pam

[domain/domain.example.com]
ad_domain = domain.example.com
krb5_realm = DOMAIN.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = false
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = linuxaccess@domain.example.com

From here we can login as AD users that are a part of the linuxaccess group. I attempted to reset a password but get:

[username.lin@hostname ~] passwd
Current Password:
New password:
Retype new password:
Password change failed. Server message: Access denied
passwd: Authentication token manipulation error

/var/log/secure shows:

Oct 12 14:39:48 computer passwd: pam_unix(passwd:chauthtok): user "username.lin" does not exist in /etc/passwd
Oct 12 14:40:01 computer passwd: pam_unix(passwd:chauthtok): user "username.lin" does not exist in /etc/passwd
Oct 12 14:40:01 computer passwd: pam_sss(passwd:chauthtok): Password change failed for user username.lin: 20 (Authentication token manipulation error)

Thoughts on why changing passwords do not appear to be supported or what the misconfiguration could be? Guessing something in pam.d but not confident.