Sssd cache issues with authorized_keys

Tags: centos7, ssh-keys, sssd

I'm running a server with CentOS 7.4.1708 and all patches applied. sssd is version 1.15.2.

I have a working sssd setup which enables me to sign in using SSH public keys stored in Active Directory.

The config

The instance is successfully joined and this is my /etc/sssd/sssd.conf:

[sssd]
domains = EXAMPLE.COM
default_domain_suffix = EXAMPLE.COM
config_file_version = 2
debug_level = 7
services = nss, pam, ssh

[domain/EXAMPLE.COM]
ad_domain = EXAMPLE.COM
debug_level = 7
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ldap_user_ssh_public_key = sshPublicKey
ad_access_filter = DOM:EXAMPLE.COM:(memberOf:1.2.840.113556.1.4.1941:=CN=ACL_DEV_APAC_developers,OU=ACL,OU=Group,OU=EXAMPLE,DC=EXAMPLE,DC=COM)

[ssh]
debug_level = 7

[nss]
debug_level = 7

My /etc/ssh/sshd_config includes

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

The problem

Users are able to log in only once during the cache lifetime (by default 90 minutes); otherwise they are denied access. See the log at https://pastebin.com/Jqc52MWH. For logs with debug_level = 9 see https://pastebin.com/0uQ8MCuS

Running sss_ssh_authorizedkeys myadmin works perfectly when run with a clean/timed-out cache (even multiple times in a row). When I log in via ssh and try to run it directly afterwards, nothing is returned for the logged-in user, but I can query a (new/fresh) user right away.

The workaround

Adding entry_cache_user_timeout = 5 to [domain/EXAMPLE.COM] in /etc/sssd/sssd.conf enables a login every 5 seconds. Faster logins are not possible. A lower timeout lengthens the login time.

Solution

Does anyone have a solution to this problem?

Best Answer

See the bug report for the latest status: https://pagure.io/SSSD/sssd/issue/3534

Workaround 1

Adding the LDAP attribute sshPublicKey to the global catalog solves the issue. See https://blogs.technet.microsoft.com/scotts-it-blog/2015/02/28/ad-ds-global-catalogs-and-the-partial-attribute-set/ for instructions. The attribute should look something like this: [image: schema settings]

Workaround 2

Alternatively, one can add ad_enable_gc = false to the domain config. Then the global catalog will only be used for cross-domain group memberships. See man sssd-ad for details.
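An added check (my own example, not code from the question or the answer) that parses an sssd.conf in the questioner's layout and flags AD domains where ldap_user_ssh_public_key is set but ad_enable_gc has not been disabled, the combination Workaround 2 addresses. The sample config is constructed from the question; the default of ad_enable_gc being true follows man sssd-ad.

```python
import configparser

# Constructed sample: the questioner's sssd.conf, trimmed to the keys that matter here.
SAMPLE_SSSD_CONF = """
[sssd]
domains = EXAMPLE.COM
services = nss, pam, ssh

[domain/EXAMPLE.COM]
id_provider = ad
ad_domain = EXAMPLE.COM
ldap_id_mapping = True
ldap_user_ssh_public_key = sshPublicKey
ad_access_filter = DOM:EXAMPLE.COM:(memberOf:1.2.840.113556.1.4.1941:=CN=ACL_DEV_APAC_developers,OU=ACL,DC=EXAMPLE,DC=COM)
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style with '=' as the only delimiter; keep key case as written."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def gc_key_lookup_findings(cp):
    """Return {domain: advice} for AD domains whose SSH key attribute may be
    looked up via the global catalog, which does not carry sshPublicKey unless
    it was added to the partial attribute set (Workaround 1). ad_enable_gc
    defaults to true (man sssd-ad), so an absent key counts as enabled."""
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        sec = cp[section]
        if sec.get("id_provider", "").strip().lower() != "ad":
            continue
        key_attr = sec.get("ldap_user_ssh_public_key", "").strip()
        if not key_attr:
            continue  # SSH keys are not fetched from LDAP for this domain
        gc_enabled = sec.get("ad_enable_gc", "true").strip().lower() not in ("false", "no", "0")
        if gc_enabled:
            findings[domain] = (
                f"ldap_user_ssh_public_key = {key_attr} with the global catalog enabled: "
                "add the attribute to the GC partial attribute set or set ad_enable_gc = false"
            )
    return findings


if __name__ == "__main__":
    for dom, msg in gc_key_lookup_findings(parse_sssd_conf(SAMPLE_SSSD_CONF)).items():
        print(f"[domain/{dom}] {msg}")
```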