Comment 2 for bug 1885724

No this is the strange part; rc file sourced is of admin user and even tried with admin project yet the same.. for the user is disabled message that is about a user which is enabled not disabled.

Moreover, another keystone log message i found is about the identity policy that caught my eye at the very first place;

WARNING py.warnings [req-cb32dbe9-1264-4552-9f9c-77e815958758 8f5644850ee64d7a96f751b64a49a416 a7878ba89d7a498abd3998860819b644 - default default] /usr/lib/python3.6/site-packages/oslo_policy/policy.py:964: UserWarning: Policy identity:list_groups failed scope check. The token used to make the request was project scoped but the policy requires ['system', 'domain'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)

as I remember STEIN offers changes those were not available in early versions so thought may be the main reason but some how at the time of updating the case here didn't notice those messages are not there.. may be it'll give you some clue so shared now.

let me know where to look further.

Thanks.