Comment 2 for bug 1689387

Andreas Hasenack (ahasenack) wrote :

Did you change the apparmor profile to be in enforcing mode? By default it's in complain mode as far as I can see:

lrwxrwxrwx 1 root root 16 Jun 19 20:48 /etc/apparmor.d/force-complain/usr.sbin.sssd -> ../usr.sbin.sssd

That being said, I can see at least one more missing rule, this time for the chown capability:
[ 1690.540498] audit: type=1400 audit(1497905549.525:43): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=9946 comm="sssd" capability=0 capname="chown"
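
Added example, not part of the original comment or of the sssd/AppArmor packaging: a small Python parser that reads AppArmor audit lines like the one above and lists, per profile, the candidate rules the profile lacks, marking whether each event was only logged (`ALLOWED`, complain mode) or blocked (`DENIED`, enforce mode). The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first line is the one quoted in the comment above;
# the other two are made up for illustration.
SAMPLE_LOG = '''\
[ 1690.540498] audit: type=1400 audit(1497905549.525:43): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/sssd" pid=9946 comm="sssd" capability=0 capname="chown"
[ 1691.000001] audit: type=1400 audit(1497905550.001:44): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/example/constructed.conf" pid=9946 comm="sssd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1692.000001] audit: type=1400 audit(1497905551.001:45): apparmor="DENIED" operation="capable" profile="/example/other" pid=100 comm="other" capability=21 capname="sys_admin"
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD.findall(line)}

def missing_rules(log_text):
    """Map profile -> set of (verdict, candidate rule) seen in the log."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        # ALLOWED: complain mode logged a would-be denial; DENIED: enforced.
        if not ev or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if ev.get("operation") == "capable" and "capname" in ev:
            rule = f'capability {ev["capname"]},'
        elif "name" in ev and "denied_mask" in ev:
            # Simplification: assumes a plain path with no spaces or encoding.
            rule = f'{ev["name"]} {ev["denied_mask"]},'
        else:
            continue
        found[ev["profile"]].add((ev["apparmor"], rule))
    return dict(found)

if __name__ == "__main__":
    for profile, rules in missing_rules(SAMPLE_LOG).items():
        for verdict, rule in sorted(rules):
            print(f"{profile}: [{verdict}] {rule}")
```

The output is a list of candidates to review against what the daemon actually needs, not rules to paste into the profile unchecked.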