Comment 6 for bug 2000407

They actually had me pull /etc/nsswitch.conf, and that's what the problem was. Per this doc, I didn't mess with that file at all:

https://wiki.ubuntu.com/Enterprise/Authentication/sssd

Specifically from there:

"SSSD automatically modifies the PAM files and /etc/nsswitch.conf with pam-auth-update. You do not need any other NSS or PAM backend such as pam-ldap."

Someone in the other bug suggested pam-ldap was installed after, but gong through my shell history, here's the apt installs in order:

apt install ldap-utils
apt install sssd libpam-sss libnss-sss
apt -y install vim
apt install openssh-server
apt install ldb-tools
apt install authconfig
apt install ldap-auth-config
apt -y install libnss-ldap libpam-ldap ldap-utils
apt -y install sssd-ldap sssd-krb5 ldap-utils krb5-user

I don't know if that's useful, if there's some check to do to make sure that file is in the right state?

The contents of /etc/nsswitch were the following:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat
gshadow: files

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files sss
ethers: db files
rpc: db files

netgroup: nis sss
automount: sss