Score:0

Authenticating via SSSD but Unix Auth logs a failure


I have WinAD authentication working on all 20+ of our Debian 11 servers. We also have a handful of CentOS/Rocky servers working correctly. Logging in to one of the Debian machines produces the following logs:

Mar 22 07:53:06 pcap-1 sshd[1107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.224.2  user=ross
Mar 22 07:53:06 pcap-1 sshd[1107]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.224.2 user=ross

I've modified nsswitch.conf (after my baseline config of the whole server, 'sss' is generated at the end of each line shown below; I manually moved it to the front):

passwd:         sss files systemd
group:          sss files systemd
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       sss nis
automount:      sss

We want unix auth to still be in place in the event we need to log in with our local admin account, but still allow AD users in.

Why is unix auth being attempted before sss?

Score:0

The clue is actually in the (very helpful) log you posted: pam_unix and pam_sss. So these logs come from the PAM system.

If you look in /etc/pam.d you’ll see various files configuring how logins work, and I suspect that in many of them, pam_unix will appear before pam_sss.

It’s been a long time since I played with PAM, so I won’t try to advise you here except to caution you that changing these files without really understanding them could prevent you from logging in.

There’s nothing inherently wrong with the system trying the UNIX login before AD. I’m not sure that reordering them will provide any practical advantage, except to suppress a (harmless) message – until you try to login with a UNIX account, in which case you’ll get a (harmless) AD login failure message first.
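The answer's point can be checked without touching a live box. On Debian, pam-auth-update writes /etc/pam.d/common-auth with pam_unix ahead of pam_sss, each under a `[success=N default=ignore]` control: for an AD account pam_unix fails (no /etc/shadow entry), that failure is ignored, and pam_sss then succeeds with the same password via use_first_pass, which is exactly the pair of log lines in the question. The script below is an added example, not code from the thread or from Debian or sssd. It simulates Linux-PAM walking two constructed stacks (a copy of the Debian 11 default, and a hypothetical reordered one with pam_sss first) for a local account, an AD account and an unknown account, and prints which modules actually ran, i.e. which ones would log. The stack text and the `module_result` stand-in are assumptions made for the simulation.

```shell
#!/bin/sh
# Added example, not code from the thread. Simulates how Linux-PAM walks a
# Debian-style /etc/pam.d/common-auth "auth" stack so you can see which
# modules run (and therefore which ones log) for a local account versus an
# AD account, before and after moving pam_sss ahead of pam_unix.
set -f   # no globbing: PAM control fields such as "[success=2" contain '['

# Constructed copy of what pam-auth-update writes on Debian 11 once sssd is
# installed. Compare with your own: grep -n 'pam_unix\|pam_sss' /etc/pam.d/common-auth
COMMON_AUTH_DEFAULT='auth	[success=2 default=ignore]	pam_unix.so nullok
auth	[success=1 default=ignore]	pam_sss.so use_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	optional			pam_cap.so'

# Constructed reordered stack (pam_sss first); hypothetical, not a Debian
# default. pam-auth-update regenerates common-auth from the profiles in
# /usr/share/pam-configs and can overwrite a hand edit like this one.
COMMON_AUTH_SSS_FIRST='auth	[success=2 default=ignore]	pam_sss.so
auth	[success=1 default=ignore]	pam_unix.so nullok use_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	optional			pam_cap.so'

# Stand-in for the module's real verdict (an assumption for the simulation):
# a "local" account exists only in /etc/shadow, an "ad" account only in
# sssd, anything else in neither; pam_permit and pam_cap always pass.
module_result() {   # $1 = module file, $2 = local|ad|<other>
    case "$1:$2" in
        pam_unix.so:local|pam_sss.so:ad|pam_permit.so:*|pam_cap.so:*) echo success ;;
        *) echo failure ;;
    esac
}

# pam_auth_walk STACK KIND -> one line: "<module>=<result> ... => <verdict>"
# listing only the modules that actually executed. Control semantics follow
# pam.conf(5): [success=N default=ignore] skips the next N modules on success
# and is neutral on failure; requisite fails the stack immediately; required
# fails it but keeps going; optional never changes the outcome here.
pam_auth_walk() {
    stack=$1 kind=$2 skip=0 verdict="" trace=""
    while read -r line; do
        set -- $line                       # $1=auth, then control, module, args
        [ "$1" = auth ] || continue
        shift
        case "$1" in
            \[success=*) on_ok=${1#\[success=}; on_fail=ignore; module=$3 ;;
            requisite)   on_ok=0; on_fail=die;    module=$2 ;;
            required)    on_ok=0; on_fail=bad;    module=$2 ;;
            optional)    on_ok=0; on_fail=ignore; module=$2 ;;
            *)           continue ;;
        esac
        if [ "$skip" -gt 0 ]; then skip=$((skip - 1)); continue; fi
        result=$(module_result "$module" "$kind")
        trace="$trace$module=$result "
        if [ "$result" = success ]; then
            [ "$verdict" = failure ] || verdict=success
            skip=$on_ok
        elif [ "$on_fail" = die ]; then
            verdict=failure; break
        elif [ "$on_fail" = bad ]; then
            verdict=failure
        fi
    done <<EOF
$stack
EOF
    echo "$trace=> ${verdict:-failure}"
}

for kind in local ad unknown; do
    echo "default stack,   $kind: $(pam_auth_walk "$COMMON_AUTH_DEFAULT" "$kind")"
    echo "sss-first stack, $kind: $(pam_auth_walk "$COMMON_AUTH_SSS_FIRST" "$kind")"
done
```

With the default stack an AD login runs pam_unix (fails, ignored) and then pam_sss (succeeds, skips pam_deny), which is the failure/success pair in the question; a local login never reaches pam_sss at all. With pam_sss moved first the AD login is clean, but a local login now produces the mirror image: a pam_sss failure before the pam_unix success. An unknown account falls through both to pam_deny (requisite), which ends the stack with a failure. Reordering therefore only moves the harmless message from one kind of account to the other.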


