Unfortunately, I think that error bubbles up from nginx, though I can't actually find that string anywhere. I tried to replicate and got something slightly different. If you check the file `/var/lib/ondemand-nginx/config/puns/$USER.conf` you'll see something like `user jeff 'jeff';` as the first line. `/var/log/ondemand-nginx/$USER/error.log` may have something in there. I believe this is thrown when nginx tries to start processes as this user.

My guess is that you'll see errors thrown from sssd or pam too in `journalctl` or `/var/log/messages`.
The fact that these users can ssh gives me pause and that you temporarily fix the issue even more so. We’ve seen ‘user not found’ type issues before but it’s generally because the LDAP queries are misconfigured. Our libraries just bubble up what errors we come across. And ‘not found’ is more typical of an LDAP where “doesn’t exist”, though similar, is from some other library.
I would suggest these questions for debugging: what's the difference in authentication from SSH and OOD (mod_authnz_pam and pwauth are additional hops?). This always works for you, and sometimes for these other users. Could there be caching somewhere that's failing? What system errors are being thrown (`/var/log/httpd/`, sssd, ipa, mod_authnz_pam)?
In fact, I can't even replicate your issue, because if I try on a test instance I get `can't find user for foo`, which is slightly different. We were somehow able to find the user through `getpwnam` but failed at some other location. Maybe another argument for caching in some layer?
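As an added example (not part of this post and not Open OnDemand's own tooling), here is a small shell check for the first debugging step above: it reads the `user NAME 'GROUP';` line from a PUN nginx config and confirms that both the user and the group resolve through NSS, which is the same `getpwnam`/`getgrnam` lookup nginx has to make before it can start worker processes as that user. It assumes the config's first line has exactly that form and that `getent` and `id` are available on the host.

```shell
# Added example: verify that the user and group a PUN config names actually
# resolve through NSS (sssd/LDAP/files) on this host. A failure here points at
# name-service or cache trouble rather than at nginx itself.
# Assumption: the first line of the config reads  user NAME 'GROUP';
check_pun_user() {
    conf="$1"
    line=$(head -n 1 "$conf")
    # Second field is the user, third is the quoted group with a trailing ';'.
    name=$(printf '%s\n' "$line" | awk '{print $2}')
    group=$(printf '%s\n' "$line" | awk '{print $3}' | tr -d "';")
    status=0

    # id(1) performs the same passwd lookup (getpwnam) nginx relies on.
    if id -u "$name" >/dev/null 2>&1; then
        echo "user '$name' resolves via NSS"
    else
        echo "user '$name' NOT found via getpwnam/NSS"
        status=1
    fi

    # getent group performs the matching getgrnam lookup.
    if getent group "$group" >/dev/null 2>&1; then
        echo "group '$group' resolves via NSS"
    else
        echo "group '$group' NOT found via getgrnam/NSS"
        status=1
    fi
    return $status
}

# Usage (real path substituted for the placeholder):
#   check_pun_user /var/lib/ondemand-nginx/config/puns/SOMEUSER.conf
```

Running this as the affected user's PUN fails, and again after the temporary fix, shows whether the name lookup itself is what comes and goes; if the lookup succeeds here but nginx still complains, the problem sits after `getpwnam`, in PAM or in the per-user nginx startup, and the PUN error log is the next place to look.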