I have an Ansible playbook that writes to /etc/sssd/sssd.conf this Jinja template (variables are defined somewhere else):
# This line is just to check that the file is written correctly
[sssd]
domains = {{ domain }}
config_file_version = 2
services = nss, pam
[domain/{{ domain }}]
id_provider = ad
auth_provider = ad
ad_domain = {{ domain }}
ad_server = {{ ad_server }}
krb5_realm = {{ domain | upper }}
cache_credentials = true
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/EXAMPLE/%u
access_provider = simple
simple_allow_groups = {{ simple_allow_groups }}
simple_allow_users = {{ simple_allow_users }}
ignore_group_members = true
enumerate = False
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
Then the playbook restarts sssd, and does some realm leave and realm join operations.
After running the playbook, this is the content of /etc/sssd/sssd.conf on the server:
# This line is just to check that the file is written correctly
[sssd]
domains = example.abc
config_file_version = 2
services = nss, pam
[domain/example.abc]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.ABC
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.abc
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
What is changing /etc/sssd/sssd.conf, and how?
Asked by dr_
(32068 rep)
Jan 22, 2025, 05:12 PM
Last activity: Jan 23, 2025, 08:13 AM
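A drift check for the situation described in the question, as an added example that is not part of the original post: it compares the configuration the template should produce with what is found on disk and marks differences in the options that control login access. The `simple_allow_*` values are placeholders, and `ACCESS_KEYS` and the function names are this example's own choices.

```python
import configparser

# Constructed sample, trimmed from the two listings in the question. The values
# of simple_allow_groups / simple_allow_users are placeholders (not on the page).
INTENDED = """\
[domain/example.abc]
id_provider = ad
cache_credentials = true
use_fully_qualified_names = false
fallback_homedir = /home/EXAMPLE/%u
access_provider = simple
simple_allow_groups = placeholder-group
simple_allow_users = placeholder-user
ignore_group_members = true
"""
ACTUAL = """\
[domain/example.abc]
cache_credentials = True
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
use_fully_qualified_names = True
access_provider = ad
"""
# Options that decide who may log in and under which name (example's choice).
ACCESS_KEYS = {"access_provider", "simple_allow_groups", "simple_allow_users",
               "use_fully_qualified_names"}

def load(text):
    cp = configparser.RawConfigParser()  # Raw: "%u" must not be interpolated
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def norm(value):
    # Treat true/True as equal (the listings differ only in case there).
    return value.lower() if value and value.lower() in ("true", "false") else value

def drift(intended, actual):
    """Return (section, key, wanted, found, access_relevant) per difference."""
    want, have = load(intended), load(actual)
    out = []
    for sec in sorted(set(want) | set(have)):
        w, h = want.get(sec, {}), have.get(sec, {})
        for key in sorted(set(w) | set(h)):
            if norm(w.get(key)) != norm(h.get(key)):
                out.append((sec, key, w.get(key), h.get(key), key in ACCESS_KEYS))
    return out

if __name__ == "__main__":
    for sec, key, w, h, acc in drift(INTENDED, ACTUAL):
        print(f"{'ACCESS ' if acc else '       '}[{sec}] {key}: {w!r} -> {h!r}")
```

Run as the last task of a playbook against the rendered template and the on-disk file, a non-empty result with access-relevant entries shows that the allow-list the template intended is no longer in effect.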