I know it's been a while, but it took me a bit of testing. Initially I thought I did a good job, but I just found out I had a small flaw in the logic. You were right: it's a PAM module issue, not IPA or SSH. What happened is that when deploying our hardened Ubuntu images we are appending a pam_tally2 line to block a user after 9 unsuccessful attempts. So two things happened: our hardened image was lacking `account required pam_tally2`, so after a successful login the tally is not reset, and the appended lines from the IPA deployment didn't take into consideration that there is already a counter, so it was basically going line by line in required and therefore counting each failure twice. That's why users got locked out not after 9 but often after 4 or 5 attempts, and you couldn't see it with kinit as it's not a PAM-enabled binary. Learning PAM syntax and all the different modules took me some time, but finally I've settled on the following configuration in the common-auth module. Basically, I've used success=5 as a GOTO, and you can read it as: if NOT a local user, then do pam_sss and all the other stuff, and make sure you do pam_deny if you provided the wrong password to the pam_sss module, otherwise the sufficient syntax in pam_tally2 is not enough to break execution. Otherwise, jump the next 5 lines and do the same but for the pam_unix module.
auth [success=5 default=ignore] pam_localuser.so
auth required pam_sss.so forward_pass ignore_unknown_user ignore_authinfo_unavail
auth optional pam_faildelay.so delay=2000000
auth optional pam_cap.so
auth sufficient pam_tally2.so onerr=fail audit silent deny=9 unlock_time=300
auth requisite pam_deny.so
auth required pam_unix.so nullok
auth optional pam_faildelay.so delay=2000000
auth optional pam_cap.so
auth sufficient pam_tally2.so onerr=fail audit silent deny=9 unlock_time=300
auth requisite pam_deny.so
Thanks everyone for pointing me in the right direction.
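To check the control flow the post describes, here is an added example (not from the post or from Linux-PAM itself) that walks the posted common-auth stack with the Linux-PAM control-flag rules and reports which modules run and how many times pam_tally2 is called per attempt; module outcomes are constructed, and the counter reset done by pam_tally2 in the account stack is not modelled.

```python
# Added example: trace the posted common-auth stack under Linux-PAM
# control-flag semantics for local vs. IPA users and good vs. bad passwords.
OK, FAIL = "ok", "fail"

# The posted stack in order (control, module); module options omitted.
COMMON_AUTH = [
    ("[success=5 default=ignore]", "pam_localuser"),
    ("required", "pam_sss"),
    ("optional", "pam_faildelay"),
    ("optional", "pam_cap"),
    ("sufficient", "pam_tally2"),
    ("requisite", "pam_deny"),
    ("required", "pam_unix"),
    ("optional", "pam_faildelay"),
    ("optional", "pam_cap"),
    ("sufficient", "pam_tally2"),
    ("requisite", "pam_deny"),
]

def module_result(name, local_user, password_ok, tally):
    # Constructed outcomes; pam_tally2 bumps its counter on every auth call
    # (the reset on success lives in the account stack, not modelled here).
    if name == "pam_tally2":
        tally["count"] += 1
    outcomes = {"pam_localuser": local_user, "pam_deny": False,
                "pam_sss": password_ok, "pam_unix": password_ok}
    return OK if outcomes.get(name, True) else FAIL

def run_auth(stack, local_user, password_ok):
    """Return (result, modules run, pam_tally2 calls). success=N skips N
    entries; required records failure; requisite fails at once; sufficient
    returns success only if no earlier required failed; optional is ignored."""
    tally, executed, failed, i = {"count": 0}, [], False, 0
    while i < len(stack):
        control, name = stack[i]
        result = module_result(name, local_user, password_ok, tally)
        executed.append(name)
        if control.startswith("[success="):
            if result == OK:
                i += int(control.split("=")[1].split()[0])
        elif control == "required" and result == FAIL:
            failed = True
        elif control == "requisite" and result == FAIL:
            return FAIL, executed, tally["count"]
        elif control == "sufficient" and result == OK and not failed:
            return OK, executed, tally["count"]
        i += 1
    return (FAIL if failed else OK), executed, tally["count"]
```

Every combination bumps the tally exactly once per attempt, and a wrong password always ends in pam_deny rather than falling through to the second block.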