In recent postings, there have been some (quite correct!) inferences about my
situation. Let me dispel any confusion, so you’re aware of my perspective.
I work for a Fortune 500 company in their IT department. Our company and
team have done Linux and UNIX AD integration using 2 ½ commercial products
for over 12 years now. (That third product was used only in a very limited
Our team has oversight for about 30,000 Linux servers – 17K of them that
are AD-integrated and 13K in the process of getting there.
So, my team and our server support organization have a wealth of experience
with the Linux client configurations of AD integration. We know our
company incident procedures and that escalation process. Thus, I can say
with confidence (for instance) that Linux sysadmins are engaged in the
infrequent occurrence that AD integration is bulloxed on a particular Linux
So, while we have a wealth of experience in AD/LDAP Linux and app
integration, we are frankly newbies to sssd. I fully admit to my
inexperience in sssd configuration and setup. However, I have been using
it and evaluating it for almost a year. I have it working on RHEL7, RHEL8
and (just last week) RHEL6.
I have gone through all anticipated test cases and – except for one totally
obscure edge case – sssd appears like it can do everything the commercial
AD integration products can do. I say that – although I have two open sssd
cases with our OS vendor.
1. One has been discussed already on this forum – “realm permit”
segfaulting (but only on RHEL8). Our OS vendor has provided a work-around
2. I believe the second bug is not a “bug” at all – but it’s due to
my lack of understanding of AD and my inexperience with sssd. I’m
currently working that with our OS vendor as well.
Incidentally, if it appears that I’m singularly focused on AD – that’s
because I am. That’s all my company uses for its back-end authentication
mechanism. I’m also singularly focused on RHEL and RHEL-derived Linux
servers, for similar reasons.
Thus, when I suggest an RFE, I’m speaking from my perspective only and my
company’s Linux perspective. I fully realize that other companies have
different escalation policies, different authentication back-ends and
different situations. I fully realize that any RFE I suggest would be
half-baked (at best) – if accepted, it would surely be re-written to be
more generic and useful for a larger target audience.