In recent postings, there’s been some (quite correct!) inferences about my situation. Let me dispel any confusion, so you’re aware of my perspective.
I work for a Fortune 500 company in their IT department. Our company and team has done Linux and UNIX AD integration using 2 ½ commercial products for over 12 years now. (that third product was used only in a very limited scope).
Our team has oversight for about 30,000 Linux servers – 17K of them that are AD-integrated and 13K in the process of getting there.
So, my team and our server support organization has a wealth of experience with the Linux client configurations of AD integration. We know our company incident procedures and that escalation process. Thus, I can say with confidence (for instance) that Linux sysadmins are engaged in the infrequent occurrence that AD integration is bulloxed on a particular Linux server.
So, while we have a wealth of experience in AD/LDAP Linux and app integration, we are frankly newbies to sssd. I fully admit to my inexperience in sssd configuration and setup. However, I have been using it and evaluating it for almost a year. I have it working on RHEL7, RHEL8 and (just last week) RHEL6.
I have gone through all anticipated test cases and – except for one totally obscure edge case -- sssd appears like it can do everything the commercial AD integration products can do. I say that – although I have two open sssd cases with our OS vendor.
1. One has been discussed already on this forum – “realm permit” segfaulting (but only on RHEL8). Our OS vendor has provided a work-around for this.
2. I believe the second bug is not a “bug” at all – but it’s due to my lack of understanding of AD and my inexperience with sssd. I’m currently working that with our OS vendor as well.
Incidentally, if it appears that I’m singularly focused on AD – that’s because I am. That’s all my company uses for its back-end authentication mechanism. I’m also singularly focused on RHEL and RHEL-derived Linux servers, for similar reasons.
Thus, when I suggest an RFE, I’m speaking from my perspective only and my company’s Linux perspective. I fully realize that other companies have different escalation policies, different authentication back-ends and different situations. I fully realize that any RFE I suggest would be half-baked (at best) – if accepted, it would surely be re-written to be more generic and useful for a larger target audience.