On Wed, 16 Jul 2014, Dmitri Pal wrote:
Potentially what you want is to be able to generate SSSD cache db on
one
system and copy it around.
There is no such functionality and the problem with building one is
creating password hashes in such database in bulk (requires passwords in
clear which is a nonstarter). When users log in one by one passwords can
be captured and hashed for further use. It is hard to do in bulk.
I'd argue that there's normally no need to do internal authentication within
an HPC cluster, user information alone is sufficient. Internally, you can
rely on the integrity of the cluster to get by with trusted auth between the
nodes, and HostbasedAuthentication or similar.
May be what you can do is make users log into the gateway node and
then
once a while copy its sssh caches to other nodes in the cluster but SSSD
on those nodes would be outdated for that period of time. I do not know
how usable it is. A new user would have to wait for this period after he
authenticated and before he actually can submit a job. May be you already
have a mechanism to queue these things. May be you can somehow detect that
user is new and queue the SSSD cache update together with his actual job.
I'm not clear what benefit you get from running SSSD internally, vs a cluster
local NIS/LDAP fed data from an SSSD front node.
jh