I have a CentOS 8 HPC cluster setup with a login node that is connected to an active directory via sssd/kerberos. Only the login node is accessible from the user network. Users use their normal domain account to access the login node. All the cluster traffic is within a separate network, which is routed through the login node.

Internally the cluster uses SSH keys for authentication. However, so far this only works for the cluster's local users listed in passwd. Now I would like the login node to provide the AD user mapping for uid/gid to the compute nodes within the cluster, i.e., the AD users log into the login node with their AD account / Kerberos and within the cluster use SSH keys.

What would be the best way to achieve this? I thought about replicating the AD users with an LDAP server on the login node and from there providing them to the cluster nodes. The cluster is stateless, so joining the domain with sssd/Kerberos on each node at boot does not seem to be an option.

1 Answer


After trying different approaches I found a solution that works for me. I configured sssd to use AD as an LDAP provider on the nodes. Using obfuscated_password, this works without joining the domain. My sssd.conf looks like this now:

# sssd.conf is INI-style; the [sssd] and [domain/<name>] section headers are
# required or sssd refuses to start. The domain section name must match the
# entry in "domains".
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = domain.com
full_name_format = %1$s

[domain/domain.com]
# Plain LDAP against AD, no domain join needed for identity lookups.
id_provider = ldap
auth_provider = ldap
cache_credentials = True
# ldap://:389 is cleartext unless ldap_id_use_start_tls = true is also set
# (it defaults to false), so the bind below travels unencrypted as written.
ldap_uri = ldap://ad.domain.com:389
ldap_search_base = DC=domain,DC=com
ldap_schema = ad
ldap_user_search_base = OU=...,DC=domain,DC=com
# Service account used for lookups; the token comes from sss_obfuscate,
# which hides but does not encrypt the password (keep the file 0600 root).
ldap_default_bind_dn = CN=user,OU=...,DC=domain,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = xxxxxxx
ldap_tls_cacert = /etc/pki/tls/cert.pem
# "allow" accepts any server certificate; "demand" enforces verification.
ldap_tls_reqcert = allow
# Derive uid/gid from the objectSID so every node maps users identically.
ldap_id_mapping = True
ldap_referrals = False
# Expose the attribute holding the SSH public key to sss_ssh_authorizedkeys.
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
ldap_user_name = sAMAccountName
ldap_group_name = sAMAccountName
default_shell = /bin/bash
fallback_homedir = /home/%u@%d
override_homedir = /home/%u@%d
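The answer's config binds to AD over ldap://:389 with ldap_tls_reqcert = allow, which means the service-account credential and every lookup cross the cluster network unencrypted and a host impersonating the DC would be accepted. The following lint is an added example, not code from the original answer or from the sssd project: it parses an sssd.conf with Python's configparser, reports those two transport weaknesses for each [domain/...] section, and returns a hardened copy that enables StartTLS on ldap:// URIs and sets ldap_tls_reqcert = demand. The embedded sample is constructed to mirror the answer's config; the domain name, OU, bind DN and token are placeholders.

```python
import configparser
import io

# Constructed sample mirroring the shape of the answer's sssd.conf. The domain,
# OU, bind DN and token are placeholders, not values from the original page.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = domain.com

[domain/domain.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ad.domain.com:389
ldap_search_base = DC=domain,DC=com
ldap_schema = ad
ldap_default_bind_dn = CN=svc-sssd,OU=Service,DC=domain,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = PLACEHOLDER
ldap_tls_cacert = /etc/pki/tls/cert.pem
ldap_tls_reqcert = allow
ldap_id_mapping = True
ldap_user_ssh_public_key = altSecurityIdentities
fallback_homedir = /home/%u@%d
"""


def load_sssd_conf(text):
    """Parse sssd.conf text. Interpolation is disabled because sssd values such
    as %u@%d and %1$s are not Python format directives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_domain(cp, section):
    """Return findings (strings) for one [domain/...] section using the ldap
    provider. Defaults follow sssd-ldap(5): ldap_id_use_start_tls is false and
    ldap_tls_reqcert is hard unless set explicitly."""
    d = cp[section]
    findings = []
    start_tls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
    for uri in (u.strip() for u in d.get("ldap_uri", "").split(",")):
        if uri.startswith("ldap://") and not start_tls:
            findings.append(
                f"plaintext: {uri} without ldap_id_use_start_tls=true; the bind DN "
                "password (obfuscation is reversible, not encryption) and every "
                "lookup cross the wire unencrypted")
    if reqcert not in ("demand", "hard"):
        findings.append(
            f"reqcert: ldap_tls_reqcert={reqcert} accepts any server certificate, "
            "so a host impersonating the DC can harvest the bind credential")
    return findings


def harden(cp):
    """Return a copy of the config with the transport fixed: StartTLS on every
    ldap:// URI and strict certificate verification. Nothing else is changed,
    so the original parser object is left as it was."""
    buf = io.StringIO()
    cp.write(buf)
    out = configparser.ConfigParser(interpolation=None)
    out.read_string(buf.getvalue())
    for section in out.sections():
        if not section.startswith("domain/"):
            continue
        d = out[section]
        if "ldap://" in d.get("ldap_uri", ""):
            d["ldap_id_use_start_tls"] = "true"
        d["ldap_tls_reqcert"] = "demand"
    return out


if __name__ == "__main__":
    cp = load_sssd_conf(SAMPLE_CONF)
    for finding in lint_domain(cp, "domain/domain.com"):
        print("FINDING", finding)
    print("after hardening:", lint_domain(harden(cp), "domain/domain.com"))
```

Run it against /etc/sssd/sssd.conf by reading the file into load_sssd_conf. For the hardened variant to connect, the CA that issued the domain controller's certificate must be in the file named by ldap_tls_cacert (the system bundle on CentOS 8 is /etc/pki/tls/cert.pem, which will not contain an internal AD CA unless it was added), and the DC must offer StartTLS on 389 or LDAPS on 636, in which case an ldaps:// URI is the equivalent alternative to the StartTLS flag.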