Thank you for all the comments and suggestions,

2013/10/30 Jakub Hrozek <>
>On Wed, Oct 30, 2013 at 12:18:44PM +0200, Sami K wrote:
>> Any idea when would RHEL6 sssd be rebased?
> Not in RHEL-6.5 :-) Currently it's not clear if RHEL6 will rebase. (And
> details about future RHEL updates are not usually disclosed on public
> mailing list).

I guessed that much, just trying to make incentive to rebase if it solves problems :)

2013/10/31 Lukas Slebodnik <>
On (30/10/13 11:40), Sumit Bose wrote:
>On Wed, Oct 30, 2013 at 12:18:44PM +0200, Sami K wrote:
>sorry for that, please use the configure option
>--disable-cifs-idmap-plugin to get around this. It is already tracked to
>make the cifsidmap support optional

Thanks, this worked.
It is possible to create src.rpm directly from tarball (sssd>1.10)
or git repository with script "".
This script is located in subdirectory "contrib/fedora/"

And this was even better - thanks for the tip. Script worked great after a small change:
[root@testm1 contrib]# diff -u fedora/ rhel/
--- fedora/    2013-11-01 11:53:53.128687041 +0200
+++ rhel/    2013-11-01 12:00:00.587957406 +0200
@@ -108,10 +108,10 @@
-git archive --format=tar.gz --prefix="$NAME"/ \
-            --output "$RPMBUILD/SOURCES/$NAME.tar.gz" \
+git archive --format=tar --prefix="$NAME"/ \
             --remote="file://$SRC_DIR" \
-            HEAD
+            HEAD \
+            | gzip > "$RPMBUILD/SOURCES/$NAME.tar.gz"
 cp "$SRC_DIR"/contrib/*.patch "$RPMBUILD/SOURCES"
git archive in RHEL6 does not have support for tar.gz format:
[testm1 contrib]# git --version
git version 1.7.1

Then you can rebuild src.rpm with rpmbuild or mock without any problem,
because cifs-plugin is automatically disabled for older distributions
in spec file.

Last note, if you wanted to use newer version on RHEL6 I would
suggest to build sssd from 1.11 branch. Master branch needn't be very
stable for production release and 1.11 branch does not have cifs plugin.

In other news, I seem to be unable to produce the same performance level as in F19 on RHEL6, tried with sssd-1.11.3. So either configuration error on my part or something else, have to investigate further. Also the suggested option "ignore_group_members" really makes the difference except it is not suitable for us in all environments. Apache pam module for 'require group' asks specifically for group members (tried it out) so no luck there. We really should not use that method anymore but we have bunch of legacy sites and modifying all of them would be a mess.


- Sami