diff --git a/hieradata/org/lsst.yaml b/hieradata/org/lsst.yaml
index add996f1df..de0d24f3a3 100644
--- a/hieradata/org/lsst.yaml
+++ b/hieradata/org/lsst.yaml
@@ -27,6 +27,9 @@ lookup_options:
 profile::core::ipset::set:
 merge:
 strategy: "deep"
+ sssd::domains:
+ merge:
+ strategy: "deep"
 timezone::timezone: "UTC"
 chrony::leapsectz: "right/UTC"
@@ -78,11 +81,12 @@ easy_ipa::ipa_master_fqdn: "ipa1.tuc.lsst.cloud"
 # easy_ipa client options
 easy_ipa::ipa_role: "client"
 easy_ipa::configure_ntp: false
-easy_ipa::install_epel: false
+easy_ipa::configure_sshd: false
 easy_ipa::install_autofs: false
-easy_ipa::install_sssdtools: false
+easy_ipa::install_epel: false
 easy_ipa::install_kstart: false
-easy_ipa::configure_sshd: false
+easy_ipa::install_sssd: false
+easy_ipa::install_sssdtools: false
 ssh::client_options:
 GlobalKnownHostsFile: "/var/lib/sss/pubconf/known_hosts"
 PubkeyAuthentication: "yes"
@@ -211,3 +215,29 @@ profile::core::ipset::set:
 - "139.229.0.0/16"
 - "198.19.0.0/16"
 - "10.0.0.0/8"
+
+ # sssd ipa client setup -- do not use on ipa servers
+sssd::domains:
+ "%{lookup('easy_ipa::domain')}":
+ cache_credentials: true
+ krb5_store_password_if_offline: true
+ ipa_domain: "%{lookup('easy_ipa::domain')}"
+ id_provider: "ipa"
+ auth_provider: "ipa"
+ access_provider: "ipa"
+ ldap_tls_cacert: "/etc/ipa/ca.crt"
+ ipa_hostname: "%{facts.fqdn}"
+ chpass_provider: "ipa"
+ ipa_server:
+ - "_srv_"
+ - "%{lookup('easy_ipa::ipa_master_fqdn')}"
+ dns_discovery_domain: "%{lookup('easy_ipa::domain')}"
+sssd::services:
+ nss:
+ homedir_substring: "/home"
+ sudo: {}
+ pam: {}
+ ssh: {}
+sssd::package_name:
+ - "sssd"
+ - "sssd-tools" # not installed by default
diff --git a/hieradata/org/lsst/role/ipamaster.yaml b/hieradata/org/lsst/role/ipamaster.yaml
index 23381ab49a..182b6759d5 100644
--- a/hieradata/org/lsst/role/ipamaster.yaml
+++ b/hieradata/org/lsst/role/ipamaster.yaml
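Review bot: `cache_credentials: true` and `krb5_store_password_if_offline: true` in the new `sssd::domains` entry make every client keep user credentials locally (hashed credentials in the sssd cache, and the password in the kernel keyring while the domain is offline), and nothing in the hunk records why that is wanted org-wide. Add a comment above the pair, e.g. `# offline logins: keep cached credentials so hosts survive loss of IPA connectivity`, so the setting is neither silently dropped nor copied to hosts that should not cache. The domain is keyed by `"%{lookup('easy_ipa::domain')}"`, while the site-level overrides added in this commit (cp.yaml, dev.yaml, ls.yaml) key the same domain as the literal `"lsst.cloud"`; with the `deep` merge added at the -27 hunk those only combine if the lookup resolves to exactly that string, otherwise the node ends up with a second domain that has no `id_provider`, which sssd is likely to reject. Either key this entry as `"lsst.cloud"` as well or state the required equality in the comment.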
@@ -3,6 +3,7 @@ classes:
 - "profile::core::common"
 - "easy_ipa"
+profile::core::common::manage_sssd: false
 profile::icinga::agent::host_template: "IpaTemplate"
 easy_ipa::ipa_role: "master"
 easy_ipa::install_ipa_server: true
@@ -13,3 +14,8 @@ easy_ipa::webui_force_https: true
 easy_ipa::configure_dns_server: false
 easy_ipa::ipa_server_fqdn: "%{facts.fqdn}"
 easy_ipa::ip_address: "%{facts.networking.ip}"
+
+# enable easy_ipa management of sssd packages on servers
+easy_ipa::install_sssd: true
+easy_ipa::install_sssdtools: true
+easy_ipa::sssdtools: true
diff --git a/hieradata/org/lsst/role/ipareplica.yaml b/hieradata/org/lsst/role/ipareplica.yaml
index a651c61d9d..8f00e2613e 100644
--- a/hieradata/org/lsst/role/ipareplica.yaml
+++ b/hieradata/org/lsst/role/ipareplica.yaml
@@ -3,6 +3,7 @@ classes:
 - "profile::core::common"
 - "easy_ipa"
+profile::core::common::manage_sssd: false
 profile::icinga::agent::host_template: "IpaTemplate"
 easy_ipa::ipa_role: "replica"
 easy_ipa::configure_replica_ca: true
@@ -14,3 +15,8 @@ easy_ipa::webui_force_https: true
 easy_ipa::configure_dns_server: false
 easy_ipa::ipa_server_fqdn: "%{facts.fqdn}"
 easy_ipa::ip_address: "%{facts.networking.ip}"
+
+# enable easy_ipa management of sssd packages on servers
+easy_ipa::install_sssd: true
+easy_ipa::install_sssdtools: true
+easy_ipa::sssdtools: true
diff --git a/hieradata/site/cp.yaml b/hieradata/site/cp.yaml
index c5aee2a30d..a4b5cdba8b 100644
--- a/hieradata/site/cp.yaml
+++ b/hieradata/site/cp.yaml
@@ -1,5 +1,11 @@
 ---
 easy_ipa::ipa_master_fqdn: "ipa1.cp.lsst.org"
+# sssd ipa client setup -- do not use on ipa servers
+sssd::domains:
+ "lsst.cloud":
+ ipa_server:
+ - "_srv_"
+ - "%{lookup('easy_ipa::ipa_master_fqdn')}"
 rsyslog::config::actions:
 #Send copy to logs to GKE Graylog instance
diff --git a/hieradata/site/dev.yaml b/hieradata/site/dev.yaml
index c302320515..b27e7d4002 100644
--- a/hieradata/site/dev.yaml
+++ b/hieradata/site/dev.yaml
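Review bot: `easy_ipa::sssdtools: true` in the ipamaster.yaml -13 hunk sits next to `easy_ipa::install_sssdtools: true` and reads as a leftover rather than a second parameter; if the `easy_ipa` class has no `sssdtools` parameter, Hiera never looks that key up and the line is dead data that a reader will still take as meaningful. Either drop the line or, if the parameter does exist, extend the comment to say what it controls beyond `install_sssdtools`. The same pair is added in the ipareplica.yaml hunk below.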
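Review bot: the `ipa_server` list added to cp.yaml holds the same two values the org-level `sssd::domains` already sets (`"_srv_"` and `"%{lookup('easy_ipa::ipa_master_fqdn')}"`), and because that lookup already resolves to this site's `easy_ipa::ipa_master_fqdn` on the line above, the site entry appears to add nothing after the deep merge; this is inferred from the visible data, so if the override is intended to change something, the comment should say what. If it is not needed, removing the six added lines keeps the per-site files to the one value that actually differs. The dev.yaml and ls.yaml hunks repeat the same block.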
@@ -1,6 +1,12 @@
 ---
 easy_ipa::ipa_master_fqdn: "ipa1.dev.lsst.org"
-#
+# sssd ipa client setup -- do not use on ipa servers
+sssd::domains:
+ "lsst.cloud":
+ ipa_server:
+ - "_srv_"
+ - "%{lookup('easy_ipa::ipa_master_fqdn')}"
+
 rsyslog::config::actions:
 #Send copy to logs to Ruka Cluster
 graylogCloud:
diff --git a/hieradata/site/ls.yaml b/hieradata/site/ls.yaml
index ebedc73ee4..909bb06c0d 100644
--- a/hieradata/site/ls.yaml
+++ b/hieradata/site/ls.yaml
@@ -1,6 +1,12 @@
 ---
 easy_ipa::ipa_master_fqdn: "ipa1.ls.lsst.org"
-#
+# sssd ipa client setup -- do not use on ipa servers
+sssd::domains:
+ "lsst.cloud":
+ ipa_server:
+ - "_srv_"
+ - "%{lookup('easy_ipa::ipa_master_fqdn')}"
+
 rsyslog::config::actions:
 #Send copy to logs to GKE Graylog instance
 graylogCloud:
diff --git a/site/profile/manifests/core/common.pp b/site/profile/manifests/core/common.pp
index 5f6b970c77..18d8dfb4a0 100644
--- a/site/profile/manifests/core/common.pp
+++ b/site/profile/manifests/core/common.pp
@@ -16,6 +16,7 @@
 Boolean $deploy_icinga_agent = false,
 Boolean $manage_puppet_agent = true,
 Boolean $manage_chrony = true,
+ Boolean $manage_sssd = true,
 ){
 include accounts
 include augeas
@@ -49,4 +50,10 @@
 if $manage_chrony {
 include chrony
 }
+
+ if $manage_sssd {
+ include sssd
+ # run ipa-install-* script before trying to managing sssd.conf
+ Class[easy_ipa] -> Class[sssd]
+ }
 }
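Review bot: `Class[easy_ipa] -> Class[sssd]` in the common.pp -49 hunk declares an ordering against a class this block never includes, so any node that keeps the new default `manage_sssd = true` but does not classify `easy_ipa` fails catalog compilation with a missing-resource error instead of a clear message; since the hunk's own comment says sssd.conf must only be managed after the ipa install has run, that requirement should be explicit, either by guaranteeing `easy_ipa` is always classified together with this profile or by documenting that `manage_sssd` requires it. The comment also has a typo: `# run ipa-install-* script before trying to manage sssd.conf`. The `Boolean $manage_sssd = true` parameter added at the -16 hunk has no description; if the class header (outside the hunk) documents its parameters, add an entry such as `@param manage_sssd include the sssd class and order it after easy_ipa; set false on ipa servers`.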