diff --git a/ad-auth/tasks/sssd.yml b/ad-auth/tasks/sssd.yml
index 5135af4c39e12e9758153a2532b30846e75f434c..b570aee14d73ddbae4dafe1d1f3fa2290372fcef 100644
--- a/ad-auth/tasks/sssd.yml
+++ b/ad-auth/tasks/sssd.yml
@@ -100,6 +100,15 @@
   tags:
     - sssd
 
+# taken out of Debian's post install hooks
+- name: ensure sssd is configured in nsswitch.conf
+  shell: "sed -i --regexp-extended '/^(passwd|group|shadow|netgroup|services):/ {
+  /\\bsss\\b/! s/$/ sss/  } ' /etc/nsswitch.conf"
+  args:
+    warn: false
+  tags:
+    - sssd
+
 - name: ensure sssd is enabled and running
   service:
     name: sssd