diff --git a/roles/ipaclient/README.md b/roles/ipaclient/README.md
index 9f3e733a07c48252dde1af105f3b4108c1ef62b4..5a8fff838885d5c49704d8b0fa1e0d43fefbfea7 100644
--- a/roles/ipaclient/README.md
+++ b/roles/ipaclient/README.md
@@ -183,6 +183,7 @@ Variable | Description | Required
 `ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. `ipaclient_no_ssh` defaults to `no`. | no
 `ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. `ipaclient_no_sshd` defaults to `no`. | no
 `ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. `ipaclient_no_sudo` defaults to `no`. | no
+`ipaclient_subid` | The bool value defines if SSSD will be configured as a data source for subid. `ipaclient_subid` defaults to `no`. | no
 `ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. `ipaclient_no_dns_sshfp` defaults to `no`. | no
 `ipaclient_force` | The bool value defines if settings will be forced even in the error case. `ipaclient_force` defaults to `no`. | no
 `ipaclient_force_ntpd` | The bool value defines if ntpd usage will be forced. This is not supported anymore and leads to a warning. `ipaclient_force_ntpd` defaults to `no`. | no
diff --git a/roles/ipaclient/defaults/main.yml b/roles/ipaclient/defaults/main.yml
index 3b13d11b3395b8ec121bd0622a56b1819ed38775..b6e912f22cbf01fe20ecb235f8ff1d5704985993 100644
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -13,6 +13,7 @@ ipaclient_ssh_trust_dns: no
 ipaclient_no_ssh: no
 ipaclient_no_sshd: no
 ipaclient_no_sudo: no
+ipaclient_subid: no
 ipaclient_no_dns_sshfp: no
 ipaclient_force: no
 ipaclient_force_ntpd: no
diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py
index 3dc0dccb12f2aa7e2938651e377dda1359e62161..a14305835da62c51d861accdb8ef1459157a81f0 100644
--- a/roles/ipaclient/library/ipaclient_setup_nss.py
+++ b/roles/ipaclient/library/ipaclient_setup_nss.py
@@ -125,6 +125,10 @@ options:
     description: Do not configure SSSD as data source for sudo
     type: bool
     required: no
+  subid:
+    description: Configure SSSD as data source for subid
+    type: bool
+    required: no
   fixed_primary:
     description: Configure sssd to use fixed server as primary IPA server
     type: bool
@@ -208,6 +212,7 @@ def main():
             no_ssh=dict(required=False, type='bool'),
             no_sshd=dict(required=False, type='bool'),
             no_sudo=dict(required=False, type='bool'),
+            subid=dict(required=False, type='bool'),
             fixed_primary=dict(required=False, type='bool'),
             permit=dict(required=False, type='bool'),
             no_krb5_offline_passwords=dict(required=False, type='bool'),
@@ -251,6 +256,7 @@ def main():
     options.conf_sshd = not options.no_sshd
     options.no_sudo = module.params.get('no_sudo')
     options.conf_sudo = not options.no_sudo
+    options.subid = module.params.get('subid')
     options.primary = module.params.get('fixed_primary')
     options.permit = module.params.get('permit')
     options.no_krb5_offline_passwords = module.params.get(
@@ -430,19 +436,17 @@ def main():
             # Modify nsswitch/pam stack
             # pylint: disable=deprecated-method
             argspec = getargspec(tasks.modify_nsswitch_pam_stack)
+            the_options = {
+                "sssd": options.sssd,
+                "mkhomedir": options.mkhomedir,
+                "statestore": statestore,
+            }
             if "sudo" in argspec.args:
-                tasks.modify_nsswitch_pam_stack(
-                    sssd=options.sssd,
-                    mkhomedir=options.mkhomedir,
-                    statestore=statestore,
-                    sudo=options.conf_sudo
-                )
-            else:
-                tasks.modify_nsswitch_pam_stack(
-                    sssd=options.sssd,
-                    mkhomedir=options.mkhomedir,
-                    statestore=statestore
-                )
+                the_options["sudo"] = options.conf_sudo
+            if "subid" in argspec.args:
+                the_options["subid"] = options.subid
+
+            tasks.modify_nsswitch_pam_stack(**the_options)
 
             if hasattr(paths, "AUTHSELECT") and paths.AUTHSELECT is not None:
                 # authselect is used
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index fa33f89a6c0b4c1d109664ac1c34702ee2d6ef93..e76842fc29c05acbf7daf551600acb6a678dbfc2 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -378,6 +378,7 @@
         no_ssh: "{{ ipaclient_no_ssh }}"
         no_sshd: "{{ ipaclient_no_sshd }}"
         no_sudo: "{{ ipaclient_no_sudo }}"
+        subid: "{{ ipaclient_subid }}"
         fixed_primary: "{{ ipassd_fixed_primary
                            | default(ipasssd_fixed_primary) }}"
         permit: "{{ ipassd_permit | default(ipasssd_permit) }}"
diff --git a/roles/ipareplica/README.md b/roles/ipareplica/README.md
index a32ddb158474b8bbbd5acd476540537384d7ee94..8d70b45b4f6d31d2e862238e586b632a8c2db76f 100644
--- a/roles/ipareplica/README.md
+++ b/roles/ipareplica/README.md
@@ -200,6 +200,7 @@ Variable | Description | Required
 `ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. (bool, default: false) | no
 `ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. (bool, default: false) | no
 `ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. (bool, default: false) | no
+`ipaclient_subid` | The bool value defines if SSSD will be configured as a data source for subid. (bool, default: false) | no
 `ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. (bool, default: false) | no
 
 Certificate system Variables
diff --git a/roles/ipaserver/README.md b/roles/ipaserver/README.md
index a9254ec533215278ad14fe406ca60c6b133f6a99..18317fb9f0bbaf3357724c0fbeecc1ae4242b009 100644
--- a/roles/ipaserver/README.md
+++ b/roles/ipaserver/README.md
@@ -252,6 +252,7 @@ Variable | Description | Required
 `ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. `ipaclient_no_ssh` defaults to `no`. | no
 `ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. `ipaclient_no_sshd` defaults to `no`. | no
 `ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. `ipaclient_no_sudo` defaults to `no`. | no
+`ipaclient_subid` | The bool value defines if SSSD will be configured as a data source for subid. `ipaclient_subid` defaults to `no`. | no
 `ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. `ipaclient_no_dns_sshfp` defaults to `no`. | no
 
 Certificate system Variables