Linux and Active Directory with SSSD

Posted on February 16 2022 under linux, windows, and security

  1. Install necessary packages:
    • sudo dnf install oddjob oddjob-mkhomedir krb5-workstation samba-common-tools samba-libs
  2. Join the domain:
    • sudo realm join --user=<username> <domain>
  3. Edit /etc/sssd/sssd.conf as shown, specifically:
    • access_provider = simple
    • simple_allow_groups = <group>[, <group>]
    • ldap_group_nesting_level = 5
    • use_fully_qualified_names = False
    • fallback_homedir = /home/%u
  4. Restart SSSD: systemctl restart sssd
  5. Run sudo visudo and add the following line for each group that should have sudo access:
    • %<group> ALL=(ALL) NOPASSWD: ALL
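The five steps above, carried out by one script. This is an added example, not the post's own script: it assumes it is run as root on a dnf-based host (the post's commands use sudo instead), that AD_DOMAIN, AD_USER, ALLOW_GROUPS and SUDO_GROUPS are placeholders you override through the environment, and that the sudoers drop-in path /etc/sudoers.d/ad-groups is this example's choice rather than anything the post prescribes. The helper names (set_ini_option, get_ini_option, render_sudoers_line, write_sudoers_dropin, apply_all) are hypothetical. It goes a little beyond the post in that the INI editor edits only the named section and leaves other sections untouched, and the sudoers file is checked with visudo before it is installed.

```shell
#!/bin/sh
# Added example (not the post's own script): performs steps 1-5 above.
# Assumptions: run as root on a dnf-based system; AD_DOMAIN, AD_USER,
# ALLOW_GROUPS and SUDO_GROUPS are placeholders overridden via the
# environment; /etc/sudoers.d/ad-groups is this example's own choice.
set -eu

AD_DOMAIN="${AD_DOMAIN:-int.example.com}"
AD_USER="${AD_USER:-admin}"
ALLOW_GROUPS="${ALLOW_GROUPS:-RBAC-Linux-Admin, RBAC-Linux-User}"  # simple_allow_groups value
SUDO_GROUPS="${SUDO_GROUPS:-RBAC-Linux-Admin}"                     # space-separated group names
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# set_ini_option FILE SECTION KEY VALUE
# Sets KEY = VALUE inside [SECTION] only: an existing line is replaced,
# otherwise one is appended at the end of that section; other sections are
# not touched. The file is rewritten via `cat >` so mode and owner survive.
set_ini_option() {
  file=$1; section=$2; key=$3; value=$4
  tmp=$(mktemp)
  awk -v sec="[$section]" -v key="$key" -v val="$value" '
    function flush() { while (pending > 0) { print ""; pending-- } }
    /^\[/ {                                   # a section header
      if (insec && !done) { print key " = " val; done = 1 }
      flush(); insec = ($0 == sec); print; next
    }
    insec && /^[ \t]*$/ { pending++; next }   # hold blank lines in the target section
    insec && !done && match($0, "^[ \t]*" key "[ \t]*=") {
      flush(); print key " = " val; done = 1; next
    }
    { flush(); print }
    END {
      if (!done) {
        if (!insec) { print ""; print sec }   # target section missing: create it
        print key " = " val
      }
      flush()
    }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_ini_option FILE SECTION KEY -> prints the value (nothing if unset)
get_ini_option() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { insec = ($0 == sec); next }
    insec && match($0, "^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }
  ' "$1"
}

# The sudoers line from step 5 for one AD group.
render_sudoers_line() {
  printf '%%%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# write_sudoers_dropin DEST GROUP...
# Builds the file in a temp location and has visudo check it before it is
# installed: a syntax error in a live sudoers file locks everyone out of sudo.
write_sudoers_dropin() {
  dest=$1; shift
  tmp=$(mktemp)
  for g in "$@"; do render_sudoers_line "$g"; done > "$tmp"
  visudo -cf "$tmp" >/dev/null
  install -m 0440 -o root -g root "$tmp" "$dest"
  rm -f "$tmp"
}

apply_all() {
  dnf install -y oddjob oddjob-mkhomedir krb5-workstation samba-common-tools samba-libs
  realm join --user="$AD_USER" "$AD_DOMAIN"        # writes the initial sssd.conf
  sec="domain/$AD_DOMAIN"
  set_ini_option "$SSSD_CONF" "$sec" access_provider simple
  set_ini_option "$SSSD_CONF" "$sec" simple_allow_groups "$ALLOW_GROUPS"
  set_ini_option "$SSSD_CONF" "$sec" ldap_group_nesting_level 5
  set_ini_option "$SSSD_CONF" "$sec" use_fully_qualified_names False
  set_ini_option "$SSSD_CONF" "$sec" fallback_homedir /home/%u
  chown root:root "$SSSD_CONF"; chmod 0600 "$SSSD_CONF"   # sssd rejects a config others can read
  systemctl restart sssd
  # shellcheck disable=SC2086  # word splitting of SUDO_GROUPS is intended
  write_sudoers_dropin /etc/sudoers.d/ad-groups $SUDO_GROUPS
}

if [ "${1:-}" = "--apply" ]; then apply_all; fi
```

Run it as `sh join-ad.sh --apply` (as root, with AD_USER and AD_DOMAIN exported); without `--apply` it only defines the functions, so it can be sourced to edit sssd.conf by hand with set_ini_option and inspect the result with get_ini_option.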

If you wish to set a user’s home directory and/or shell, they can be set in Active Directory Users and Computers if you enable Advanced view and look at the user’s Attribute Editor tab.

sssd.conf

[sssd]
domains = int.example.com
config_file_version = 2
services = nss, pam

[domain/int.example.com]
ad_domain = int.example.com
krb5_realm = INT.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ad
auth_provider = ad
access_provider = simple
ldap_group_nesting_level = 5
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash
simple_allow_groups = RBAC-Linux-Admin, RBAC-Linux-User