Active Directory Domain Example

For SSSD to work with an Active Directory domain, both the Active Directory domain and the local system must be configured to communicate with one another.


The Microsoft Active Directory documentation has complete procedures for configuring the Active Directory domain.
  1. Using authconfig, set the Linux client to use Active Directory as its LDAP identity provider. For example:
    authconfig --enableldap --enableldapauth --ldapserver=ldap:// --enablekrb5 --krb5realm AD-REALM.EXAMPLE.COM --krb5kdc --krb5adminserver --update
    The authconfig command is described in Section 29.4, “Command Line Version”.
  2. Create the Active Directory Domain Services role.
  3. Add the Identity Management for UNIX service to the Active Directory Domain Services role. Use the Unix NIS domain as the domain name in the configuration.
  4. On the Active Directory server, create a new Computer object with the name of the Linux client.
    1. In the Administrative Tools menu, select the Active Directory Users and Computers application.
    2. Expand the Active Directory root object, such as
    3. Right-click Computers, select New, and then select the Computer item.
    4. Enter the name for the Linux client, such as rhel-server, and click OK.
    5. Expand the Computers object.
    6. Right-click the rhel-server object, and select Properties.
    7. In the UNIX Attributes, enter the name of the Linux NIS domain and the IP address of the Linux server.
      Click OK.
  5. From the command prompt on the Active Directory server, create a machine account, password, and UPN for the Linux host principal.
    C:\> setspn -A host/ rhel-server
    Registering ServicePrincipalNames for CN=rhel server,CN=Computers,DC=ad,DC=example,DC=com
    Updated object
    C:\> setspn -L rhel-server
    Registered ServicePrincipalNames for CN=rhel server,CN=Computers,DC=ad,DC=example,DC=com:
    C:\> ktpass /princ host/ /out rhel-server.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AD\rhel-server$ +rndPass
    Targeting domain controller:
    Using legacy password setting method
    Successfully mapped host/rhel 
    ... 8< ...
  6. Copy the keytab from the Active Directory server to the Linux client, and save it as /etc/krb5.keytab.
  7. On the Linux system, reset the permissions and owner for the keytab file.
    [root@rhel-server ~]# chown root:root /etc/krb5.keytab 
    [root@rhel-server ~]# chmod 0600 /etc/krb5.keytab
  8. Restore the SELinux file permissions for the keytab.
    [root@rhel-server ~]# restorecon /etc/krb5.keytab
  9. Verify that the host can connect to the Active Directory domain.
    [root@rhel-server ~]# kinit -k -t /etc/krb5.keytab host/
  10. On the Active Directory server, create a group for the Linux users.
    1. Create a new group named unixusers.
    2. Open the unixusers group and open the Unix Attributes tab.
    3. Configure the Unix settings:
      • The NIS domain
      • The UID
      • The login shell, to /bin/bash
      • The home directory, to /home/aduser
      • The primary group name, to unixusers
  11. Then, configure the SSSD domain on the Linux machine.

    Example 30.2. An Active Directory 2008 Domain

    [root@rhel-server ~]# vim /etc/sssd/sssd.conf
    [sssd]
    config_file_version = 2
    domains =
    services = nss, pam

    # DOMAIN_NAME is a placeholder: use the domain name listed in "domains" above.
    [domain/DOMAIN_NAME]
    cache_credentials = true
    enumerate = false
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    access_provider = ldap
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/
    ldap_schema = rfc2307bis
    ldap_user_search_base = ou=user accounts,dc=ad,dc=example,dc=com
    ldap_user_object_class = user
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_principal = userPrincipalName
    ldap_user_name = sAMAccountName
    ldap_group_search_base = ou=groups,dc=ad,dc=example,dc=com
    ldap_group_object_class = group
    ldap_access_order = expire
    ldap_account_expire_policy = ad
    ldap_force_upper_case_realm = true
    ldap_disable_referrals = true
    #krb5_server =
    krb5_realm = AD-REALM.EXAMPLE.COM
    These options are described in the man page for LDAP domain configuration, sssd-ldap(5).
  12. Restart SSSD.
    [root@rhel-server ~]# service sssd restart