Chapter 7. Configuring a RHEL host to use AD as an authentication provider

As a system administrator, you can use Active Directory (AD) as the authentication provider for a Red Hat Enterprise Linux (RHEL) host without joining the host to AD.

This can be done if, for example:

  • You do not want to grant AD administrators control over enabling and disabling the host.
  • The host, which can be a corporate PC, is only meant to be used by one user in your company.

Implement this procedure only in the rare cases where this approach is preferred.

Consider fully joining the system to AD or Red Hat Identity Management (IdM) instead. Joining the RHEL host to a domain makes the setup easier to manage. If you are concerned about client access licences related to joining clients into AD directly, consider leveraging an IdM server that is in a trust agreement with AD. For more information about an IdM-AD trust, see Planning a cross-forest trust between IdM and AD and Installing a trust between IdM and AD.

This procedure enables the user AD_user to log in to the rhel_host system with the password stored in the Active Directory (AD) user database of the AD domain. In this example, the EXAMPLE.COM Kerberos realm corresponds to that AD domain.

Prerequisites
  • You have root access to rhel_host.
  • The AD_user user account exists in the domain.
  • The Kerberos realm is EXAMPLE.COM.
  • rhel_host has not been joined to AD using the realm join command.

Procedure
  1. Create the AD_user user account locally without assigning a password to it:

    # useradd AD_user
  2. Open the /etc/nsswitch.conf file for editing, and make sure that it contains the following lines:

    passwd:     sss files systemd
    group:      sss files systemd
    shadow:     files sss
  3. Open the /etc/krb5.conf file for editing, and make sure that it contains the following sections and items. Replace the <AD_server_hostname> and <AD_domain> placeholders with the host name of your AD domain controller and the DNS name of your AD domain:

    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    includedir /etc/krb5.conf.d/

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
        spake_preauth_groups = edwards25519
        default_realm = EXAMPLE.COM
        default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
     EXAMPLE.COM = {
         kdc = <AD_server_hostname>
         admin_server = <AD_server_hostname>
     }

    [domain_realm]
     .<AD_domain> = EXAMPLE.COM
     <AD_domain> = EXAMPLE.COM
  4. Create the /etc/sssd/sssd.conf file and insert the following sections and lines into it. Replace the <AD_server_hostname> placeholder with the host name of your AD domain controller:

    [sssd]
        services = nss, pam
        domains = EXAMPLE.COM

    [domain/EXAMPLE.COM]
        id_provider = files
        auth_provider = krb5
        krb5_realm = EXAMPLE.COM
        krb5_server = <AD_server_hostname>
  5. Change the permissions on the /etc/sssd/sssd.conf file:

    # chmod 600 /etc/sssd/sssd.conf
  6. Start the System Security Services Daemon (SSSD):

    # systemctl start sssd
  7. Enable SSSD:

    # systemctl enable sssd
  8. Open the /etc/pam.d/system-auth file, and modify it so that it contains the following sections and lines (these are the module lines of the standard authselect sssd profile):

    # Generated by authselect on Wed May  8 08:55:04 2019
    # Do not modify this file manually.
    auth        required                                     pam_env.so
    auth        required                                     pam_faildelay.so delay=2000000
    auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
    auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
    auth        sufficient                                   pam_unix.so nullok try_first_pass
    auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient                                   pam_sss.so forward_pass
    auth        required                                     pam_deny.so
    account     required                                     pam_unix.so
    account     sufficient                                   pam_localuser.so
    account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required                                     pam_permit.so
    password    requisite                                    pam_pwquality.so try_first_pass local_users_only
    password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient                                   pam_sss.so use_authtok
    password    required                                     pam_deny.so
    session     optional                                     pam_keyinit.so revoke
    session     required                                     pam_limits.so
    -session    optional                                     pam_systemd.so
    session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
    session     required                                     pam_unix.so
    session     optional                                     pam_sss.so
  9. Copy the contents of the /etc/pam.d/system-auth file into the /etc/pam.d/password-auth file. Enter yes to confirm the overwriting of the current contents of the file:

    # cp /etc/pam.d/system-auth /etc/pam.d/password-auth
    cp: overwrite '/etc/pam.d/password-auth'? yes
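The procedure above relies on several details fitting together: nss looks up sss before files, sssd.conf is readable only by root and points auth at Kerberos, the PAM stack reaches pam_sss.so with forward_pass, password-auth mirrors system-auth, and the local AD_user account carries a locked password field so that pam_unix.so can never authenticate it with a local password. The following POSIX shell script, added here as an example and not part of the Red Hat documentation, checks each of those points. It takes a root directory argument so it can be run against copies of the files; the write_sample_root function writes constructed sample files (the host name ad.example.test is made up) so the checker can be tried without touching /etc.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs): sanity-check a host configured
# as described in this chapter. All paths are the standard RHEL locations,
# looked up under ROOT so the checks can also run against copied files.
# Usage: check_ad_auth_config [ROOT] [USER] [REALM]

CHECK_FAIL=0
note() { echo "FAIL: $*"; CHECK_FAIL=1; }

check_ad_auth_config() {
    root="${1:-/}"; user="${2:-AD_user}"; realm="${3:-EXAMPLE.COM}"
    CHECK_FAIL=0

    # 1. nsswitch.conf: passwd lookups must consult sss first.
    nss="$root/etc/nsswitch.conf"
    grep -Eq '^passwd:[[:space:]]+sss' "$nss" 2>/dev/null \
        || note "$nss: passwd line does not consult sss first"

    # 2. sssd.conf: mode 600, Kerberos auth, realm and a KDC to talk to.
    sssd="$root/etc/sssd/sssd.conf"
    if [ -f "$sssd" ]; then
        mode=$(stat -c '%a' "$sssd" 2>/dev/null || stat -f '%Lp' "$sssd")
        [ "$mode" = "600" ] || note "$sssd: mode is $mode, expected 600"
        grep -Eq '^[[:space:]]*auth_provider[[:space:]]*=[[:space:]]*krb5' "$sssd" \
            || note "$sssd: auth_provider is not krb5"
        grep -Eq "^[[:space:]]*krb5_realm[[:space:]]*=[[:space:]]*$realm" "$sssd" \
            || note "$sssd: krb5_realm is not $realm"
        grep -Eq '^[[:space:]]*krb5_server[[:space:]]*=[[:space:]]*[^[:space:]]' "$sssd" \
            || note "$sssd: krb5_server has no value"
    else
        note "$sssd: missing"
    fi

    # 3. krb5.conf: the default realm must be the AD realm.
    krb="$root/etc/krb5.conf"
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm" "$krb" 2>/dev/null \
        || note "$krb: default_realm is not $realm"

    # 4. PAM: pam_sss.so must be reachable with forward_pass, and
    #    password-auth must be the copy made in step 9.
    pam="$root/etc/pam.d/system-auth"
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_sss\.so.*forward_pass' "$pam" 2>/dev/null \
        || note "$pam: no 'auth sufficient pam_sss.so forward_pass' line"
    cmp -s "$pam" "$root/etc/pam.d/password-auth" \
        || note "password-auth differs from system-auth"

    # 5. /etc/shadow: the local account must have a locked password field.
    #    An empty field would let pam_unix.so (nullok) accept an empty password
    #    before pam_sss.so is ever consulted; a real hash would let a local
    #    password bypass AD entirely.
    shadow="$root/etc/shadow"
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow" 2>/dev/null || true)
    case "$hash" in
        '')      note "$shadow: $user missing or has an empty password field" ;;
        '!'*|'*') ;;   # locked, e.g. the "!!" that useradd leaves behind
        *)       note "$shadow: $user has a local password hash; AD can be bypassed" ;;
    esac

    return $CHECK_FAIL
}

# Constructed sample files mirroring the chapter's configuration, for trying
# the checker offline. Not real host files; ad.example.test is made up.
write_sample_root() {
    r="$1"
    mkdir -p "$r/etc/sssd" "$r/etc/pam.d"
    printf 'passwd:     sss files systemd\ngroup:      sss files systemd\nshadow:     files sss\n' \
        > "$r/etc/nsswitch.conf"
    printf '[sssd]\nservices = nss, pam\ndomains = EXAMPLE.COM\n\n[domain/EXAMPLE.COM]\nid_provider = files\nauth_provider = krb5\nkrb5_realm = EXAMPLE.COM\nkrb5_server = ad.example.test\n' \
        > "$r/etc/sssd/sssd.conf"
    chmod 600 "$r/etc/sssd/sssd.conf"
    printf '[libdefaults]\n    default_realm = EXAMPLE.COM\n' > "$r/etc/krb5.conf"
    printf 'auth        sufficient   pam_unix.so nullok try_first_pass\nauth        sufficient   pam_sss.so forward_pass\nauth        required     pam_deny.so\n' \
        > "$r/etc/pam.d/system-auth"
    cp "$r/etc/pam.d/system-auth" "$r/etc/pam.d/password-auth"
    # useradd without a password leaves "!!" in the password field
    printf 'AD_user:!!:18600:0:99999:7:::\n' > "$r/etc/shadow"
}
```

Run `check_ad_auth_config` with no arguments as root to check the live host, or `write_sample_root /tmp/x && check_ad_auth_config /tmp/x` to see it pass on the sample; each failed check prints one FAIL line and the function returns 1.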

Verification steps

  1. Request a Kerberos ticket-granting ticket (TGT) for AD_user. Enter the password of AD_user as requested:

    # kinit AD_user
    Password for AD_user@EXAMPLE.COM:
  2. Display the obtained TGT:

    # klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: AD_user@EXAMPLE.COM
    Valid starting     Expires            Service principal
    11/02/20 04:16:38  11/02/20 14:16:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    	renew until 18/02/20 04:16:34

AD_user has successfully logged in to rhel_host using the credentials from the EXAMPLE.COM Kerberos domain.