How to authenticate local users through SSSD by mapping a local user to the Kerberos principal of a particular centralised user?

Solution Verified

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

  • We want to authenticate local user accounts through SSSD as well, since we would like SSSD to handle authentication for all users because of its additional features, such as credential caching. How can this be achieved?

Resolution

  • Configure the sections of your sssd.conf with the options explained below:

[sssd]
 domains = example.com
 config_file_version = 2
 services = nss,pam

[domain/example.com]
 id_provider = proxy
 proxy_lib_name = files
 auth_provider = krb5
 krb5_server = kdc.example.com
 krb5_realm = EXAMPLE.COM
 krb5_map_user = abhinay:reddy
 krb5_store_password_if_offline = True
 cache_credentials = True

  • With this configuration, identities are read from the legacy UNIX files by proxying nss_files through SSSD's proxy provider. Authentication is performed by the krb5 provider, with the KDC set to kdc.example.com and the Kerberos realm set to EXAMPLE.COM.

  • If the Kerberos provider is Active Directory, point krb5_server at the AD domain controller hostname and krb5_realm at the AD realm:

krb5_server = <AD hostname>
krb5_realm = <AD realm>

  • The krb5_map_user parameter takes the form username:primary; in this case it maps the UNIX user abhinay to the Kerberos principal reddy@EXAMPLE.COM.
  • As a result, the local user abhinay can authenticate through SSSD with the credentials of the AD user reddy.
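As an added example, not part of this solution or of SSSD itself, the following Python script parses an sssd.conf of the shape shown above, resolves each krb5_map_user pair to the principal the local user will authenticate as, and reports configuration problems: a domain listed in [sssd] without a matching section, a proxy provider without proxy_lib_name, a krb5 provider missing krb5_server or krb5_realm, a lower-case realm, and a malformed mapping pair. The comma-separated username:primary syntax of krb5_map_user is taken from sssd.conf(5). The embedded sample configuration is constructed (its second mapping, backup:svc_backup, is invented), and the final check, which flags a krb5_realm that matches a domain the same file joins with id_provider = ad, is a heuristic assumption aimed at the configuration the Root Cause section advises against.

```python
"""Sanity-check an sssd.conf that maps local UNIX users to Kerberos principals.

Added example, not code from SSSD or from the original article. Option names
and the comma-separated 'username:primary' syntax of krb5_map_user follow
sssd.conf(5). SAMPLE_SSSD_CONF is constructed (backup:svc_backup is invented);
the AD-realm check at the end is a heuristic assumption, not an SSSD rule.
"""
import configparser
import io

SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
config_file_version = 2
services = nss,pam

[domain/example.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM
krb5_map_user = abhinay:reddy, backup:svc_backup
krb5_store_password_if_offline = True
cache_credentials = True
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; keep option names as written and do not interpolate '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def parse_map_user(value):
    """Split a krb5_map_user value into {username: primary}; reject malformed pairs."""
    mapping = {}
    for pair in value.split(","):
        pair = pair.strip()
        if not pair:
            continue
        user, sep, primary = pair.partition(":")
        user, primary = user.strip(), primary.strip()
        if not sep or not user or not primary or ":" in primary:
            raise ValueError("krb5_map_user entry %r is not of the form username:primary" % pair)
        mapping[user] = primary
    return mapping


def principals_for_domain(cp, section):
    """Return {local_user: principal} for one [domain/...] section."""
    realm = cp.get(section, "krb5_realm")
    pairs = parse_map_user(cp.get(section, "krb5_map_user", fallback=""))
    return {user: "%s@%s" % (primary, realm) for user, primary in pairs.items()}


def check_config(text):
    """Return a list of problems found; an empty list means the file looks sane."""
    cp = parse_sssd_conf(text)
    problems = []
    active = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]

    # Upper-cased realms of every AD-joined domain in the file, for the heuristic below.
    ad_realms = set()
    for sect in cp.sections():
        if sect.startswith("domain/") and cp.get(sect, "id_provider", fallback="") == "ad":
            ad_realms.add(cp.get(sect, "ad_domain", fallback=sect[len("domain/"):]).upper())

    for dom in active:
        sect = "domain/" + dom
        if not cp.has_section(sect):
            problems.append("%s is listed in [sssd] domains but [%s] is missing" % (dom, sect))
            continue
        id_provider = cp.get(sect, "id_provider", fallback="")
        if id_provider == "proxy" and not cp.has_option(sect, "proxy_lib_name"):
            problems.append("[%s] uses id_provider = proxy but sets no proxy_lib_name" % sect)
        # auth_provider defaults to id_provider when unset (sssd.conf(5)).
        if cp.get(sect, "auth_provider", fallback=id_provider) != "krb5":
            continue
        for opt in ("krb5_server", "krb5_realm"):
            if not cp.has_option(sect, opt):
                problems.append("[%s] uses auth_provider = krb5 but sets no %s" % (sect, opt))
        realm = cp.get(sect, "krb5_realm", fallback="")
        if realm != realm.upper():
            problems.append("[%s] krb5_realm %r is not upper-case; realm names are case-sensitive" % (sect, realm))
        if not cp.has_option(sect, "krb5_map_user"):
            continue
        try:
            parse_map_user(cp.get(sect, "krb5_map_user"))
        except ValueError as exc:
            problems.append("[%s] %s" % (sect, exc))
        if realm.upper() in ad_realms:
            problems.append("[%s] maps local users into realm %s, which this file also joins with "
                            "id_provider = ad; the article advises against that" % (sect, realm))
    return problems


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for user, principal in principals_for_domain(conf, "domain/example.com").items():
        print("local user %-8s -> %s" % (user, principal))
    print("problems:", check_config(SAMPLE_SSSD_CONF) or "none")
```

To check a real system, replace SAMPLE_SSSD_CONF with the contents of /etc/sssd/sssd.conf (the file is root-readable only, so run as root) and review the reported problems before restarting sssd; the mapping printout is the quickest way to confirm which AD or Kerberos account each local user will actually be authenticated against.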

  • Also modify the auth section of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as shown below so that authentication works as expected:

auth     required  pam_env.so
auth     [default=2 success=ok] pam_localuser.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     [success=done ignore=ignore default=die] pam_sss.so use_first_pass
auth     requisite pam_succeed_if.so uid >= 1000 quiet_success
auth     sufficient pam_sss.so forward_pass
auth     required pam_deny.so

Root Cause

  • SSSD 1.12.5 and later include a feature that allows a local UNIX user to be mapped to a particular Kerberos principal. The setup requires only a fairly simple sssd.conf. With this mapping, the local user authenticates with the credentials of whichever AD or Kerberos user it is mapped to.

  • Please note that it is not recommended to configure local user authentication through SSSD against the same AD domain to which the system is already joined using SSSD.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.