Step 1: Check name resolution

cat /etc/resolv.conf

There should be an entry resembling:

search domain.local


Step 2: Install Software


sudo apt-get install sssd realmd sssd-tools libnss-sss libpam-sss adcli packagekit

dnf -y install realmd adcli sssd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation authselect-compat

Step 3: Make sure the hosts entry lists files before dns


passwd: compat sss

group: compat sss

shadow: compat


netgroup: nis sss

sudoers: files sss

hosts: files dns mdns4_minimal [NOTFOUND=return]

Step 4: Join Domain

realm join --user=DomainAdmin

Step 5: Check the join settings

realm list

type: kerberos

realm-name: BIOPACK.BE


configured: kerberos-member

server-software: active-directory

client-software: sssd

required-package: oddjob

required-package: oddjob-mkhomedir

required-package: sssd

required-package: adcli

required-package: samba-common-tools


login-policy: allow-realm-logins

Step 6: Run id to make sure domain users resolve (the "no such user" output below means they do not yet; continue with Step 7)

id administrator

id: administrator: no such user



Step 7: Configure SSSD - edit the lines accordingly

vim /etc/sssd/sssd.conf

default_shell = /usr/bin/zsh

use_fully_qualified_names = False

fallback_homedir = /home/%d/%u

# add these new lines:

case_sensitive = False

enumerate = True

ldap_idmap_range_min = 9700000

ldap_idmap_range_max = 2009700000

ldap_idmap_range_size = 2000000000

ad_gpo_access_control = permissive

Stop the service: service sssd stop
Then delete the cache files from /var/lib/sss/db
and restart the service:
service sssd start
If you skip this, the service will most likely crash.

GPO access control can interfere with SSH and other services, so if you are not using it, disable it or set it to permissive mode. Note that permissive mode still evaluates the GPO logon policies but only logs the result instead of enforcing it, so any logon restriction defined in AD is not applied on this host. More here:

Step 8: Create home directories automatically


vim /etc/pam.d/common-session

Add to the bottom of the file:

session required pam_mkhomedir.so umask=0022 skel=/etc/skel


authselect select sssd with-mkhomedir

systemctl enable --now oddjobd.service

Step 9: Restrict which domain users can authenticate

Allow all domain users access

realm permit --all

Deny all domain users access

realm deny --all

Allow only the groups that should have access (run this after the deny --all above so that nothing outside those groups can log in)

realm permit -g "group name"@domainname

Grant access to specific users

realm permit user@domainname

Withdraw access from specific users

realm permit -x user@domainname

Step 10: Disable unneeded sockets

systemctl disable sssd-nss.socket

systemctl disable sssd-pam-prov.socket

systemctl disable sssd-pam.socket