Troubles with sssd and Active Directory Integration

Solution 1:

Try the settings below; they work well in my environment.

Make changes to /etc/sssd/sssd.conf. Note that in the example below the bind password for the Administrator account (ldap_default_authtok) is stored in cleartext and ldap_id_use_start_tls is False, so the bind credentials are sent unencrypted to the ldap:// URI; keep the file root-owned with mode 0600 (sssd expects this) and, for production, prefer a dedicated low-privilege bind account and TLS.

[root@localhost ~]# cat /etc/sssd/sssd.conf  |grep -v ^# |grep -v ^$
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
ldap_default_authtok_type = password
ldap_id_use_start_tls = False
cache_credentials = True
ldap_group_object_class = group
ldap_search_base = dc=example,dc=com
chpass_provider = krb5
ldap_default_authtok = RedHat1!
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_user_gecos = displayName
debug_level = 0
ldap_uri = ldap://10.65.208.43/
krb5_realm = EXAMPLE.COM
krb5_kpasswd = 10.65.208.43
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = True
ldap_user_object_class = person
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_server = 10.65.208.43
  1. Run the authconfig-tui tool. Select LDAP under the "User Information" section and Kerberos under the "Authentication" section.
  2. On the LDAP Settings step, leave the "Use TLS" option unselected, and enter the AD server's fully qualified domain name and the base DN.
  3. On the Kerberos Settings page, enter the AD server's realm, and list the AD server's fully qualified domain name as the KDC and Admin Server.

This will restart the sssd daemon.

Verify:

[root@localhost ~]# id user1

Make sure Identity Management for UNIX (IDMU) is installed on your AD server and that the users have UNIX attributes set.