Example configuration files for libkrb5 and sssd for authentication with Active Directory
| # This is an example of krb5.conf for authentication with Active Directory | |
| # Tested on libkrb5-3 1.15-1+deb9u1 | |
| [libdefaults] | |
| default_realm = EXAMPLE.COM | |
| dns_lookup_realm = true | |
| dns_lookup_kdc = true | |
| forwardable = true | |
| # Values for next three parameters should be used from Default Domain Policy GPO | |
| # Default Domain Policy \ Computer Configuration \ Policies \ Windows Settings \ ... | |
| # ... \ Security Settings Account Policies \ Kerberos Policy | |
| # Maximum lifetime for user ticket | |
| ticket_lifetime = 10h | |
| # Maximum lifetime for user ticket renewal | |
| renew_lifetime = 7d | |
| # Maximum tolerance for computer clock synchronization | |
| clockskew = 300 | |
| [realms] | |
| EXAMPLE.COM = { | |
| admin_server = dc01.example.com | |
| kdc = dc01.example.com | |
| kdc = dc02.example.com | |
| kdc = dc03.example.com | |
| kdc = dc04.example.com | |
| kdc = dc05.example.com | |
| } |
| # This is an example of sssd.conf for authentication with Active Directory | |
| # Tested on sssd 1.15.0-3 | |
| [sssd] | |
| debug_level = 0 | |
| domains = example.com | |
| config_file_version = 2 | |
| services = nss, pam, sudo | |
| [nss] | |
| debug_level = 0 | |
| [pam] | |
| debug_level = 0 | |
| pam_id_timeout = 60 | |
| [domain/example.com] | |
| debug_level = 0 | |
| ad_domain = example.com | |
| ad_server = dc01.example.com, dc02.example.com, _srv_ | |
| # ad_backup_server = dc03.example.com, dc04.example.com, dc05.example.com | |
| ad_hostname = hostname.example.com | |
| krb5_realm = EXAMPLE.COM | |
| realmd_tags = manages-system joined-with-adcli | |
| id_provider = ad | |
| krb5_store_password_if_offline = True | |
| default_shell = /bin/bash | |
| ldap_id_mapping = True | |
| fallback_homedir = /home/%d/%u | |
| sudo_provider = none | |
| use_fully_qualified_names = False | |
| cache_credentials = True | |
| krb5_auth_timeout = 60 | |
| ldap_opt_timeout = 60 | |
| access_provider = simple | |
| simple_allow_groups = domain users@example.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment