Last active
August 19, 2022 06:06
-
-
Save skokhanovskiy/45766c1a23439eee815508feb8c5661c to your computer and use it in GitHub Desktop.
Example configuration files for libkrb5 and sssd for authentication with Active Directory
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is an example of krb5.conf for authentication with Active Directory | |
| # Tested on libkrb5-3 1.15-1+deb9u1 | |
| [libdefaults] | |
| default_realm = EXAMPLE.COM | |
| dns_lookup_realm = true | |
| dns_lookup_kdc = true | |
| forwardable = true | |
| # Values for next three parameters should be used from Default Domain Policy GPO | |
| # Default Domain Policy \ Computer Configuration \ Policies \ Windows Settings \ ... | |
| # ... \ Security Settings Account Policies \ Kerberos Policy | |
| # Maximum lifetime for user ticket | |
| ticket_lifetime = 10h | |
| # Maximum lifetime for user ticket renewal | |
| renew_lifetime = 7d | |
| # Maximum tolerance for computer clock synchronization | |
| clockskew = 300 | |
| [realms] | |
| EXAMPLE.COM = { | |
| admin_server = dc01.example.com | |
| kdc = dc01.example.com | |
| kdc = dc02.example.com | |
| kdc = dc03.example.com | |
| kdc = dc04.example.com | |
| kdc = dc05.example.com | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is an example of sssd.conf for authentication with Active Directory | |
| # Tested on sssd 1.15.0-3 | |
| [sssd] | |
| debug_level = 0 | |
| domains = example.com | |
| config_file_version = 2 | |
| services = nss, pam, sudo | |
| [nss] | |
| debug_level = 0 | |
| [pam] | |
| debug_level = 0 | |
| pam_id_timeout = 60 | |
| [domain/example.com] | |
| debug_level = 0 | |
| ad_domain = example.com | |
| ad_server = dc01.example.com, dc02.example.com, _srv_ | |
| # ad_backup_server = dc03.example.com, dc04.example.com, dc05.example.com | |
| ad_hostname = hostname.example.com | |
| krb5_realm = EXAMPLE.COM | |
| realmd_tags = manages-system joined-with-adcli | |
| id_provider = ad | |
| krb5_store_password_if_offline = True | |
| default_shell = /bin/bash | |
| ldap_id_mapping = True | |
| fallback_homedir = /home/%d/%u | |
| sudo_provider = none | |
| use_fully_qualified_names = False | |
| cache_credentials = True | |
| krb5_auth_timeout = 60 | |
| ldap_opt_timeout = 60 | |
| access_provider = simple | |
| simple_allow_groups = domain users@example.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment