Example configuration files for libkrb5 and sssd for authentication with Active Directory

krb5.conf

# This is an example of krb5.conf for authentication with Active Directory
# Tested on libkrb5-3 1.15-1+deb9u1

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true

# Values for next three parameters should be used from Default Domain Policy GPO
# Default Domain Policy \ Computer Configuration \ Policies \ Windows Settings \ ...
# ... \ Security Settings Account Policies \ Kerberos Policy
# Maximum lifetime for user ticket
ticket_lifetime = 10h
# Maximum lifetime for user ticket renewal
renew_lifetime = 7d
# Maximum tolerance for computer clock synchronization
clockskew = 300

[realms]
EXAMPLE.COM = {
    admin_server = dc01.example.com
    kdc = dc01.example.com
    kdc = dc02.example.com
    kdc = dc03.example.com
    kdc = dc04.example.com
    kdc = dc05.example.com
}

sssd.conf

# This is an example of sssd.conf for authentication with Active Directory
# Tested on sssd 1.15.0-3

[sssd]
debug_level = 0
domains = example.com
config_file_version = 2
services = nss, pam, sudo

[nss]
debug_level = 0

[pam]
debug_level = 0
pam_id_timeout = 60

[domain/walletone.local]
debug_level = 0
ad_domain = example.com
ad_server = dc01.example.com, dc02.example.com, _srv_
# ad_backup_server = dc03.example.com, dc04.example.com, dc05.example.com
ad_hostname = hostname.example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
fallback_homedir = /home/%d/%u
sudo_provider = none
use_fully_qualified_names = False
cache_credentials = True
krb5_auth_timeout = 60
ldap_opt_timeout = 60
access_provider = simple
simple_allow_groups = domain users@example.com