sssd.conf example: identity and access from Active Directory over LDAP using a dedicated bind account, authentication and password changes via Kerberos. No Samba and no domain join (machine keytab) required.
[sssd]
config_file_version = 2
# Only the nss and pam responders are started; no sudo/ssh/autofs responders are exposed.
services = nss, pam
# The single domain served; must match the [domain/...] section header below.
domains = test.local
# Keep the monitor quiet; the domain section carries its own verbosity.
debug_level = 0
# Attempts to reconnect to a restarted data provider before giving up (sssd's default is 3).
reconnection_retries = 3
[nss]
# Keep the local superuser local: never answer lookups for "root" (user or group)
# from the directory, so a directory object named root cannot shadow /etc/passwd.
filter_users = root
filter_groups = root
# Attempts to reconnect to a restarted data provider before giving up (sssd's default is 3).
reconnection_retries = 3
[pam]
# Attempts to reconnect to a restarted data provider before giving up (sssd's default is 3).
reconnection_retries = 3
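[domain/test.local]
# Identity and access come from AD over LDAP using a dedicated bind account;
# authentication and password changes go through Kerberos. The native `ad`
# provider is not used because it needs a host keytab, i.e. a domain join.
# 6 is verbose; lower it once the setup works, and treat the resulting logs as
# sensitive (they carry DNs, principals and server details).
debug_level = 6
# Unless you know you need referrals, turn them off: AD returns them for other
# naming contexts, chasing them is slow and it can redirect the client to a server
# you did not choose.
ldap_referrals = false
# Allows logins while the directory is unreachable. sssd then keeps a hash of each
# user's password in /var/lib/sss/db; set to false on hosts where that is unacceptable.
cache_credentials = true
# Never enumerate the whole directory.
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
# Uncomment if DNS SRV discovery is not working. NOTE(review): a ".local" domain
# is also the mDNS domain, so hosts running avahi/nss-mdns may fail to resolve it
# via DNS at all — confirm on the target hosts.
#ldap_uri = ldap://host.test.local
# Encrypt the LDAP session before the simple bind below. Without StartTLS (or an
# ldaps:// URI) the bind password crosses the network in the clear, and recent AD
# hardening rejects unsigned simple binds anyway.
ldap_id_use_start_tls = true
# Fail the connection if the server certificate cannot be verified.
ldap_tls_reqcert = demand
# Point this at the CA that issued the domain controllers' certificates if it is
# not already in the system bundle.
#ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt
# Uncomment to bind with the host's Kerberos keytab instead of the bind DN/password
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = nfs/client.ad.example.com@AD.EXAMPLE.COM
# Bind account, used only when anonymous binds are not allowed and no keytab is
# available. Use a dedicated, unprivileged, read-only account; never a personal
# or administrative one.
ldap_default_bind_dn = CN=Bind User,CN=Users,DC=test,DC=local
# The password lives in this file: keep sssd.conf owned by root with mode 0600
# (sssd refuses to start otherwise). `sss_obfuscate` with
# ldap_default_authtok_type = obfuscated_password hides it from casual reading,
# but that is obfuscation, not encryption — file permissions remain the control.
ldap_default_authtok_type = password
ldap_default_authtok = ***********
# Derive POSIX uid/gid from the AD objectSID instead of requiring uidNumber/gidNumber.
ldap_id_mapping = true
ldap_schema = AD
ldap_user_search_base = CN=Users,DC=test,DC=local
ldap_user_object_class = user
override_homedir = /home/%d/%u
default_shell = /bin/bash
# Attribute holding the user's Kerberos principal (UPN).
ldap_user_principal = userPrincipalName
# Groups presumably fall back to the domain-wide search base; narrow these only if
# you know where the group objects live.
#ldap_group_search_base = CN=Users,DC=test,DC=local
#ldap_group_object_class = group
# Deny disabled and expired AD accounts. With access_provider = ldap this is the
# ONLY access check: every AD user who resolves may log in to this host. To
# restrict to a group, use e.g.
#   ldap_access_order = filter, expire
#   ldap_access_filter = memberOf=CN=linux-users,CN=Users,DC=test,DC=local
ldap_access_order = expire
ldap_account_expire_policy = ad
# AD may deliver the realm part of the UPN in lower case, which breaks Kerberos;
# force it upper case.
ldap_force_upper_case_realm = true
# Uncomment if DNS discovery of your AD servers isn't working (see ldap_uri above).
#krb5_server = server.ad.example.com
krb5_realm = TEST.LOCAL
# Let the KDC resolve UPNs whose suffix differs from the realm name.
krb5_use_enterprise_principal = true
# Do not request principal canonicalization. The original note says this was
# required with sssd 1.8.x and newer — verify against the sssd version in use.
krb5_canonicalize = false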