Steps needed to set up AD authentication with PAM and SSSD for students.

# install required stuff
apt install sssd adcli

# join the domain; should have permission to create computers
# NOTE(review): adcli's -U option takes the login account as its argument, and
# no account name is visible here, so it appears to have been lost from this
# page. Supply the joining account after -U.
# Prefer an account that is delegated only the right to create computer
# objects in the target OU over a domain administrator, so the credential
# typed on this machine has limited value if the machine is compromised.
adcli join -v -U -D fri1.uni-lj.si

Basic ''/etc/krb5.conf'', not sure if really needed.

[libdefaults]
# realm assumed when a principal is given without one
default_realm = FRI1.UNI-LJ.SI
kdc_timesync = 1
ccache_type = 4
# Tickets are requested as forwardable and proxiable by default.
# NOTE(review): a forwardable TGT can be delegated to other hosts, for example
# through SSH GSSAPI delegation. On shared student machines, confirm this is
# actually needed before keeping it.
forwardable = true
proxiable = true

A ''/etc/sssd/sssd.conf'' that works. Could probably be optimized further.

# Keep this file owned by root and readable only by root (mode 0600). SSSD
# checks ownership and permissions at start-up and refuses looser settings.
[sssd]
config_file_version = 2
# only the NSS and PAM responders are started
services = nss, pam
domains = fri1.uni-lj.si
# Login names typed without a domain are qualified with this suffix.
default_domain_suffix = student.uni-lj.si

[nss]
default_shell = /bin/bash
# %u expands to the login name
override_homedir = /home/%u

[domain/fri1.uni-lj.si]
id_provider = ad
# NOTE(review): no ad_access_filter is set, so access appears to be decided
# only by AD account state and, depending on the SSSD version, GPO logon
# rights. If only some students should be able to log in here, restrict it
# with ad_access_filter, or with access_provider = simple together with
# simple_allow_groups.
access_provider = ad
# sudo rules are not fetched from the directory
sudo_provider = none
# only this domain is enabled for lookups
ad_enabled_domains = student.uni-lj.si
# Stores a salted hash of each user's password in the local SSSD cache so that
# logins work while the domain is unreachable. Consider bounding this with
# offline_credentials_expiration in a [pam] section.
cache_credentials = true
# While offline, the password is kept in the kernel keyring so a TGT can be
# requested once the KDC is reachable again. The sssd-krb5 man page notes that
# it is held in plaintext there and is potentially accessible to root.
krb5_store_password_if_offline = true
# limit to @student.uni-lj.si
# NOTE(review): the "base" scope matches only the named entry itself, so this
# presumably returns no users from the joined domain and leaves only the
# accounts from ad_enabled_domains. Confirm this against the intended effect.
ldap_user_search_base = OU=FRI,DC=student,DC=uni-lj,DC=si?base?
# strip domain part from users/groups
# %1$s is the bare user name. With the domain removed, names are unique only
# as long as a single domain is enabled.
full_name_format = %1$s