Steps needed to set up AD authentication with PAM and SSSD for students.
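# Run as root. The page's original one-line form starts with '#', so a shell
# would treat the whole line, commands included, as a comment.

# install required stuff
apt install sssd adcli

# join the domain; <user> should have permission to create computers
# An account delegated only the right to create computer objects in the
# target OU is enough; a domain administrator account is not required.
# adcli prompts for the password, so it stays out of the shell history.
# The join writes the host keytab (by default /etc/krb5.keytab); that file
# holds the machine's long-term keys and should stay readable by root only.
adcli join -v -U <user> -D fri1.uni-lj.si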
A basic /etc/krb5.conf; not sure if it is really needed.
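# /etc/krb5.conf - Kerberos client defaults for the AD realm.
# One setting per line; the page's one-line form does not parse as written.

[libdefaults]
# Realm used when a principal is given without one (upper-case AD domain).
default_realm = FRI1.UNI-LJ.SI
# Correct for the offset between the local clock and the KDC's timestamps.
# Kerberos still depends on roughly synchronized clocks, so keep NTP running.
kdc_timesync = 1
# Credential cache format version.
ccache_type = 4
# Initial tickets are requested as forwardable and proxiable by default.
# A forwardable TGT can be passed on to other hosts the user logs in to;
# set these to false if onward Kerberos logins from this machine are not
# needed, so that a compromised host exposes less.
forwardable = true
proxiable = true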
An /etc/sssd/sssd.conf that works. It could probably be optimized further.
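# /etc/sssd/sssd.conf - SSSD configuration for AD logins via NSS and PAM.
# SSSD will not load this file unless its ownership and mode are restrictive
# (typically root:root, mode 0600).
# One setting per line: in the page's one-line form everything after the
# first '#' reads as a comment, which would drop the last two settings.

[sssd]
config_file_version = 2
services = nss, pam
domains = fri1.uni-lj.si
# Bare login names (no @domain) are looked up in this domain.
default_domain_suffix = student.uni-lj.si

[nss]
default_shell = /bin/bash
# %u expands to the login name.
override_homedir = /home/%u

[domain/fri1.uni-lj.si]
id_provider = ad
# The ad access provider rejects expired or disabled accounts; it does not by
# itself narrow which AD users may log in. Here that is done by the search
# base below. If a smaller set is intended, ad_access_filter can express it.
access_provider = ad
sudo_provider = none
ad_enabled_domains = student.uni-lj.si
# Keeps a hash of each user's password in the local cache so that logins work
# while the domain is unreachable. offline_credentials_expiration in a [pam]
# section can bound how long a cached login stays valid.
cache_credentials = true
# While offline, the password is held in the kernel keyring in plaintext so
# that a TGT can be requested once the domain is reachable again. Set to false
# if that exposure to root on this host is not acceptable.
krb5_store_password_if_offline = true
# limit to @student.uni-lj.si
# NOTE(review): syntax is search_base[?scope?[filter]]. Scope "base" normally
# matches only the named entry itself; confirm that users below OU=FRI still
# resolve, or use "subtree".
ldap_user_search_base = OU=FRI,DC=student,DC=uni-lj,DC=si?base?
# strip domain part from users/groups
# %1$s is the bare name, so identical names from different domains could no
# longer be told apart; only one domain is enabled above.
full_name_format = %1$s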