Here's what I did to get user accounts to authenticate against Active Directory.
The RHEL guide for this is at: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ch-Configuring_Authentication.html
Here are the definitions of the names I use below:
example.com - Active Directory domain-name
EXAMPLE.COM - realm-name
server.example.com - Linux computer you're joining to the Active Directory domain
1. Install realmd (probably already installed) ... if not, yum install realmd
2. realm discover example.com
# realm discover example.com
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U
login-policy: allow-realm-logins
3. Get the exact realm-name from the command above
4. realm join <realm-name> -U <domain admin>
realm join EXAMPLE.COM -U domainadmin
5. Reboot the Linux box
6. Log in to the Linux box ... as root at this point
7. Look back at step 2. In login-formats, %U is specified ... that means just the userid needs to be entered when logging into Linux instead of DOMAIN\userid ... step 8 shows how to do that.
8. To log in as just the userid instead of DOMAIN\userid
vi /etc/sssd/sssd.conf
use_fully_qualified_names = False
systemctl restart sssd
9. realm discover example.com ... make sure login-formats = %U
# realm discover example.com
example.com
type: kerberos
realm-name: EXAMPLE.COM
domain-name: example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U
login-policy: allow-realm-logins
10. id <active directory login> (this is an active directory user ... NOT linux) ... you should get back the Active Directory information on the user
11. Make the users you want sudo capable
vi /etc/group
wheel:x:10:aduser1,aduser2,aduser3
12. Now the annoying part ... you MUST specify who's allowed to login via the AD userid
To allow ALL users: realm permit --all
To allow a specific user: realm permit user@example.com
13. Reboot
14. Log in via console or ssh with your AD user
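A scripted version of the checks in steps 8 and 9, as an added example that is not part of the original write-up: it parses `realm discover` output and the contents of sssd.conf and fails if the join state, login-formats or use_fully_qualified_names differ from what the steps expect. The function names (realm_field, sssd_option, check_join) and the sssd.conf fragment are assumptions made for illustration; the realm output is the sample from the steps above.

```shell
#!/usr/bin/env bash
# Added example: post-join checks for steps 8 and 9. Sample data below is constructed.

# realm_field KEY: print the value of each "KEY: value" line in realm output on stdin.
realm_field() {
    awk -v k="$1" '{ sub(/^[ \t]+/, "") }
        index($0, k ": ") == 1 { print substr($0, length(k) + 3) }'
}

# sssd_option KEY: print the last "KEY = value" setting in sssd.conf text on stdin.
sssd_option() {
    awk -F= -v k="$1" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { if (v != "") print v }'
}

# check_join REALM_OUTPUT SSSD_CONF: return 0 when both match what the steps expect.
check_join() {
    local realm_out="$1" sssd_conf="$2" rc=0 fqn policy
    [ "$(printf '%s\n' "$realm_out" | realm_field configured)" = "kerberos-member" ] ||
        { echo "FAIL: configured is not kerberos-member (host not joined)"; rc=1; }
    [ "$(printf '%s\n' "$realm_out" | realm_field login-formats)" = "%U" ] ||
        { echo "FAIL: login-formats is not %U"; rc=1; }
    fqn=$(printf '%s\n' "$sssd_conf" | sssd_option use_fully_qualified_names)
    case "$fqn" in
        [Ff]alse) ;;
        *) echo "FAIL: use_fully_qualified_names is '${fqn:-unset}', expected False"; rc=1 ;;
    esac
    policy=$(printf '%s\n' "$realm_out" | realm_field login-policy)
    echo "INFO: login-policy is ${policy:-unknown}"   # reported only, not a pass/fail check
    return "$rc"
}

# Constructed sample input: realm output as shown in step 9, plus a minimal sssd.conf.
SAMPLE_REALM='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  login-formats: %U
  login-policy: allow-realm-logins'
SAMPLE_SSSD='[domain/example.com]
# constructed fragment for this example
use_fully_qualified_names = False'

check_join "$SAMPLE_REALM" "$SAMPLE_SSSD" && echo "OK: join matches steps 8 and 9"
```

On a joined host, run it as root (sssd.conf is normally readable only by root) with `check_join "$(realm discover example.com)" "$(cat /etc/sssd/sssd.conf)"`.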