Realmd and SSSD Active Directory Authentication

Introduction to SSSD and Realmd

Starting with Red Hat Enterprise Linux 7 and CentOS 7, SSSD (the ‘System Security Services Daemon’) and realmd were introduced. SSSD’s main function is to access a remote identity and authentication resource through a common framework that provides caching and offline support to the system. SSSD provides PAM and NSS integration and a database to store local users, as well as core and extended user data retrieved from a central server.

The main reason to transition from Winbind to SSSD is that SSSD can be used for both direct and indirect integration and allows switching from one integration approach to another without significant migration costs. The most convenient way to configure SSSD or Winbind to directly integrate a Linux system with AD is the realmd service, because it allows callers to configure network authentication and domain membership in a standard way. The realmd service automatically discovers information about accessible domains and realms and does not require advanced configuration to join a domain or realm.

The realmd system provides a clear and simple way to discover and join identity domains. It does not connect to the domain itself but configures underlying Linux system services, such as SSSD or Winbind, to connect to the domain.

Realmd Pam SSSD

Please read through this Windows integration guide from Red Hat if you want more information. This extensive guide contains a lot of useful information about more complex situations.

Realmd / SSSD Use Cases

How to join an Active Directory domain?

  1. First, install the required packages:
  2. Configure ntp to prevent time sync issues:
  3. Join the server to the domain:
  4. Also add the default domain suffix to the sssd configuration file:

    Add the following beneath [sssd]

  5. Finally move the computer object to an organizational unit in Active Directory.

How to leave an Active Directory domain?

I saw multiple times that although the computer object was created in Active Directory, it was still not possible to log in with an AD account. The solution each time was to remove the server from the domain and then simply add it back.

How to permit only one Active Directory group to logon

It can be very useful to allow only one Active Directory group to log on, for example a group of Linux system administrators.

How to give sudo permissions to an Active Directory group
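The two previous sections together, as an added example that is not the original post’s code: restrict realm logins to one AD group with realm permit -g (the command a commenter below lands on), then give that same group sudo through a drop-in file. Group and domain are placeholder values. The drop-in is written through a temporary file and checked with visudo before it is renamed into place, and the group is looked up through NSS first, because sudo only matches a %group rule when SSSD actually returns that group for the user.

```shell
#!/bin/sh
# Added example: allow one AD group to log on and give that same group sudo rights.
# AD_DOMAIN and AD_GROUP are placeholders (assumed values), not from the post.
set -eu

AD_DOMAIN="${AD_DOMAIN:-example.com}"
AD_GROUP="${AD_GROUP:-linux-admins}"

# sudo only matches a %group rule when NSS returns that group for the user, so check
# that SSSD resolves the group before relying on it anywhere.
group_resolves() {
    getent group "$1@$2" > /dev/null
}

# Login restriction: deny everyone, then permit the one group (realm writes this into
# sssd.conf as access_provider = simple with simple_allow_groups).
permit_only_group() {
    realm deny --all
    realm permit -g "$1@$2"
    realm list                     # login-policy should now read allow-permitted-logins
}

# The sudoers rule the post uses, printed rather than installed so it can be inspected.
sudoers_entry() {
    printf '%%%s@%s ALL=(ALL) ALL\n' "$1" "$2"
}

# Install the rule as a drop-in. The temporary file keeps a dot in its name, which makes
# sudo skip it, so a half-written file is never live; visudo -c checks the syntax before
# the rename, because a broken sudoers file locks everyone out of sudo.
install_sudoers_dropin() {
    group="$1"; domain="$2"; target="${3:-/etc/sudoers.d/ad-$group}"
    tmp="$target.tmp"
    sudoers_entry "$group" "$domain" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" = 0 ] && command -v visudo > /dev/null 2>&1; then
        visudo -c -f "$tmp"
    fi
    mv "$tmp" "$target"
}

main() {
    if ! group_resolves "$AD_GROUP" "$AD_DOMAIN"; then
        echo "$AD_GROUP@$AD_DOMAIN is not resolvable through SSSD; fix that before restricting logins" >&2
        exit 1
    fi
    permit_only_group "$AD_GROUP" "$AD_DOMAIN"
    install_sudoers_dropin "$AD_GROUP" "$AD_DOMAIN"
}

# Only apply to the running system when asked; otherwise this just defines the functions.
if [ "${APPLY:-0}" = "1" ]; then main; fi
```

Apply with `APPLY=1 AD_GROUP=yourgroup AD_DOMAIN=yourdomain.example sh permit.sh`. If group_resolves fails, the user would also fail the login restriction, so that is the thing to fix first (check /var/log/secure and the cache, as described further down).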



Example sssd.conf Configuration

The following is an example sssd.conf configuration file. I’ve seen it happen once that access_provider had somehow been set to ad. I haven’t had the chance to experiment with that setting, as simple has worked almost every time so far.

As Sean suggests in the comments, it’s not a good idea to set krb5_store_password_if_offline to True, since the passwords are then stored in the keyring in plaintext. Alternatively, “cache_credentials = Yes” stores passwords in the database as SHA512 hashes, which may be more appropriate if this functionality is needed.
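An added example of such a file, not the post’s own sssd.conf: render_sssd_conf writes a configuration in the layout realm join produces, with the settings discussed above (access_provider = simple, cache_credentials on, krb5_store_password_if_offline off), and audit_sssd_conf checks an existing file for the plaintext-password setting, for a missing or unsafe file mode, and reports which access_provider is in effect. The domain and the allowed group are placeholder values.

```shell
#!/bin/sh
# Added example: an sssd.conf in the layout realm join writes, with the settings this post
# recommends, plus an audit for the weak settings it warns about. Domain and group are placeholders.
set -eu

render_sssd_conf() {
    domain="$1"
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')   # Kerberos realm is the domain in upper case
    cat <<EOF
[sssd]
domains = $domain
config_file_version = 2
services = nss, pam
default_domain_suffix = $domain

[domain/$domain]
ad_domain = $domain
krb5_realm = $realm
realmd_tags = manages-system joined-with-adcli
id_provider = ad
# Offline logins: keep cached credentials (stored hashed in the SSSD cache) ...
cache_credentials = True
# ... but never keep the plaintext password in the keyring.
krb5_store_password_if_offline = False
use_fully_qualified_names = True
ldap_id_mapping = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
# Access control done by SSSD itself; linux-admins is a placeholder group name.
access_provider = simple
simple_allow_groups = linux-admins@$domain
EOF
}

# Returns 0 when the file carries none of the weak settings, 1 otherwise; findings go to stdout.
audit_sssd_conf() {
    conf="$1"; rc=0
    if grep -Eiq '^[[:space:]]*krb5_store_password_if_offline[[:space:]]*=[[:space:]]*(true|yes)' "$conf"; then
        echo "WEAK: krb5_store_password_if_offline enabled; plaintext passwords kept in the keyring"
        rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*cache_credentials[[:space:]]*=[[:space:]]*(true|yes)' "$conf"; then
        echo "NOTE: cache_credentials not enabled; no offline logins when the DCs are unreachable"
    fi
    # sssd.conf must be 0600: sssd refuses to start otherwise, and it may hold secrets.
    mode=$(ls -l "$conf" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "WEAK: $conf has mode $mode, expected -rw------- (0600)"
        rc=1
    fi
    # Which provider decides who may log in; sssd's own default is permit (everyone).
    ap=$(sed -n 's/^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    echo "access_provider: ${ap:-<unset, sssd defaults to permit: every AD user may log in>}"
    return $rc
}

# Print the example for the placeholder domain when run directly.
render_sssd_conf "${AD_DOMAIN:-example.com}"
```

To check a live system, run `audit_sssd_conf /etc/sssd/sssd.conf` as root; anything reported as WEAK is worth fixing before the next sssd restart.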


Required security permissions in AD

A few months ago we had a problem where some users were no longer able to authenticate. After an extended search we discovered the cause was a hardening change to the permissions on some OUs in our AD. My colleague Jenne and I found that the Linux server computer objects need minimal permissions on the OU which contains the users that want to authenticate on your Linux servers. After testing almost all obvious permissions, we came to the conclusion that the computer objects need “Read remote access information”!


How to debug SSSD and realmd?

The logfile containing information about successful and failed login attempts is /var/log/secure. It holds messages related to authentication and authorization; sshd, for example, logs everything there, including unsuccessful logins. Be sure to check that logfile if you experience problems logging in with an Active Directory user.

How to clear the SSSD cache?

As suggested by AP in the comments, you can manage your cache with the sss_cache command. It can be used to clear the cache and update all records:

The sss_cache command can also clear all cached entries for a particular domain:

If the administrator knows that a specific record (user, group, or netgroup) has been updated, sss_cache can purge the records for that specific account and leave the rest of the cache intact:

Please refer to the official documentation for more information.

In case the above doesn’t help, you can also remove the cache ‘the hard way’:

Just wanted to add this command, which also helped me in one case somehow.
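An added example covering both the debugging section and the cache section, not code from the original post: pam_sss_summary counts the pam_sss outcomes in a /var/log/secure-style file, pam_sss_diagnose maps them to the causes that come up in the comments below (password accepted but access denied at the account stage, user unknown to pam_sss, plain authentication failures), and clear_sssd_cache wraps the sss_cache invocations plus the ‘hard way’. The log lines embedded in the script are constructed samples in the format of the lines quoted in the comments, not real data.

```shell
#!/bin/sh
# Added example: triage pam_sss entries from /var/log/secure and clear the SSSD cache.
# SAMPLE_SECURE holds constructed log lines (not real data) so the script runs offline.
set -eu

SAMPLE_SECURE=$(cat <<'EOF'
May  5 10:00:44 host1 sshd[10769]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice@example.com
May  5 10:00:44 host1 sshd[10769]: fatal: Access denied for user alice@example.com by PAM account configuration [preauth]
May  5 10:02:10 host1 sshd[10801]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.6 user=bob@example.com
May  5 10:02:10 host1 sshd[10801]: pam_sss(sshd:auth): received for user bob@example.com: 7 (Authentication failure)
May  5 10:03:30 host1 su: pam_sss(su:auth): received for user carol: 10 (User not known to the underlying authentication module)
EOF
)

# Count the pam_sss outcomes in the logfile given as $1; each class points at a different layer.
pam_sss_summary() {
    awk '
        /pam_sss\([^)]*:auth\): authentication success/              { ok++ }
        /pam_sss\([^)]*:auth\): authentication failure/              { fail++ }
        /Access denied for user .* by PAM account configuration/     { denied++ }
        /pam_sss\([^)]*\): received for user .*: 10 \(User not known/ { unknown++ }
        END {
            printf "auth_success=%d auth_failure=%d account_denied=%d unknown_user=%d\n",
                   ok, fail, denied, unknown
        }' "$1"
}

# One counter from the summary, e.g. pam_sss_count /var/log/secure account_denied
pam_sss_count() {
    pam_sss_summary "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Map the counters to the usual cause, following the cases discussed on this page.
pam_sss_diagnose() {
    if [ "$(pam_sss_count "$1" account_denied)" -gt 0 ]; then
        echo "password accepted but the account stage denied access: check realm permit / simple_allow_groups; slow group enumeration can trip this too (ignore_group_members = True)"
    fi
    if [ "$(pam_sss_count "$1" unknown_user)" -gt 0 ]; then
        echo "user not known to pam_sss: the NSS lookup fails; verify with 'id user@domain', then check the [domain/...] section and use_fully_qualified_names"
    fi
    if [ "$(pam_sss_count "$1" auth_failure)" -gt 0 ]; then
        echo "authentication failures: wrong password, clock skew against the DC, or a bad host keytab; sssd's own logs under /var/log/sssd/ have the detail once debug_level is set"
    fi
    return 0
}

# Cache maintenance as described in the post: sss_cache first, the hard way only if that does not help.
clear_sssd_cache() {
    case "${1:-all}" in
        all)    sss_cache -E ;;                 # invalidate every cached entry
        domain) sss_cache -d "$2" ;;            # all entries of one domain
        user)   sss_cache -u "$2" ;;            # one user record
        group)  sss_cache -g "$2" ;;            # one group record
        hard)   systemctl stop sssd
                rm -f /var/lib/sss/db/*         # also drops cached credentials: no offline logins until the next online login
                systemctl start sssd ;;
        *)      echo "usage: clear_sssd_cache all|domain NAME|user NAME|group NAME|hard" >&2; return 2 ;;
    esac
}

# Summarise the file in SECURE_LOG, or the embedded sample when none is given.
LOGFILE="${SECURE_LOG:-}"
if [ -z "$LOGFILE" ]; then
    LOGFILE=$(mktemp)
    printf '%s\n' "$SAMPLE_SECURE" > "$LOGFILE"
fi
pam_sss_summary "$LOGFILE"
pam_sss_diagnose "$LOGFILE"
```

On a real server run `SECURE_LOG=/var/log/secure sh triage.sh` as root; the “authentication success” followed by “Access denied … by PAM account configuration” pair is exactly the pattern from comment 12 below, and the diagnosis line for it names the two settings that resolved it there.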

Final Words

I hope this guide helps people towards a better Windows Linux integration. Let me know if you think there is a better way to do the above or if you have some useful information you think I should add to this guide.




  1. Hi,

    It’s a very helpful instruction. I was able to join or leave the domain with what you mentioned earlier. But I am experiencing some difficulties with the user identification. After joining the domain successfully, I was trying to use the command “id” to identify the domain users but failed. And of course, it won’t let me “ssh” into the system against the AD accounts. Please help!

    BTW, the Linux can ping / find DC and I have tried to disable the firewalld on the linux to ensure there is no blocking issue from the linux end. Thanks,

    # id domainuser@domain
    id: domainuser@domain: no such user

    1. Hey Gary,

      I’m not really sure how I can help you. What happens if you execute ‘realm list’? The procedure listed above worked for me many times. I suggest you open a post on the CentOS forums. Let me know how it worked out for you and if I need to add some stuff to my documentation!

      1. Hi, Willemdh

        Thanks for the quick reply. After joining the domain ( successfully, the output for realm will be as the follows. Even though, I still could not “id“…..

        [tigeruser@shell etc]# sudo realm list
        type: kerberos
        realm-name: MYDOMAIN.COM
        configured: kerberos-member
        server-software: active-directory
        client-software: sssd
        required-package: oddjob
        required-package: oddjob-mkhomedir
        required-package: sssd
        required-package: adcli
        required-package: samba-common
        login-policy: allow-realm-logins

    2. Gary,

      Are you sill experiencing this issue? Can you compare your sssd.conf with the one I added to the blog post as example?


  2. @Gary Chang
    I would check the /etc/krb5.conf
    Look for / make sure the following are in there.
    Restart sssd. If that doesn’t work, reboot.
    Also install kinit and try kinit username

    default_realm =

    DOMAIN.COM = {
    kdc =
    admin_server =

    Another thing is in your /etc/sssd/sssd.conf
    do you have use_fully_qualified_names set as True or False?

  3. Excellent write-up! Very helpful and even more importantly; concise.

    Small note:

    For adding an AD group to sudoers, instead of “%adgroup@domain ALL=(ALL) ALL”, one could also use “%domain\\adgroup ALL=(ALL) ALL”

  4. Has anyone gotten this to work on Ubuntu (more specifically 16.04)? I’m trying to figure out how to do the closest config between Centos 7 and Ubuntu 16.04 so I can standardize my instruction sets for other staff.

    1. I’m not using Ubuntu. Feel free to notify me with the necessary Ubuntu commands and I’ll see if I can add it to the blog post. Tx

  5. Hi,
    Very nice tutorial !
    I’m using CentOS7 and I noticed that even if
    ldap_id_mapping = True
    is set my uid/gid are not retrieved from AD
    I get numbers like 677272815 instead of the 10XXX I set on AD accounts.
    BTW do you know a way to automatically increment these ids ?
    Thank you again

    1. Chris,
      Microsoft has deprecated the Identity Management for UNIX extension to Active Directory, which used to be used to manage POSIX attributes in the AD for use by UNIX clients. SSSD now performs this role, mapping Windows user and group ids to UNIX. POSIX attributes will no longer be required in AD, and the automatic id mapping is not compatible with the old POSIX attributes, i.e., once you enable automatic id mapping, existing POSIX attributes are ignored. Group memberships may need to be fixed if POSIX group memberships don’t match the Windows group memberships (Windows group memberships will be used with id mapping). Additionally, all uid numbers will be changed when automatic id mapping is enabled on a host.

  6. This just plain does not work for me 🙂

    getent passwd is working and all users are listed, but, there is no way to make ‘ su – ‘ or ‘ssh mydomainuser@host’ work. Did you run in to this issue at all ?

  7. There appears to be a re-occurrence of an old bug in the most recent version of realmd that requires samba-common-tools to be installed as well as it appears that it is not installed with samba-common as a dependency. I used the posted process multiple times throughout 2016 but as of today it does not work on CentOS7 unless samba-common-tools is also installed.

    I referenced a bugzilla thread here for RedHat which I never encountered before on CentOS7;

    1. Zman, thanks for letting us know. I just checked and samba-common-tools seems to be installed on my systems, so never had this problem. I’ll add it to the post. Thanks.

  8. Great tuto!
    Is there a config example to limit access from “all” ad/ldap users to special usergroup and without sudo rights like normal domain user?

      1. The syntax I was looking for was
        realm permit -g activedirectorygroup@domain

        Thank you very much!

  9. I can’t install realms on centos7 it says no package available even though I have the latest spell release. which repo I need for realms ?

  10. Hello Willem,

    Great Tutorial! Really appreciate it .

    I have a question regarding the offline authentication that sssd supports. I have set the option cache_credentials to true in sssd.conf, but wanted to see if this option works in real time scenario where the remote identification server is offline or down. Kindly let me know your thoughts on how to test this feature.


  11. Nice tutorial!

    Seeking help to make it work with samba. Added samba install in yum command. I’m used to do config with winbind (though it is often a fight to make all working!), So i don’t know how to config smb.conf in respect of SSSD. I like the fact the SSSD can cache credentials, a very good thing when DCs are accessible through WAN.

    So for now, i can ssh to the CentOS 7.3.1611 server with AD user credentials. The user@domain directory is created under /home/ (oddjob-mkhomedir failed me many times on the past!!! Always a nightmare to config and a moving target!). So the problem now is to populate correctly /etc/samba/smb.conf and have ACL working right using AD creds.

    Somebody did it? Many thanks in advance!


    1. Just set up the samba client as usual and when you mount the cifs share to the linux server just make sure to specify the owner and group (as the uid and gid numbers instead of names) in the command or the fstab options at the time of mounting the folder.

      //windows_server/windows_share cifs rw,dir_mode=0775,file_mode=0775,credentials=/root/.cred_file,uid=XXXXX,gid=XXXXXXXXXXX 0 0

  12. Great tutorial, I have only a problem with allow one Active Directory group ( realm permit -g activedirectorygroup@domain) ; I can not login with ssh, /var/log/secure contains this error:

    May 5 10:00:44 ohpc1 sshd[10769]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=
    May 5 10:01:44 ohpc1 sshd[10769]: Failed password for from port 51438 ssh2
    May 5 10:01:44 ohpc1 sshd[10769]: fatal: Access denied for user by PAM account configuration [preauth]

    1. The problem is that groups enumeration is too slow, solved with ignore_group_members = True in sssd.conf.

  13. I joined properly to the domain. Login working with ad user, home directory auto created etc..:

    Now i wanted to limit who can use sudo.
    I tried your method and was not working:
    Domain: test.local
    Group: testgroup

    %testgroup@test.local ALL=(ALL) ALL
    %testgroup@test ALL=(ALL) ALL
    %test\\testgroup ALL=(ALL) ALL
    %domain\\testgroup ALL=(ALL) ALL

    Please NOTE!
    I also use ldap_id_mapping=False in sssd.conf
    (it means no auto ID mapping applied)

    I tried the sudo with one of the testgroup member but it was NOT working. 🙁

    testgroup has manual ID unix attribute also as the user has it.
    User is member of the testgroup also in the member tab and also in the unix attribute tab in the AD testgroup properties.

    However the client linux tells users is not allowed to use sudoers.

    What can be wrong?

    1. No idea, I can only say that %adgroup@domain ALL=(ALL) ALL works for giving sudo permissions to my adgroup for all the CentOS servers I joined to the domain over the last 3 years… Did you check /var/log/secure ? Did you try clearing the cache?

  14. Thanks for the instructions.
    How can we restrict user name to short name (user) instead of (user@domain ) ? I tried use_fully_qualified_names = False but then it would not start sssd service.

    Have you tried it?


    1. Hey Kamlesh,

      No I didn’t try it, as I had no need for it. Glad you like the instructions. If you ever find out how to do it, let me know how and I’ll add it to the instructions.



    2. Hello Kamlesh, I had the same issue.

      The detail event message stated that the directory was not found.
      I found out that the issue is solved by leaving out the statement:

      # default_domain_suffix = addomain
      # use_fully_qualified_names = True
      use_fully_qualified_names = False

      It worked in my case

  15. Do you know how to make JUST authentication work with CentOS 7? I’m trying to get some linux servers from one domain, to be able to authenticate to another, so I don’t want to join the domain. I was able to do this with CentOS 5 and 6, but I haven’t been able to get it to work with 7. Any thoughts?

      1. I simply want it to do an LDAP connection to active directory. I don’t want it to actually join the domain. I’m trying to allow a server on domain X to allow users on domain Y to logon. No DHCP, no DNS, no time, no anything except logon. realm join doesn’t allow joining to a different domain. I used to be able to do this with properly configured kerberos and sssd, but it no longer works with CentOS7.

  16. Hello all,
    I’ve configured samba and sssd and it works fine for existing users. But for new AD users, the home folder is not created. Indeed, I successfully log in with the new id using ssh and the homedir is automatically created… Because I don’t expect to explain to my new users to log onto a linux server with ssh before using their home share (…), I hope there’s a solution for this problem ??
    Please help ……. 😉
    (I use Centos7)

    1. Sorry lolo, but I’m not sure if there is a way to create the home folder without logging over ssh. Let us know if you find a way to do this.

  17. Hi,

    I am getting following error msg after joining domain.

    when checking through “systemctl status sssd” I see the below msg.

    Sep 15 20:19:56 [sssd[ldap_child[1666]: Client ‘HCL-CLN-IP32$@.CONTO.COM’ not found in Kerberos database
    Sep 15 20:21:24 [sssd[ldap_child[1685]: Failed to initialize credentials using keytab [default]: Client ‘HCL-CLN-IP32$@.CONTO.COM’ not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

    in log file
    (Fri Sep 15 20:23:43 2017) [[sssd[ldap_child[1717]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client ‘HCL-CLN-IP32$@CONTO.COM’ not found in Kerberos database

    Any idea what could be wrong.

  18. Hello. Can you tell more details about permissions in AD for OU? I am having issues that moving from default Computers OU Linux machine to another OU, users can’t login anymore. I hope that your suggestion for permissions might help but for which account i should set them?


  19. Hi! Trying my luck on this site….
    I have a Centos 7 successfully joined to my AD domain with realmd. However I am only able to login with domain users via ssh and am not able to login via the Gnome GUI (nor able to do a su to a domain user).
    In the /var/log/secure I get these errors:
    su: pam_sss(su:auth): received for user austle: 10 (User not known to the underlying authentication module)
    gdm-password: pam_sss(gdm-password:auth): received for user austle: 10 (User not known to the underlying authentication module)

    Any idea what could be wrong in this case?


    1. Hey Atlesb,

      Thanks for sharing your experience. As I have never ever used a Linux desktop distribution, I’m afraid I can’t help you out here. But maybe someone else succeeded in getting sssd to work with Gnome gui. If you ever find out, please let me know, then I add it to this blog post.



  20. Thank you for the nice explanation,
    I already have joined Debian to AD using the same method mentioned above, but I followed another article which led me to here.

    In /etc/sssd/sssd.conf,
    I can allow/deny AD users by:
    access_provider = simple
    simple_allow_groups = any group.

    but what I am trying to do is to control this from AD not from sssd.conf by setting the access_provider = ad

  21. I have an AD group with a space in the name and I can’t find the proper syntax to add the group to my access.conf file.

    Any ideas? The same syntax that works in the sudoers file doesn’t work in access.conf.
