sssd-ad 5 File Formats and Conventions sssd-ad the configuration file for SSSD This manual page describes the configuration of the AD provider for sssd 8 . For a detailed syntax reference, refer to the FILE FORMAT section of the sssd.conf 5 manual page. The AD provider is a back end used to connect to an Active Directory server. This provider requires that the machine be joined to the AD domain and a keytab is available. The AD provider supports connecting to Active Directory 2008 R2 or later. Earlier versions may work, but are unsupported. The AD provider accepts the same options used by the sssd-ldap 5 identity provider and the sssd-krb5 5 authentication provider with some exceptions described below. However, it is neither necessary nor recommended to set these options. The AD provider can also be used as an access and chpass provider. No configuration of the access provider is required on the client side. By default, the AD provider will map UID and GID values from the objectSID parameter in Active Directory. For details on this, see the ID MAPPING section below. If you want to disable ID mapping and instead rely on POSIX attributes defined in Active Directory, you should set ldap_id_mapping = False Refer to the section DOMAIN SECTIONS of the sssd.conf 5 manual page for details on the configuration of an SSSD domain. ad_domain (string) Specifies the name of the Active Directory domain. This is optional. If not provided, the configuration domain name is used. For proper operation, this option should be specified as the lower-case version of the long version of the Active Directory domain. ad_server, ad_backup_server (string) The comma-separated list of IP addresses or hostnames of the AD servers to which SSSD should connect in order of preference. For more information on failover and server redundancy, see the FAILOVER section. This is optional if autodiscovery is enabled. For more information on service discovery, refer to the SERVICE DISCOVERY section. ad_hostname (string) Optional. May be set on machines where the hostname(5) does not reflect the fully qualified name used in the Active Directory domain to identify this host. This field is used to determine the host principal in use in the keytab. It must match the hostname for which the keytab was issued. override_homedir (string) Override the user's home directory. You can either provide an absolute value or a template. In the template, the following sequences are substituted: %u login name %U UID number %d domain name %f fully qualified user name (user@domain) %% a literal '%' This option can also be set per-domain. example: override_homedir = /home/%u Default: Not set (SSSD will use the value retrieved from LDAP) fallback_homedir (string) Set a default template for a user's home directory if one is not specified explicitly by the domain's data provider. The available values for this option are the same as for override_homedir. example: fallback_homedir = /home/%u Default: not set (no substitution for unset home directories) default_shell The default shell to use if the provider does not return one during lookup. This option supersedes any other shell options if it takes effect. Default: not set (Return NULL if no shell is specified and rely on libc to substitute something sensible when necessary, usually /bin/sh) The following example assumes that SSSD is correctly configured and example.com is one of the domains in the [sssd] section. This example shows only the AD provider-specific options. [domain/EXAMPLE] id_provider = ad auth_provider = ad access_provider = ad chpass_provider = ad ad_server = dc1.example.com ad_hostname = client.example.com ad_domain = example.com The AD access control provider checks if the account is expired. It has the same effect as the following configuration of the LDAP provider: access_provider = ldap ldap_access_order = expire ldap_account_expire_policy = ad