As a stepping stone in migration a CentOS Linux system from local user management to Active Directory(AD) integration, I setup Kerberos authentication to the AD but retaining local identity information.

DNS resolution issues with these machines was one of the key reasons they were deployed in the fallback position of local accounts as they simply could not resolve the AD machines. This is the start of the process of unpicking that.

Once the DNS issues were resolved, configuring the rest was very easy with SSSD.

Firstly, I configured the main sssd section. As there is only one of these, I put it in /etc/sssd/sssd.conf:

services = nss, pam
domains = AD.MY.DOMAIN.TLD

Then, I created the domain/<domain> section, which I put in its own file in /etc/sssd/conf.d. e.g. /etc/sssd/conf.d/AD.MY.DOMAIN.TLD.conf:

id_provider = files  # System-local identity
auth_provider = krb5
krb5_realm = AD.MY.DOMAIN.TLD

I then restarted the sssd daemon:

systemctl restart sssd

And finally, enabled sssd for authentication (i.e. stuffed the sssd modules into the pam stack):

authconfig --enablesssdauth --update

After this, I connected without using ssh keys, and used my AD password which let me straight in. This does rely on the system-local usernames matching the AD usernames.