As a stepping stone in migrating a CentOS Linux system from local user management to Active Directory (AD) integration, I set up Kerberos authentication against the AD while retaining local identity information.
DNS resolution issues with these machines were one of the key reasons they were deployed in the fallback position of local accounts: they simply could not resolve the AD machines. This is the start of the process of unpicking that.
Once the DNS issues were resolved, configuring the rest was very easy with SSSD.
Firstly, I configured the main sssd section. As there is only one of these, I put it in

    [sssd]
    services = nss, pam
    domains = AD.MY.DOMAIN.TLD

Then, I created the domain/<domain> section, which I put in its own file in

    [domain/AD.MY.DOMAIN.TLD]
    id_provider = files        # System-local identity
    auth_provider = krb5
    krb5_realm = AD.MY.DOMAIN.TLD
I then restarted the sssd daemon:
systemctl restart sssd
And finally, enabled sssd for authentication (i.e. stuffed the sssd modules into the pam stack):
authconfig --enablesssdauth --update
After this, I connected without using ssh keys, and used my AD password which let me straight in. This does rely on the system-local usernames matching the AD usernames.
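To sanity-check this kind of split configuration before restarting sssd, here is an added example (not code from the original post) that parses an sssd.conf-style text, verifies that the pam service is enabled, that every listed domain has a section, that a krb5 auth_provider has an upper-case realm, and that the AD usernames you expect to log in with actually exist locally. The sample config and passwd lines are constructed to mirror the sections above.

```python
import configparser

# Constructed sample mirroring the two sections from the post (not the author's files).
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = AD.MY.DOMAIN.TLD

[domain/AD.MY.DOMAIN.TLD]
id_provider = files
auth_provider = krb5
krb5_realm = AD.MY.DOMAIN.TLD
"""

# Constructed /etc/passwd excerpt used to check the "usernames must match" requirement.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"


def check_sssd_conf(text: str) -> list:
    """Return a list of problems found in an sssd.conf-style text (empty list means OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",") if s.strip()}
    if "pam" not in services:
        problems.append("[sssd] services does not include pam; PAM will not authenticate via sssd")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        problems.append("[sssd] domains is empty")
    for dom in domains:
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            problems.append(f"domain {dom} is listed but [{sec}] is missing")
            continue
        if cp.get(sec, "auth_provider", fallback="") == "krb5":
            realm = cp.get(sec, "krb5_realm", fallback="")
            if not realm:
                problems.append(f"[{sec}] auth_provider=krb5 but krb5_realm is not set")
            elif realm != realm.upper():
                # Kerberos realms are case-sensitive and conventionally upper-case.
                problems.append(f"[{sec}] krb5_realm {realm!r} is not upper-case")
    return problems


def missing_local_accounts(usernames, passwd_text: str) -> list:
    """With id_provider=files, an AD user can only log in if a same-named local account exists."""
    local = {line.split(":", 1)[0] for line in passwd_text.splitlines() if ":" in line}
    return [u for u in usernames if u not in local]
```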