===== RHEL 7 Active Directory LDAP with SSSD =====
Configure DNS with Active Directory IP address.
<code>
nmcli con mod eth0 ipv4.dns-search dominio.local
hostnamectl set-hostname ldap.dominio.local
yum install sssd realmd oddjob oddjob-mkhomedir samba-common-tools krb5-workstation sssd-ad
realm join dominio.local
authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
</code>

==== RHEL 6 ====
You must have configured NTP and DNS.

File /etc/hosts correctly configure for example:
<code>
192.168.75.166 servidor servidor.2008r2.example.com
</code>
Install packages:
<code>
yum install ntp sssd samba-common krb5-workstation
</code>

Edit /etc/krb5.conf:
<code>
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = 2008R2.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 2008R2.EXAMPLE.COM = {
 }

[domain_realm]
 .2008r2.example.com = 2008R2.EXAMPLE.COM
 2008r2.example.com = 2008R2.EXAMPLE.COM
</code>

Edit /etc/samba/smb.conf:
<code>
[global]
   workgroup = 2008R2
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   log file = /var/log/samba/%m.log
   realm = 2008R2.EXAMPLE.COM
   security = ads
</code>

Create kerberos ticket:
<code>
kinit Administrator
net ads join -k
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
</code>

Create /etc/sssd/sssd.conf:
<code>
echo >/etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
</code>

With this content:
<code>
[domain/2008r2.example.com]
id_provider = ad
access_provider = ad
default_shell=/bin/bash
fallback_homedir=/home/%u
debug_level = 0

[sssd]
services = nss, pam
config_file_version = 2
domains = 2008r2.example.com

[nss]

[pam]
</code>

Restart sssd:
<code>
service sssd restart
</code>

==== AD user access filter ====
Edit /etc/sssd/sssd.conf and configure in a similar way:
<code>
access_provider = simple
simple_allow_users = user1,user2
</code>

Restart sssd:
<code>
systemctl restart sssd
</code>
==== AD groups access filter ====
Edit /etc/sssd/sssd.conf and configure in a similar way:
<code>
access_provider = simple
simple_allow_groups = linuxusers@administrativos.ice.com,linuxusers@sucursales.ice.com
</code>

Restart sssd:
<code>
systemctl restart sssd
</code>

==== Configure AD groups with sudo ====
Use visudo to add this lines:
<code>
%linuxusers@administrativos.ice.com     ALL=(ALL)       ALL
</code>

==== Configure home dir ====
Change line:
<code>
fallback_homedir=/home/%u@%d
</code>

==== Referencias ====
  * https://access.redhat.com/solutions/2710131
  * https://access.redhat.com/articles/3023951
  * https://access.redhat.com/solutions/715173
  * http://www.thinkplexx.com/learn/howto/linux/system/allow-user-sudo-but-exlude-some-privileges-run-shells-etc