Active Directory, Integration with Linux
RHEL Sample Config
krb5.conf
----------------------------------------
krb5.conf
----------------------------------------
[logging]
# kdc and admin_server only apply on a host running those daemons; on a
# client only the default entry (libkrb5 messages) is used.
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default = FILE:/var/log/krb5libs.log
[libdefaults]
# Realm appended to principal names that are given without one.
default_realm = AD.UILLINOIS.EDU
# KDCs are discovered via DNS SRV records only for realms not listed in
# [realms]; the realm of a host is never taken from DNS TXT records
# (the static [domain_realm] map is used instead).
dns_lookup_kdc = true
dns_lookup_realm = false
# Do not use reverse DNS to canonicalize hostnames in service principal
# names; a spoofed PTR record could otherwise steer the client to a
# different SPN.
rdns = false
# 0 = always try TCP first, so large AD tickets (PAC) do not fragment over UDP.
udp_preference_limit = 0
# Requested lifetimes; the KDC may cap them. forwardable permits GSSAPI
# credential delegation (e.g. ssh with ticket forwarding).
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# No default_tkt_enctypes / default_tgs_enctypes / permitted_enctypes are
# pinned here on purpose: the library (and on RHEL 8+ the system crypto
# policy) chooses the enctypes, rather than a hand-written list that could
# re-enable the weak RC4/DES types.
[realms]
AD.UILLINOIS.EDU = {
# Servers listed here take precedence over DNS SRV discovery for this realm.
kdc = kerberos.illinois.edu
# The KDC retried after a password failure, so replication lag on a replica
# does not produce a false "wrong password". Newer MIT releases also accept
# the alias primary_kdc; master_kdc is kept for compatibility.
master_kdc = kerberos.illinois.edu
admin_server = kerberos.illinois.edu
# Legacy setting: domain used to expand unqualified hostnames when
# converting Kerberos 4 style principals.
default_domain = ad.uillinois.edu
}
[domain_realm]
# Static host/domain -> realm map, used because dns_lookup_realm is false.
# Entries with a leading dot match hosts under that domain; the bare entries
# match the apex names themselves.
.illinois.edu = AD.UILLINOIS.EDU
illinois.edu = AD.UILLINOIS.EDU
.ad.uillinois.edu = AD.UILLINOIS.EDU
ad.uillinois.edu = AD.UILLINOIS.EDU
sssd.conf
----------------------------------------
sssd.conf
----------------------------------------
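[sssd]
# This file carries the LDAP bind credential (ldap_default_authtok); it must
# be owned by root and readable only by root (mode 0600) - sssd checks this
# at startup.
config_file_version = 2
services = nss, pam, pac
domains = ad.uillinois.edu
# 2 = failures only, no request tracing; raise while troubleshooting.
# (The original listed debug_level twice in this section; a key may appear
# only once per section.)
debug_level = 2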
[nss]
debug_level = 2
# Never resolve root through sssd, so a directory entry can never shadow the
# local root account.
filter_users = root
# override_homedir replaces the homeDirectory value from AD for every user;
# use fallback_homedir instead if AD-supplied paths should be honoured.
override_homedir = /home/%u
# ENGRIT CHANGE -- override_shell was replaced by default_shell (used when
# AD returns no loginShell) plus shell_fallback (used when the AD-supplied
# shell is not installed on this host).
default_shell = /bin/bash
shell_fallback = /bin/bash
#
# Tunables left at their defaults (see sssd.conf(5)):
# enum_cache_timeout - seconds nss_sss caches enumerations (requests for
#   info about all users). Default: 120
# entry_cache_nowait_percentage - once this percentage of the domain's
#   entry_cache_timeout has elapsed, a request is answered from cache
#   immediately while sssd refreshes the entry in the background (e.g.
#   entry_cache_timeout 30s and 50 percent: requests after 15s return at
#   once). Valid values 0-99; 0 disables; the nowait timeout is never
#   reduced below 10 seconds. Default: 50
# entry_negative_timeout - seconds nss_sss caches negative hits (queries
#   for nonexistent entries) before asking the back end again. Default: 15
[pam]
debug_level = 2
# Attempts to reconnect to the back end before giving up on a request.
reconnection_retries = 3
# Offline (cached-password) login policy: expiration in days, delay in
# minutes. These only take effect when the domain sets
# cache_credentials = True; this sample leaves it commented out (default
# False), so no password hashes are stored locally and offline login is
# not possible.
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/ad.uillinois.edu]
debug_level = 2
# Engineering groups of interest start at gidNumber 60000; ids below this
# are treated as local and never looked up in AD.
min_id = 60000
# Enumerate will enumerate all the groups and is a major factor in login time
#enumerate = True
enumerate = False
# How long NSS caches entries before going back to AD to find them
#entry_cache_timeout = 5400
#entry_cache_user_timeout
#entry_cache_group_timeout
#entry_cache_netgroup_timeout
# etc.
# cache_credentials (bool)
# Determines if user credentials are also cached in the local LDB cache
#
# User credentials are stored in a SHA512 hash, not in plaintext
#
# Default: FALSE
#account_cache_expiration
# Number of days entries are left in cache after last successful login
# before being removed during a cleanup of the cache. 0 means keep forever.
# The value of this parameter must be greater than or equal to
# offline_credentials_expiration.
# Default: 0 (unlimited)
# ignore_group_members (bool)
# Do not return group members for group lookups.
#
# If set to TRUE, the group membership attribute is not requested from the ldap server, and group members
# are not returned when processing group lookup calls, such as getgrnam(3) or getgrgid(3). As an effect,
# "getent group $groupname" would return the requested group as empty.
# Enabling this option can also make access provider checks for group membership significantly faster,
# especially for groups containing many members.
#
# Default: FALSE
#id_provider: [ldap|ipa|ad]
# id_provider = ad requires joining the workstation to the domain
id_provider = ldap
#auth_provider: [ldap|krb5|ipa|ad]
# Passwords are verified against the KDC; they never cross the LDAP connection.
auth_provider = krb5
krb5_server = kerberos.illinois.edu
krb5_realm = AD.UILLINOIS.EDU
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
chpass_provider = krb5
dns_discovery_domain = .uillinois.edu
##### Commenting this out, it's up above and commented out defaulting to false;
#cache_credentials = True
# NOTE: the simple access provider grants access to everyone when all of its
# allow/deny lists are empty (sssd-simple(5)). With simple_allow_groups left
# commented out below, this sample permits every AD user that resolves; set
# simple_allow_groups before deploying. Group names are matched against the
# attribute chosen by ldap_group_name (displayName here), not the AD cn.
access_provider = simple
#simple_allow_groups = None
# This is if we have salt pillar data populating the simple_allow_groups
#simple_allow_groups = {{ class_group }}
ldap_uri = ldap://ldap.ad.uillinois.edu
ldap_schema = rfc2307bis
# Service account for the LDAP simple bind. obfuscated_password is a
# reversible encoding (generated with sss_obfuscate), not encryption: it only
# keeps the password out of casual view, so sssd.conf must stay mode 0600.
ldap_default_bind_dn =
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok =
# STARTTLS on the plain ldap:// port. With reqcert = demand an unverifiable
# server certificate aborts the connection (fail closed) instead of sending
# the bind password in the clear.
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cacertdir = /etc/pki/tls/certs
# Following AD referrals is slow and rarely needed.
ldap_referrals = False
# NOTE(review): these two are consulted by the ldap access provider only;
# with access_provider = simple they appear to have no effect - confirm
# before relying on them to block expired accounts.
ldap_account_expire_policy = ad
ldap_access_order = expire
ldap_search_base = DC=ad,DC=uillinois,DC=edu?subtree?
# ldap_user_search_base defaults to all of AD; add any OU you keep external
# collaborators/users in (append a further ?subtree? base as done for groups below).
ldap_user_search_base = OU=People,DC=ad,DC=uillinois,DC=edu?subtree?
# ENGRIT Change -- Changed from "person" to "user" because Microsoft shoves
# more attributes in "user" than it does "person"
#ldap_user_object_class = person
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_uuid = objectGUID
ldap_user_objectsid = objectSid
# ENGRIT Change -- changed to nosuchattr so the wrong UPN will not be pulled;
# when not found, SSSD will construct the UPN from the
# kerberos domain. Otherwise, our AD returns netid@illinois.edu
#ldap_user_principal = userPrincipalName
ldap_user_principal = nosuchattr
# ENGRIT Change -- Make the ldap_group_search_base equal to YOUR OU for groups
# plus the OU for all the gidGroups created by campus. "???" is a placeholder
# and must be replaced; the "?subtree??" separator joins two search bases.
ldap_group_search_base = OU=???,OU=Urbana,DC=ad,DC=uillinois,DC=edu?subtree??OU=gidGroups,OU=Urbana,DC=ad,DC=uillinois,DC=edu?subtree?
# ENGRIT Change -- Made the object class for groups "group" instead of
# "posixGroup" which is the default
ldap_group_object_class = group
# ENGRIT Comment -- "description" is a multi-valued attribute, so use a single-valued
# attribute like displayName, which may be changed to extensionAttribute12
ldap_group_name = displayName
ldap_group_gid_number = gidNumber
ldap_group_uuid = objectGUID
ldap_group_objectsid = objectSID
# ldap_group_nesting_level (integer)
# If ldap_schema is set to a schema format that supports nested groups (e.g. RFC2307bis), then this option
# controls how many levels of nesting SSSD will follow. This option has no effect on the RFC2307 schema.
#
# Note: This option specifies the guaranteed level of nested groups to be processed for any lookup. However,
# nested groups beyond this limit may be returned if previous lookups already resolved the deeper nesting
# levels. Also, subsequent lookups for other groups may enlarge the result set for original lookup if
# re-queried.
#
# If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when
# connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of
# Token-Groups by setting ldap_use_tokengroups to false.
#
# Default: 2
#
# ENGRIT Change -- Commented out ldap_group_nesting_level since enumerate is off.
# NOTE NOTE NOTE - Default is 2. This is working for us because schema is RFC2307bis
# ldap_group_nesting_level = 10
#
# ldap_groups_use_matching_rule_in_chain
# This option tells SSSD to take advantage of an Active Directory-specific feature which may speed up group
# lookup operations on deployments with complex or deep nested groups.
#
# In most common cases, it is best to leave this option disabled. It generally only provides a performance
# increase on very complex nestings.
#
# If this option is enabled, SSSD will use it if it detects that the server supports it during initial
# connection. So "True" here essentially means "auto-detect".
#
# Default: False
# ENGRIT Change -- with tokenGroups enabled these two options needn't be here
# ldap_groups_use_matching_rule_in_chain = True
# ldap_initgroups_use_matching_rule_in_chain = True
#
# ENGRIT Change -- Made ldap_use_tokengroups = True because it is better long run
# (tokenGroups lets AD compute the user's full, nested group set server-side).
ldap_use_tokengroups = True
#
# ldap_search_timeout (integer)
# Specifies the timeout (in seconds) that ldap searches are allowed to run before they are cancelled and
# cached results are returned (and offline mode is entered)
#
# Note: this option is subject to change in future versions of the SSSD. It will likely be replaced at some
# point by a series of timeouts for specific lookup types.
#
# Default: 6
#
# ldap_enumeration_search_timeout (integer)
# Specifies the timeout (in seconds) that ldap searches for user and group enumerations are allowed to run
# before they are cancelled and cached results are returned (and offline mode is entered)
#
# Default: 60
#
# ldap_network_timeout (integer)
# Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in
# case of no activity.
#
# Default: 6
#
# The following line may be deprecated. With False, users log in as "netid"
# rather than "netid@ad.uillinois.edu".
use_fully_qualified_names = False
#
ignore_group_members = False
# ENGRIT Change -- Commented out override_gid since it is not needed.
#override_gid = None
Ubuntu Sample Config
krb5.conf
----------------------------------------
krb5.conf
----------------------------------------
[logging]
# kdc and admin_server only apply on a host running those daemons; on a
# client only the default entry (libkrb5 messages) is used.
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default = FILE:/var/log/krb5libs.log
[libdefaults]
# Realm appended to principal names that are given without one.
default_realm = AD.UILLINOIS.EDU
# KDCs are discovered via DNS SRV records only for realms not listed in
# [realms]; the realm of a host is never taken from DNS TXT records
# (the static [domain_realm] map is used instead).
dns_lookup_kdc = true
dns_lookup_realm = false
# Do not use reverse DNS to canonicalize hostnames in service principal
# names; a spoofed PTR record could otherwise steer the client to a
# different SPN.
rdns = false
# 0 = always try TCP first, so large AD tickets (PAC) do not fragment over UDP.
udp_preference_limit = 0
# Requested lifetimes; the KDC may cap them. forwardable permits GSSAPI
# credential delegation (e.g. ssh with ticket forwarding).
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# No default_tkt_enctypes / default_tgs_enctypes / permitted_enctypes are
# pinned here on purpose: the library chooses the enctypes, rather than a
# hand-written list that could re-enable the weak RC4/DES types.
[realms]
AD.UILLINOIS.EDU = {
# Servers listed here take precedence over DNS SRV discovery for this realm.
kdc = kerberos.illinois.edu
# The KDC retried after a password failure, so replication lag on a replica
# does not produce a false "wrong password". Newer MIT releases also accept
# the alias primary_kdc; master_kdc is kept for compatibility.
master_kdc = kerberos.illinois.edu
admin_server = kerberos.illinois.edu
# Legacy setting: domain used to expand unqualified hostnames when
# converting Kerberos 4 style principals.
default_domain = ad.uillinois.edu
}
[domain_realm]
# Static host/domain -> realm map, used because dns_lookup_realm is false.
# Entries with a leading dot match hosts under that domain; the bare entries
# match the apex names themselves.
.illinois.edu = AD.UILLINOIS.EDU
illinois.edu = AD.UILLINOIS.EDU
.ad.uillinois.edu = AD.UILLINOIS.EDU
ad.uillinois.edu = AD.UILLINOIS.EDU
sssd.conf
----------------------------------------
sssd.conf
----------------------------------------
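[sssd]
# This file carries the LDAP bind credential (ldap_default_authtok); it must
# be owned by root and readable only by root (mode 0600) - sssd checks this
# at startup.
config_file_version = 2
services = nss, pam, pac
domains = ad.uillinois.edu
# 2 = failures only, no request tracing; raise while troubleshooting.
# (The original opened [sssd] twice and set debug_level in each; a section
# header and each key may appear only once.)
debug_level = 2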
[nss]
debug_level = 2
# Never resolve root through sssd, so a directory entry can never shadow the
# local root account.
filter_users = root
# Used only when AD supplies no homeDirectory (unlike override_homedir, which
# replaces the AD value for everyone).
fallback_homedir = /home/%u
# default_shell: used when AD returns no loginShell.
# shell_fallback: used when the AD-supplied shell is not installed here.
default_shell = /bin/bash
shell_fallback = /bin/bash
#
# Tunables left at their defaults (see sssd.conf(5)):
# enum_cache_timeout - seconds nss_sss caches enumerations (requests for
#   info about all users). Default: 120
# entry_cache_nowait_percentage - once this percentage of the domain's
#   entry_cache_timeout has elapsed, a request is answered from cache
#   immediately while sssd refreshes the entry in the background (e.g.
#   entry_cache_timeout 30s and 50 percent: requests after 15s return at
#   once). Valid values 0-99; 0 disables; the nowait timeout is never
#   reduced below 10 seconds. Default: 50
# entry_negative_timeout - seconds nss_sss caches negative hits (queries
#   for nonexistent entries) before asking the back end again. Default: 15
[pam]
# 9 = full request tracing in the pam responder log; very verbose, so lower
# it once logins work.
debug_level = 9
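[domain/ad.uillinois.edu]
# 9 = full request tracing; very verbose, lower it once the domain works.
debug_level = 9
# Engineering groups of interest start at gidNumber 60000; ids below this
# are treated as local and never looked up in AD.
min_id = 60000
# Enumerate will enumerate all the groups and is a major factor in login time
#enumerate = True
enumerate = False
# How long NSS caches entries before going back to AD to find them
#entry_cache_timeout = 5400
#entry_cache_user_timeout
#entry_cache_group_timeout
#entry_cache_netgroup_timeout
# etc.
# cache_credentials (bool) - left at its default (FALSE): no password hashes
# are stored locally, so there is no offline login.
# account_cache_expiration - days entries stay cached after the last
# successful login; 0 keeps them forever; must be >= the pam section's
# offline_credentials_expiration. Default: 0
# ignore_group_members (bool) - when TRUE the membership attribute is not
# fetched and "getent group $groupname" returns the group with no members;
# this speeds up access checks on large groups. Default: FALSE
#id_provider: [ldap|ipa|ad]
# id_provider = ad requires joining the workstation to the domain
id_provider = ldap
#auth_provider: [ldap|krb5|ipa|ad]
# Passwords are verified against the KDC; they never cross the LDAP connection.
auth_provider = krb5
chpass_provider = krb5
krb5_server = kerberos.illinois.edu
krb5_realm = AD.UILLINOIS.EDU
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_canonicalize = False
#access_provider: [permit|deny|ldap|ipa|ad|simple]
# "simple" access control based on access or deny lists.
# See sssd-simple(5) for more information on configuring the simple access module.
access_provider = simple
# NOTE: Update simple_allow_groups to the group(s) you want to grant access.
# The option is simple_allow_groups (plural); the original's misspelt
# simple_allow_group is not a known option and is ignored, and when the
# simple provider has no allow/deny list at all it grants access to every
# user (sssd-simple(5)). Group names are matched against the attribute
# chosen by ldap_group_name (extensionAttribute12 here), not the AD cn.
simple_allow_groups = GROUP_NAME
# NOTE(review): these two are consulted by the ldap access provider only;
# with access_provider = simple they appear to have no effect - confirm
# before relying on them to block expired accounts.
ldap_account_expire_policy = ad
ldap_access_order = expire
ldap_uri = ldap://ldap.ad.uillinois.edu
#ldap_backup_uri = ldap://ad.uillinois.edu
# STARTTLS on the plain ldap:// port. The original read "Tru", which is not
# a boolean sssd accepts; depending on the version the back end fails to load
# or the option falls back to False, in which case the bind DN and password
# below would be sent in the clear. reqcert = demand makes an unverifiable
# server certificate abort the connection rather than downgrade.
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
# Ubuntu ships its CA bundle under /etc/ssl; the /etc/pki paths copied from
# the RHEL sample do not exist on Ubuntu, so certificate verification (and
# with it STARTTLS) would fail and sssd would go offline.
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_cacertdir = /etc/ssl/certs
#ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
#ldap_tls_cacertdir = /etc/pki/tls/certs
# Following AD referrals is slow and rarely needed.
ldap_referrals = False
# Changed from rfc2307bis to AD, even though it should make no difference -fep 2016-0-7-14
ldap_schema = AD
# You need to substitute with your own AD Service account
ldap_default_bind_dn =
# obfuscated_password is a reversible encoding (generated with
# sss_obfuscate), not encryption: it only keeps the password out of casual
# view, so sssd.conf must stay mode 0600, owned by root.
ldap_default_authtok_type = obfuscated_password
# You will need to have your corresponding password obfuscated for your service account here
ldap_default_authtok = A....................M
ldap_search_base = DC=ad,DC=uillinois,DC=edu?subtree?
# NOTE: this search base allows all campus created accounts access, see the commented version below to add your own created accounts access as well
ldap_user_search_base = OU=People,DC=ad,DC=uillinois,DC=edu?subtree?
# Replace YOUR_GROUP_OU with the OU that holds your groups (the original
# left the OU value empty, which is not a valid DN).
ldap_group_search_base = OU=YOUR_GROUP_OU,OU=Urbana,DC=ad,DC=uillinois,DC=edu?subtree?
# Changed from "person" to "user" because Microsoft shoves more attributes in "user" than it does "person"
ldap_user_object_class = user
# NOTE(review): with ldap_schema = AD the default login attribute is
# sAMAccountName, and the RHEL sample uses it; in AD, cn is usually a
# display name that may contain spaces - confirm cn is intended.
ldap_user_name = cn
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_uuid = objectGUID
ldap_user_objectsid = objectSid
# NOTE(review): the RHEL sample sets this to nosuchattr because this AD
# returns netid@illinois.edu as the UPN, which does not match krb5_realm;
# if Kerberos auth fails with a principal mismatch, check this first.
ldap_user_principal = userPrincipalName
# Made the object class for groups "group" instead of "posixGroup" which is the default
ldap_group_object_class = group
# Use the single-valued extensionAttribute12 (rather than cn) as the group
# name, so we can rip the enx- prefix off the name.
ldap_group_name = extensionAttribute12
ldap_group_gid_number = gidNumber
ldap_group_uuid = objectGUID
ldap_group_objectsid = objectSID
# tokenGroups lets AD compute the user's full, nested group set server-side.
# ldap_group_nesting_level (default 2) and the *_use_matching_rule_in_chain
# options are therefore left unset; note that setting nesting_level to 0
# against AD 2008+ would also require ldap_use_tokengroups = false.
# ldap_group_nesting_level = 10
#ldap_groups_use_matching_rule_in_chain = True
# ldap_initgroups_use_matching_rule_in_chain = True
ldap_use_tokengroups = True
# Timeouts left at their defaults (seconds, see sssd.conf(5)):
# ldap_search_timeout - a search is cancelled, cached results returned and
#   offline mode entered after this long. Default: 6
# ldap_enumeration_search_timeout - the same for user/group enumeration
#   searches. Default: 60
# ldap_network_timeout - poll/select after connect() returns after this long
#   with no activity. Default: 6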