When integrating Active Directory authentication with Linux systems through SSSD, two critical post-authentication configurations often require attention:
1. Automatic home directory creation (/home/username)
2. Default shell assignment (/bin/bash or other preferred shell)
Ensure these directives exist in your /etc/sssd/sssd.conf under the [domain/your.ad.domain] section:
[domain/your.ad.domain]
...
override_homedir = /home/%u
default_shell = /bin/bash
...
The %u placeholder automatically substitutes the AD username. For organizational units, consider /home/%d/%u where %d represents the domain.
The critical missing piece is often the PAM (Pluggable Authentication Modules) configuration. Edit /etc/pam.d/sshd (for SSH) or /etc/pam.d/system-auth (for console login):
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Key parameters:
skel=/etc/skel : Copies skeleton directory contents
umask=0022 : Sets default file permissions
After configuration changes:
# Restart services
sudo systemctl restart sssd
sudo systemctl restart sshd
# Verify with test user
ssh AD_USER@your-linux-host
Check the resulting environment:
echo $HOME
echo $SHELL
ls -la ~/
If issues persist:
# Check SSSD logs
journalctl -u sssd -f
# Verify PAM stack
sudo pam_tally2
# Debug SSH login
ssh -vvv AD_USER@host
For complex environments, consider using session_provider in sssd.conf:
[domain/your.ad.domain]
...
session_provider = local
...
Then create custom scripts in /usr/libexec/sssd/ to handle home directory creation and shell assignment.
When integrating Active Directory authentication with Linux systems through SSSD, two critical post-login behaviors often require special attention:
- Automatic home directory creation (/home/username)
- Proper shell assignment (/bin/bash or other)
Your /etc/sssd/sssd.conf appears mostly correct, but needs these critical additions in the [domain/YOUR.DOMAIN] section:
[domain/example.com]
...
override_homedir = /home/%u
default_shell = /bin/bash
...
The authconfig command sometimes doesn't fully enable PAM modules. Verify these lines exist in /etc/pam.d/system-auth:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
For Ubuntu/Debian systems, check /etc/pam.d/common-session instead.
1. Check SSSD debug logs:
tail -f /var/log/sssd/*.log
2. Verify PAM module order:
grep mkhomedir /etc/pam.d/*
3. Test with manual home creation:
sudo mkdir -p /home/testuser
sudo chown testuser:domain\ users /home/testuser
For enterprise environments, consider these enhancements:
# Custom skeleton directory
override_homedir = /home/%d/%u
fallback_homedir = /home/%u
Example of shell override based on AD groups:
ldap_user_shell = /bin/bash
ldap_user_shell = developer:!/bin/zsh
ldap_user_shell = admin:!/bin/bash
After making changes, always:
sudo systemctl restart sssd
sudo systemctl restart sshd
Test with a new AD user account that has never logged in before.
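Both answers above ask the reader to verify the same two things by hand: that override_homedir and default_shell sit inside the right [domain/...] section of sssd.conf, and that a session line loads pam_mkhomedir.so in the relevant PAM service file. The script below, an added example that is not code from either answer, automates those checks and also shows what a %u/%d home directory template resolves to; the file names, section name, user and domain values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from either answer: audit helpers that check an
# sssd.conf domain section for the home-directory and shell directives, check
# a PAM service file for pam_mkhomedir in its session stack, and show what an
# override_homedir template resolves to. Sample files below are constructed.

# Print the body of [SECTION] in FILE (lines up to the next section header).
section_body() {
    awk -v sec="[$2]" '$0 == sec {inside=1; next} /^\[/ {inside=0} inside' "$1"
}

# Return 0 if override_homedir and default_shell both exist in [SECTION];
# otherwise print the missing keys and return 1.
check_sssd_domain() {
    missing=""
    for key in override_homedir default_shell; do
        section_body "$1" "$2" | grep -Eq "^[[:space:]]*$key[[:space:]]*=" \
            || missing="$missing $key"
    done
    [ -z "$missing" ] && return 0
    printf 'missing in [%s]:%s\n' "$2" "$missing"
    return 1
}

# Return 0 if FILE has a session line loading pam_mkhomedir.so (a leading
# "-", which Debian uses for optional modules, is accepted).
check_pam_mkhomedir() {
    grep -Eq '^[[:space:]]*-?session[[:space:]]+.*pam_mkhomedir\.so' "$1"
}

# Expand the %u (user) and %d (domain) placeholders of a homedir template.
render_homedir() {
    printf '%s\n' "$1" | sed -e "s|%u|$2|g" -e "s|%d|$3|g"
}

# Constructed sample files: one complete domain section, one missing a key.
demo=$(mktemp -d)
cat > "$demo/sssd.good.conf" <<'EOF'
[sssd]
domains = example.com
[domain/example.com]
override_homedir = /home/%d/%u
default_shell = /bin/bash
EOF
printf '[domain/example.com]\ndefault_shell = /bin/bash\n' > "$demo/sssd.bad.conf"
printf 'session required pam_unix.so\nsession optional pam_mkhomedir.so skel=/etc/skel umask=0022\n' > "$demo/sshd"
check_sssd_domain "$demo/sssd.good.conf" domain/example.com && echo "sssd.good.conf: ok"
check_sssd_domain "$demo/sssd.bad.conf" domain/example.com || echo "sssd.bad.conf: fix needed"
check_pam_mkhomedir "$demo/sshd" && echo "sshd: pam_mkhomedir present"
render_homedir /home/%d/%u alice example.com   # -> /home/example.com/alice
```

Point the three functions at the real /etc/sssd/sssd.conf and /etc/pam.d/sshd (or common-session on Debian/Ubuntu) to audit a host before the first AD login.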