These instructions are for integrating CentOS 7.x & RHEL 7.x with AD (Windows Server 2008 R2 & Windows Server 2012 R2).

Note: the system time must be correct (Kerberos rejects clock skew); set the clock with ntpdate or similar before joining.

1. Ensure that /etc/hosts and /etc/resolv.conf contain at least one domain controller, e.g.:

   /etc/hosts:
       192.168.0.151 adserver.example.com adserver

   /etc/resolv.conf:
       search example.com
       nameserver 192.168.0.151

   Note: for resolv.conf, the DNS server should be listed in the /etc/sysconfig/network-scripts/ifcfg-* file of one of the network adapters, so that NetworkManager generates /etc/resolv.conf with it.

2. Install packages:

       yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

3. Join the domain:

       realm join --user=mydomainadminuser example.com

4. Verify that the domain join was successful:

       realm list

   The output should be something like:

       [root@server]# realm list
       example.com
         type: kerberos
         realm-name: EXAMPLE.COM
         domain-name: example.com
         configured: kerberos-member
         server-software: active-directory
         client-software: sssd
         required-package: oddjob
         required-package: oddjob-mkhomedir
         required-package: sssd
         required-package: adcli
         required-package: samba-common-tools
         login-formats: %U@example.com
         login-policy: allow-realm-logins

   This should output a list of the user's AD groups:

       id domainuser@example.com

   This should output "no such user" (the login format requires the @example.com suffix):

       id domainuser

5. Restrict AD logins to certain groups only:

       realm permit -g linuxadmins@example.com
       realm permit -g "domain admins@example.com"

   Now the output of 'realm list' should include lines like these:

         login-policy: allow-permitted-logins
         permitted-logins:
         permitted-groups: linuxadmins@example.com, domain admins@example.com

6. Add AD groups to /etc/sudoers (use backslashes to escape spaces):

   in /etc/sudoers:
       %domain\ admins@example.com ALL=(ALL) ALL
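As an added example (not part of these instructions), a small POSIX sh script that audits the state steps 4 and 5 expect by parsing `realm list` output, and that builds the escaped sudoers line from step 6. The realm output embedded in it is constructed to mirror the sample above, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit the post-join state offline from captured `realm list`
# output. The sample below is constructed to match the instructions; on a
# real host use: REALM_OUT="$(realm list)".
REALM_OUT_SAMPLE='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@example.com
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: linuxadmins@example.com, domain admins@example.com'

# realm_field OUTPUT FIELD -> prints the value of the first "  FIELD: value" line
realm_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# login_restricted OUTPUT -> 0 if logins are limited to permitted groups,
# 1 if every realm user may log in (the state right after `realm join`).
login_restricted() {
    [ "$(realm_field "$1" login-policy)" = "allow-permitted-logins" ]
}

# group_permitted OUTPUT GROUP -> 0 if GROUP is listed in permitted-groups.
# Entries are comma separated and may contain spaces ("domain admins@...").
group_permitted() {
    realm_field "$1" permitted-groups | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx -- "$2"
}

# sudoers_group_line GROUP -> the /etc/sudoers line from step 6, with every
# space in the group name backslash-escaped as sudoers requires.
sudoers_group_line() {
    printf '%%%s ALL=(ALL) ALL\n' "$(printf '%s' "$1" | sed 's/ /\\ /g')"
}

if login_restricted "$REALM_OUT_SAMPLE"; then
    echo "login-policy restricts logins to permitted groups"
else
    echo "WARNING: any domain user can log in; run 'realm permit -g ...'"
fi
sudoers_group_line "domain admins@example.com"
```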