These instructions are for integrating CentOS 7.x and RHEL 7.x hosts with Active Directory
(Windows Server 2008 R2 and Windows Server 2012 R2) using realmd and SSSD.

Note: the system clock must be in sync with the domain controllers (Kerberos rejects
tickets when the clock skew is too large); set it with ntpdate or similar before joining.

1. Ensure that /etc/hosts and /etc/resolv.conf contain at least one domain
   controller, e.g.:

	/etc/hosts:
	192.168.0.151    adserver.example.com  adserver

	/etc/resolv.conf:
	search example.com
	nameserver 192.168.0.151

   Note: rather than editing resolv.conf by hand, list the DNS server (DNS1=...) in the
   /etc/sysconfig/network-scripts/ifcfg-* file for one of the network adapters, so that
   NetworkManager generates /etc/resolv.conf and does not overwrite the manual change.

2. Install packages:

	yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

3. Join the domain (you will be prompted for the AD user's password):

	realm join --user=mydomainadminuser example.com

4. Verify that domain join was successful:

	realm list

	Output should be something like:
	[root@server]# realm list
	example.com
	  type: kerberos
	  realm-name: EXAMPLE.COM
	  domain-name: example.com
	  configured: kerberos-member
	  server-software: active-directory
	  client-software: sssd
	  required-package: oddjob
	  required-package: oddjob-mkhomedir
	  required-package: sssd
	  required-package: adcli
	  required-package: samba-common-tools
	  login-formats: %U@example.com
	  login-policy: allow-realm-logins

	Should list the user's AD group memberships:

	id domainuser@example.com

	Should output "no such user" (login-formats is %U@example.com, so only the
	fully qualified name resolves):

	id domainuser

5. Restrict AD logins to certain groups only:

	realm permit -g linuxadmins@example.com
	realm permit -g "domain admins@example.com"

	Now the output of 'realm list' should include lines like this:
	  login-policy: allow-permitted-logins
	  permitted-logins:
	  permitted-groups: linuxadmins@example.com, domain admins@example.com

6. Add AD groups to /etc/sudoers (edit it with visudo; use backslashes to escape
   spaces in group names):

	in /etc/sudoers:
	%domain\ admins@example.com   ALL=(ALL)   ALL
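As an added check for steps 4 and 5 (an example script, not part of the original instructions): a POSIX sh function that parses 'realm list' output and confirms that the login policy is allow-permitted-logins and that only the expected groups are permitted. The sample output below is constructed to match the listing in step 5; the function name and the expected-group list are assumptions for the example.

```shell
#!/bin/sh
# Constructed sample of 'realm list' output after step 5 (not captured from a real host).
SAMPLE_REALM_LIST='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@example.com
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: linuxadmins@example.com, domain admins@example.com'

# check_realm_policy EXPECTED_GROUPS
# Reads 'realm list' output on stdin and verifies that
#   - login-policy is allow-permitted-logins (step 4 shows allow-realm-logins,
#     which lets every domain account log in), and
#   - every group in permitted-groups is in EXPECTED_GROUPS (comma-separated).
# Returns 0 when both hold, otherwise prints the first problem and returns 1.
check_realm_policy() {
    expected="$1"
    input=$(cat)
    policy=$(printf '%s\n' "$input" | sed -n 's/^[[:space:]]*login-policy:[[:space:]]*//p')
    if [ "$policy" != "allow-permitted-logins" ]; then
        echo "login-policy is '${policy:-unset}', expected allow-permitted-logins"
        return 1
    fi
    permitted=$(printf '%s\n' "$input" | sed -n 's/^[[:space:]]*permitted-groups:[[:space:]]*//p')
    if [ -z "$permitted" ]; then
        echo "permitted-groups is empty (was 'realm permit -g' run?)"
        return 1
    fi
    # Split on commas and trim; group names may contain spaces ("domain admins@example.com").
    printf '%s\n' "$permitted" | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' |
    while IFS= read -r g; do
        case ",$expected," in
            *",$g,"*) ;;
            *) echo "unexpected permitted group: $g"; exit 1 ;;
        esac
    done
}

# Stand-alone run against the constructed sample; on a joined host use:
#   realm list | check_realm_policy "linuxadmins@example.com,domain admins@example.com"
printf '%s\n' "$SAMPLE_REALM_LIST" |
    check_realm_policy "linuxadmins@example.com,domain admins@example.com" &&
    echo "realm login policy OK"
```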