These instructions are for integrating CentOS 7.x & RHEL 7.x with AD (Windows
Server 2008 R2 & Windows Server 2012 R2).

Note: system time must be correct; set the clock with ntpdate or such.

1. Ensure that /etc/hosts and /etc/resolv.conf contain at least one domain
   controller, e.g.:

	/etc/hosts:  adserver


   Note: for resolv.conf, the DNS server should be listed in the
   /etc/sysconfig/network-scripts/ifcfg-* file for one of the network adapters,
   so that NetworkManager generates /etc/resolv.conf.

2. Install packages:

	yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

3. Join the domain:

	realm join --user=mydomainadminuser

4. Verify that the domain join was successful:

	realm list

	Output should be something like:
	[root@server]# realm list
	  type: kerberos
	  realm-name: EXAMPLE.COM
	  configured: kerberos-member
	  server-software: active-directory
	  client-software: sssd
	  required-package: oddjob
	  required-package: oddjob-mkhomedir
	  required-package: sssd
	  required-package: adcli
	  required-package: samba-common-tools
	  login-policy: allow-realm-logins

	Should output a bunch of AD groups for the user:


	Should output "no such user":

	id domainuser

5. Restrict AD logins to certain groups only:

	realm permit -g
	realm permit -g "domain"

	Now the output of 'realm list' should include lines like this:
	  login-policy: allow-permitted-logins
	  permitted-groups:, domain

6. Add AD groups to /etc/sudoers (use backslashes to escape spaces):

	in /etc/sudoers:
	%domain\   ALL=(ALL)   ALL
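After the six steps above, the two settings worth re-checking are the realm login policy from step 5 and the sudoers entries from step 6. The script below is an added example, not part of the original guide: it audits a captured `realm list` output (a constructed sample; the group names are assumed) for an explicit, non-empty permitted-groups list, and generates a sudoers line with the spaces in an AD group name escaped as step 6 requires.

```shell
#!/bin/sh
# Post-join audit helpers, added here as an example; not part of the original guide.

# Constructed sample of `realm list` output after step 5 (group names are assumed).
SAMPLE_REALM_LIST='example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  configured: kerberos-member
  login-policy: allow-permitted-logins
  permitted-groups: domain admins, linux admins'

# check_login_policy reads `realm list` output on stdin. It succeeds only when
# the login policy is allow-permitted-logins AND the permitted-groups list is
# non-empty; the post-join default allow-realm-logins (every AD account may
# log in) and an empty group list both fail.
check_login_policy() {
    out=$(cat)
    policy=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*login-policy:[[:space:]]*//p')
    groups=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*permitted-groups:[[:space:]]*//p')
    case "$policy" in
        allow-permitted-logins)
            if [ -z "$groups" ]; then
                echo "FAIL: login-policy is restrictive but permitted-groups is empty" >&2
                return 2
            fi
            echo "OK: logins restricted to: $groups" ;;
        allow-realm-logins)
            echo "FAIL: allow-realm-logins lets every account in the realm log in" >&2
            return 1 ;;
        *)
            echo "FAIL: unexpected or missing login-policy '$policy'" >&2
            return 3 ;;
    esac
}

# sudoers_group_line turns an AD group name into the /etc/sudoers entry form used
# in step 6, escaping each space with a backslash so sudo reads the name as one token.
sudoers_group_line() {
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s   ALL=(ALL)   ALL\n' "$escaped"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_REALM_LIST" | check_login_policy
sudoers_group_line 'domain admins'
```

On a real host, pipe the live `realm list` output into check_login_policy, and validate any generated entry with `visudo -c -f <file>` before placing it under /etc/sudoers.d/.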