There are two methods for authenticating RHEL 6 to Active Directory. The two methods are completely different and should be configured according to the requirement and environment.

NSLCD

nslcd authenticates against Active Directory using the LDAP/Kerberos method, provided Unix Service for Windows is configured and Unix attributes are set for the Windows users.

SSSD

SSSD works in a way similar to NSLCD, but it tries to cache the user credentials so that authentication still works when the authentication server is unavailable. It also requires Unix Service for Windows and Unix attributes for the users.

Follow the steps below to configure RHEL 6 with AD using the LDAP/Kerberos method.

NSLCD :-

- Install RHEL 6 with the default packages.

- Install the packages below using yum.

    nss-pam-ldapd-0.7.5-3.el6.x86_64
    nss-pam-ldapd-0.7.5-3.el6.i686
    pam_ldap-185-5.el6.x86_64
    pam_ldap-185-5.el6.i686

- Make changes to the files below.

    [root@vm150 ~]# cat /etc/nslcd.conf
    uri ldap://10.65.208.43/
    base dc=gsslab,dc=pnq,dc=redhat,dc=com
    binddn cn=Administrator,cn=Users,dc=gsslab,dc=pnq,dc=redhat,dc=com
    bindpw RedHat1!
    # Mappings for Active Directory
    pagesize 1000
    referrals off
    filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map passwd uid sAMAccountName
    map passwd homeDirectory unixHomeDirectory
    map passwd gecos displayName
    filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map shadow uid sAMAccountName
    map shadow shadowLastChange pwdLastSet
    filter group (objectClass=group)
    map group uniqueMember member
    ssl no
    # tls_cacertdir /etc/openldap/cacerts

    [root@vm150 ~]# cat /etc/sysconfig/authconfig |grep LEGACY
    FORCELEGACY=yes

- Run "authconfig-tui" and select "Use LDAP" for "User Information" and "Use Kerberos" for "Authentication".

- In the LDAP Settings tab, leave the "Use TLS" option unselected and enter the AD server's fully qualified domain name or IP address and the base DN.

- In the Kerberos Settings tab, enter the AD server's realm, and list the AD server's fully qualified domain name or IP address for the KDC and Admin Server.

This results in the nslcd daemon being started.

Verify :-

    [root@vm150 ~]# id u1
    uid=10001(u1) gid=10000(Domain Users) groups=10000(Domain Users),10001(group1),10002(group2),909(group3),10011(group4),10012(group5),10013(group6),10014(group7),10015(group8),10016(group9),10005(group10),10006(group11),10007(group12),10008(group13),10009(group14),10010(group15),10018(group17),1111(Training),10020(TelnetClients)

    [root@vm150 ~]# getent passwd u1
    u1:*:10001:10000:user1:/home/u1:/bin/sh

SSSD :-

- Install RHEL 6 with the default packages.

- Make changes to /etc/sssd/sssd.conf.

    [root@vm172 ~]# cat /etc/sssd/sssd.conf |grep -v ^# |grep -v ^$
    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = default
    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    [pam]
    reconnection_retries = 3
    [domain/default]
    ldap_default_authtok_type = password
    ldap_id_use_start_tls = False
    cache_credentials = True
    ldap_group_object_class = group
    ldap_search_base = dc=gsslab,dc=pnq,dc=redhat,dc=com
    chpass_provider = krb5
    ldap_default_authtok = RedHat1!
    id_provider = ldap
    auth_provider = krb5
    ldap_default_bind_dn = cn=Administrator,cn=Users,dc=gsslab,dc=pnq,dc=redhat,dc=com
    ldap_user_gecos = displayName
    debug_level = 0
    ldap_uri = ldap://10.65.208.43/
    krb5_realm = GSSLAB.PNQ.REDHAT.COM
    krb5_kpasswd = 10.65.208.43
    ldap_schema = rfc2307bis
    ldap_force_upper_case_realm = True
    ldap_user_object_class = person
    ldap_tls_cacertdir = /etc/openldap/cacerts
    krb5_kdcip = 10.65.208.43

1. Run the authconfig-tui tool. Select LDAP under the "User Information" section and Kerberos under the "Authentication" section.

2. On the LDAP Settings step, leave the "Use TLS" option unselected and enter the AD server's fully qualified domain name and the base DN.

3. On the Kerberos Settings page, enter the AD server's realm, and list the AD server's fully qualified domain name for the KDC and Admin Server.

This results in the sssd daemon being restarted.

Verify :-

    [root@vm172 ~]# id u1
    uid=10001(u1) gid=10000(Domain Users) groups=10000(Domain Users),10020(TelnetClients),10021(group20),10022(group19),10023(group18),10018(group17),10010(group15),10009(group14),10008(group13),10007(group12),10006(group11),10005(group10),10016(group9),10015(group8),10014(group7),10013(group6),10012(group5),10011(group4),909(group3),10002(group2),10001(group1)

    [root@vm172 ~]# getent passwd u1
    u1:*:10001:10000:user1:/:/bin/sh
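
Both configurations above use ldap:// with TLS switched off and keep the Administrator bind password in the file, so that password is sent to the AD server unencrypted on every bind. The script below is an added example, not part of the original procedure, that flags those settings in an nslcd.conf or sssd.conf; the function names and the sample values (192.0.2.10, dc=example,dc=com, PLACEHOLDER) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag cleartext LDAP and exposed
# bind credentials in an nslcd.conf or a single-domain sssd.conf.

# conf_get FILE KEYS: last value of any key in KEYS ("a|b"), accepting both
# "key value" (nslcd) and "key = value" (sssd); comment lines are skipped.
conf_get() {
    awk -v k="^($2)\$" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          n = match(line, /[ \t=]/); if (!n) next
          if (substr(line, 1, n - 1) !~ k) next
          val = substr(line, n)
          sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# audit_ldap_conf FILE: print one finding per line; return 1 if any.
audit_ldap_conf() {
    f=$1; findings=0
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 2; }
    flag() { echo "$f: $1"; findings=$((findings + 1)); }
    uri=$(conf_get "$f" 'uri|ldap_uri')
    dn=$(conf_get "$f" 'binddn|ldap_default_bind_dn' | tr 'A-Z' 'a-z')
    pw=$(conf_get "$f" 'bindpw|ldap_default_authtok')
    tls=$(conf_get "$f" 'ssl|ldap_id_use_start_tls' | tr 'A-Z' 'a-z')
    # ldap:// is encrypted only with nslcd "ssl on|start_tls" or sssd StartTLS.
    case "$uri $tls" in
        " "*|ldaps://*|*" on"|*" start_tls"|*" true") ;;
        *) flag "cleartext LDAP ($uri): bind password and lookups are unencrypted" ;;
    esac
    case $dn in
        cn=administrator,*) flag "binds as Administrator; use a dedicated read-only account" ;;
    esac
    # A stored bind password needs a file that only its owner can access.
    if [ -n "$pw" ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        flag "bind password in a file with group/other permission bits set"
    fi
    [ "$findings" -eq 0 ]
}

# Audit the named files, or a constructed sample modelled on the page's nslcd.conf.
if [ $# -eq 0 ]; then
    sample=$(mktemp) && set -- "$sample"
    printf '%s\n' 'uri ldap://192.0.2.10/' 'ssl no' 'bindpw PLACEHOLDER' \
        'binddn cn=Administrator,cn=Users,dc=example,dc=com' > "$sample"
fi
for f in "$@"; do audit_ldap_conf "$f" || true; done
[ -z "$sample" ] || rm -f "$sample"
```

Run it as `sh audit.sh /etc/nslcd.conf /etc/sssd/sssd.conf`; the findings never print the password itself.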