How to migrate from pam_krb5 to SSSD in Red Hat Enterprise Linux

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7.4
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9.0, 9.1, 9.2
  • SSSD
  • Active Directory
  • pam_krb5

Issue

  • How to migrate from pam_krb5 to SSSD in RHEL8
  • Unable to authenticate local user via AD
  • Username is the same in AD and local machine
  • pam_krb5.so is missing from RHEL8 package repositories.

Resolution

NOTE: RHEL 9.3 and later will NOT work with the files provider. Use the ldap or ad provider instead to authenticate against AD.

Steps

  • Install the necessary sssd and krb5 packages:
# yum install sssd* krb5-workstation -y
  • Make sure /etc/nsswitch.conf file looks like below:
passwd:     sss files systemd
group:      sss files systemd
shadow:     files sss
  • Configure the /etc/krb5.conf file as below if you want to use other tools such as kinit and klist, as these Kerberos tools read /etc/krb5.conf as their configuration file.
# cat /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
     kdc = ad.example.com
     admin_server = ad.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
  • Create the /etc/sssd/sssd.conf file as below:
[sssd]
    services = nss, pam
    domains = EXAMPLE.COM

[domain/EXAMPLE.COM]
    id_provider = files
    auth_provider = krb5
    krb5_realm = EXAMPLE.COM
    krb5_server = ad.example.com
    krb5_validate = false
    debug_level = 0
  • Make sure permission and ownership of /etc/sssd/sssd.conf is correct.
chmod 600 /etc/sssd/sssd.conf
chown root:root /etc/sssd/sssd.conf
  • Configure the /etc/pam.d/system-auth and /etc/pam.d/password-auth files as below:
# Generated by authselect on Wed May  8 08:55:04 2019
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
  • Check whether login using AD password is successful.
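A post-migration audit script, added here as an example and not part of the Red Hat article: it checks for the end state the steps above produce (no pam_krb5.so left in /etc/pam.d, a pam_sss.so auth line in both system-auth and password-auth, sss in the nsswitch passwd and group lines, and sssd.conf root-owned with mode 0600). Run stand-alone it audits a constructed sample tree; run as root with `/` as the first argument it audits the real host.

```shell
#!/bin/sh
# Post-migration audit (added example, not part of the Red Hat article).
# Checks a root directory (default "/") for the end state the steps above
# produce: no pam_krb5.so left in /etc/pam.d, pam_sss.so in both auth
# stacks, sss in nsswitch passwd/group, and sssd.conf owned by uid 0, mode 0600.
# Usage: check_migration [ROOT] [EXPECTED_OWNER_UID]
check_migration() {
    root="${1:-}"; want_uid="${2:-0}"; rc=0
    if grep -rqs 'pam_krb5\.so' "$root/etc/pam.d"; then
        echo "FAIL: pam_krb5.so still referenced under $root/etc/pam.d"; rc=1
    fi
    for f in system-auth password-auth; do
        grep -qs '^auth[[:space:]].*pam_sss\.so' "$root/etc/pam.d/$f" \
            || { echo "FAIL: no pam_sss.so auth line in $f"; rc=1; }
    done
    for db in passwd group; do
        grep -Eqs "^$db:.*[[:space:]]sss([[:space:]]|$)" "$root/etc/nsswitch.conf" \
            || { echo "FAIL: nsswitch $db does not consult sss"; rc=1; }
    done
    conf="$root/etc/sssd/sssd.conf"
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf is missing"; rc=1
    else
        mode=$(stat -c '%a' "$conf"); uid=$(stat -c '%u' "$conf")
        [ "$mode" = "600" ] || { echo "FAIL: $conf mode $mode, expected 600"; rc=1; }
        [ "$uid" = "$want_uid" ] || { echo "FAIL: $conf owner uid $uid, expected $want_uid"; rc=1; }
    fi
    return $rc
}

# Constructed sample tree reproducing the article's files, for an offline run.
make_sample_tree() {
    mkdir -p "$1/etc/pam.d" "$1/etc/sssd"
    printf 'passwd:     sss files systemd\ngroup:      sss files systemd\nshadow:     files sss\n' \
        > "$1/etc/nsswitch.conf"
    for f in system-auth password-auth; do
        printf 'auth        sufficient    pam_unix.so nullok try_first_pass\nauth        sufficient    pam_sss.so forward_pass\nauth        required      pam_deny.so\n' \
            > "$1/etc/pam.d/$f"
    done
    printf '[sssd]\nservices = nss, pam\ndomains = EXAMPLE.COM\n' > "$1/etc/sssd/sssd.conf"
    chmod 600 "$1/etc/sssd/sssd.conf"
}

# Stand-alone demo: audit the constructed tree as the current user (for a real host: check_migration / as root).
tmp=$(mktemp -d)
make_sample_tree "$tmp"
check_migration "$tmp" "$(id -u)" && echo "OK: migration state looks complete"
rm -rf "$tmp"
```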

Root Cause

  • pam_krb5

    This PAM module provides Kerberos-based authentication. From the very beginning of its existence the SSSD project was targeting replacing pam_krb5 on the system. SSSD has offered Kerberos authentication for years, but also much more. With the release of Red Hat Enterprise Linux 7.4 SSSD has the features that we believe users need from the standard pam_krb5 module, and we felt ready to add it to the set of deprecated PAM modules.

  • pam_krb5.so no_user_check
    SSSD refuses to admit users that do not exist (i.e., that cannot be resolved through its NSS interface). Therefore, the no_user_check option from pam_krb5 (previously marked as potentially dangerous) has no SSSD analogue.

  • Upstream links: Migrating from pam_krb5 (sssd.io, docs.pagure.org)

Note: If the pam_krb5 module is already present in the /etc/pam.d configuration, disable it using the command below.

$ authconfig --disablekrb5 --update