[sssd]
# without this services get socket-activated which seems to be broken for sssd-pac
services = nss, pac, pam
config_file_version = 2

domains = {{ domain }}

[domain/{{ domain }}]
id_provider = ad
access_provider = ad

ad_domain = {{ domain }}
ad_enable_gc = true
ad_gpo_access_control = permissive
ad_gpo_ignore_unreadable = true
ad_update_samba_machine_account_password = true

krb5_realm = {{ domain | upper }}
krb5_store_password_if_offline = true
cache_credentials = true
ldap_id_mapping = true
use_fully_qualified_names = true

default_shell = /bin/bash
fallback_homedir = /home/%u@%d

# for debugging ticket renewals
#ad_maximum_machine_account_password_age = 1
#ad_machine_account_password_renewal_opts = 86400:10