[sssd]
domains = {{ domain }}
config_file_version = 2
services = nss, pam

[pam]
offline_credentials_expiration = 1
offline_failed_login_attempts = 3
offline_failed_login_delay = 0

[domain/{{ domain }}]
ad_domain = {{ domain }}
krb5_realm = {{ domain.upper() }}
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = true
ldap_user_fullname = displayName
krb5_lifetime = 48h
krb5_renewable_lifetime = 200h
krb5_renew_interval = 30m
ad_gpo_access_control = disabled # ignore group policies