Joining Debian 9 to Active Directory

I am trying to configure some Linux servers (Debian 9.5) to authenticate against our Active Directory server. Following this video, I have done the basics: https://www.youtube.com/watch?v=LSShUG75pWw I am not doing the Samba part, I only want the AD part. I have verified that I can log in with one of my domain accounts, but there is a small problem.

I cannot initialize .bashrc, nor any config file in the user's home folder, which has the form /home/mydomainname.org/myusername/

After further investigation, I found that Linux does not like spaces in groups. This causes a problem for the "Domain Users" default group.

I want to restrict access to only users who belong to a certain user group in my domain, e.g. "LinuxUsers". Only people in this AD group should be able to authenticate against the domain controller from the Linux servers.

I am using the following Linux modules: sssd and krb5-user. Here is my configuration:

[sssd]
services = nss, pam
config_file_version = 2
domains = EXAMPLE.COM

[domain/EXAMPLE.COM]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.example.com

# Uncomment if DNS SRV resolution is not working
# ad_server = dc.example.com

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = EXAMPLE.COM

# Enumeration is discouraged for performance reasons.
# enumerate = true

# /etc/krb5.conf example

[libdefaults]
  ticket_lifetime = 24h
  default_realm = EXAMPLE.COM
  forwardable = true

[realms]
  EXAMPLE.COM = {
    kdc = 192.168.100.2
    default_domain = EXAMPLE.COM
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[kdc]
  profile = /etc/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

[logging]
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log

Any suggestions?
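An added example, not part of the original post: the two settings the posted sssd.conf is missing are override_space (sssd rewrites "Domain Users" to "Domain_Users" in its NSS output, so nothing downstream has to cope with a space in a group name) and ad_access_filter (with access_provider = ad, limits logins to members of one AD group). The /etc/skel files (.bashrc, .profile) only land in a new home directory when pam_mkhomedir creates it, which the comment in the posted config already hints at. The script below renders a corrected /etc/sssd/sssd.conf, installs it with the permissions sssd insists on, enables pam_mkhomedir, and runs the checks a practitioner would use afterwards. Everything domain-specific is an assumption: AD domain example.com, realm EXAMPLE.COM, the group DN CN=LinuxUsers,OU=Groups,DC=example,DC=com, and the test account alice; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed (hypothetical) values:
# domain example.com, realm EXAMPLE.COM, group DN for LinuxUsers, user alice.
set -eu

AD_DOMAIN="${AD_DOMAIN:-example.com}"
REALM="${REALM:-EXAMPLE.COM}"
LINUX_GROUP_DN="${LINUX_GROUP_DN:-CN=LinuxUsers,OU=Groups,DC=example,DC=com}"
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# Print the corrected sssd.conf. override_space fixes the "Domain Users"
# problem; ad_access_filter restricts logins to the LinuxUsers group.
render_sssd_conf() {
    cat <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = ${AD_DOMAIN}

[domain/${AD_DOMAIN}]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_domain = ${AD_DOMAIN}
krb5_realm = ${REALM}
cache_credentials = True

# Replace the space in AD names such as "Domain Users" with an underscore.
override_space = _

# Only members of this AD group may log in (group DN is an assumption).
ad_access_filter = (memberOf=${LINUX_GROUP_DN})

# Per-domain home directories; pam_mkhomedir (enabled by apply below) creates
# them from /etc/skel on first login, which is what populates .bashrc/.profile.
override_homedir = /home/%d/%u
default_shell = /bin/bash
use_fully_qualified_names = False
EOF
}

# Return non-zero unless the config carries the settings the posted one lacks.
verify_conf() {
    conf="$1"
    for key in access_provider override_space ad_access_filter override_homedir; do
        grep -q "^${key} *= *" "$conf" || { echo "missing: $key" >&2; return 1; }
    done
}

# Install the config, enable home-directory creation, restart sssd (root only).
apply() {
    render_sssd_conf > "$SSSD_CONF"
    chown root:root "$SSSD_CONF"
    chmod 600 "$SSSD_CONF"      # sssd refuses a group/world-readable config
    # Debian's pam-auth-update profile for pam_mkhomedir; fall back to editing
    # common-session directly if the profile is not shipped on this system.
    if ! pam-auth-update --enable mkhomedir 2>/dev/null; then
        grep -q pam_mkhomedir /etc/pam.d/common-session ||
            echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" \
                >> /etc/pam.d/common-session
    fi
    sss_cache -E                # drop cached entries that still carry spaces
    systemctl restart sssd
}

# Post-change checks; the user name is an assumption.
verify() {
    user="${1:-alice}"
    getent passwd "$user"       # home should now read /home/${AD_DOMAIN}/${user}
    id "$user"                  # groups show Domain_Users, no space
    getent group "Domain_Users"
    kinit "${user}@${REALM}"    # Kerberos path, independent of sssd
    klist
    # A user outside LinuxUsers fails here with "Permission denied"; the reason
    # is logged in /var/log/sssd/sssd_${AD_DOMAIN}.log (raise debug_level to see it).
    su - "$user" -c 'ls -la "$HOME"'   # .bashrc/.profile copied from /etc/skel
}

case "${1:-render}" in
    render) render_sssd_conf ;;
    apply)  apply ;;
    verify) verify "${2:-alice}" ;;
    *) echo "usage: $0 render|apply|verify [user]" >&2; exit 2 ;;
esac
```

Run it as `sh join-ad.sh render` to inspect the generated file, `sudo sh join-ad.sh apply` to install it, then `sh join-ad.sh verify alice` with a domain account. Two caveats: override_space only changes what sssd hands to NSS, so `id` output changes but nothing in AD does, which is why the cache is flushed after the change; and with access_provider = ad, sssd also evaluates AD GPO logon rights (ad_gpo_access_control), so a "Permission denied" after this change can come from the GPO check rather than from ad_access_filter, and the domain log under /var/log/sssd says which one denied the login.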
