Install the required packages from EPEL:
yum --enablerepo=epel -y install adcli sssd authconfig pam_krb5 samba4-common
Update the network DNS setting so the host resolves the AD domain:
[root@dlp ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens192
# point DNS at the AD domain controller
DNS1=10.10.0.90
[root@dlp ~]# /etc/rc.d/init.d/network restart
Change the authentication provider:
[root@dlp ~]# authconfig --enablekrb5 --krb5kdc=tst.com --krb5adminserver=tst.com --krb5realm=tst.com --enablesssd --enablesssdauth --update
Check the Active Directory domain information:
adcli info tst.com
[domain]
domain-name = tst.com
domain-short = TST
domain-forest = tst.com
domain-controller = dc04.tst.com
domain-controller-site = Default-First-Site-Name
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = dc04.tst.com dc03.tst.com dc02.tst.com dc01.tst.com
[computer]
computer-site = Default-First-Site-Name
Join the Active Directory domain:
[root@dlp ~]# adcli join tst.com -U lzhang -W
Password for lzhang@tst.com:
If adcli succeeds, the host keytab is created at /etc/krb5.keytab.
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = tst.com
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
tst.com = {
kdc = dc01.tst.com
admin_server = dc01.tst.com
}
[domain_realm]
.tst.com = tst.com
tst.com = tst.com
[root@dlp ~]# vi /etc/sssd/sssd.conf
# create new (replace the hostname in the example with your own)
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = tst.com
#debug_level = 9
[domain/tst.com]
ad_domain = tst.com
ad_server = dc01.tst.com
krb5_realm = tst.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
#auth_provider = ad
#chpass_provider = ad
access_provider = ad
ad_access_filter = (|(memberOf=CN=centos-admin,OU=Groups,DC=tst,DC=com)(memberOf=CN=ebay01,OU=Groups,DC=tst,DC=com))
default_shell = /bin/bash
#ad_gpo_access_control = enforcing
debug_level = 9
[root@dlp ~]# chmod 600 /etc/sssd/sssd.conf
[root@dlp ~]# vi /etc/pam.d/system-auth-ac
# add the following to the end (creates the home directory on first login if it does not exist)
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Check whether the mkhomedir module is enabled in /etc/sysconfig/authconfig.
If it is not enabled, run the following:
authconfig --enablemkhomedir --update
[root@dlp ~]# /etc/rc.d/init.d/sssd start
On CentOS 7, use instead:
systemctl start sssd
[root@dlp ~]# chkconfig sssd on
On CentOS 7, use instead:
systemctl enable sssd
Check whether AD user information can be resolved:
[root@dlp ~]# id lzhang
uid=797801106(serverworld) gid=797800513(domain users) groups=797800513(domain users)
# check whether it is possible to switch to an AD user
su - lzhang
If there is any problem, check the system log:
sudo tail -n 50 /var/log/messages
Problem 1: if you cannot resolve a domain user with id or cannot join the AD domain, the cause may be "Clock skew too great": Kerberos rejects authentication when the client and domain-controller clocks differ by more than the allowed skew, so synchronize the time on the server or client (e.g. with NTP).