MODIFIED DEFAULT OPTIONS
       Certain option defaults do not match their respective backend provider defaults. These option names and the AD provider-specific defaults are listed below:

       KRB5 Provider
           krb5_validate = true
           krb5_use_enterprise_principal = true

       LDAP Provider
           ldap_schema = ad
           ldap_force_upper_case_realm = true
           ldap_id_mapping = true
           ldap_sasl_mech = GSS-SPNEGO
           ldap_referrals = false
           ldap_account_expire_policy = ad
           ldap_use_tokengroups = true
           ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)

       The AD provider looks for a different principal than the LDAP provider by default, because in an Active Directory environment the principals are divided into two groups: User Principals and Service Principals. Only a User Principal can be used to obtain a TGT, and by default a computer object's principal is constructed from its sAMAccountName and the AD realm. The well-known host/hostname@REALM principal is a Service Principal and thus cannot be used to obtain a TGT.

       NSS configuration
           fallback_homedir = /home/%d/%u

       The AD provider automatically sets "fallback_homedir = /home/%d/%u" to provide personal home directories for users without the homeDirectory attribute. If your AD domain is properly populated with POSIX attributes and you want to avoid this fallback behavior, you can explicitly set "fallback_homedir = %o".

       Note that the system typically expects a home directory in the /home/%u folder. If you decide to use a different directory structure, other parts of your system may need adjustments. For example, automated creation of home directories in combination with SELinux requires an SELinux adjustment; otherwise the home directory will be created with the wrong SELinux context.
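A small audit script, added here as an example and not part of sssd or its documentation, that reads the AD domain section of an sssd.conf and reports every listed option whose effective value differs from the AD provider defaults above, with a short note on overrides that weaken a default. The sample configuration and the note wording are constructed for the example; ldap_sasl_authid is left out because its default is derived from the host name.

```python
"""Compare an sssd.conf AD domain against the sssd-ad(5) modified defaults."""
import configparser

# AD provider defaults as listed in sssd-ad(5), stored as sssd.conf would spell them.
AD_DEFAULTS = {
    "krb5_validate": "true",
    "krb5_use_enterprise_principal": "true",
    "ldap_schema": "ad",
    "ldap_force_upper_case_realm": "true",
    "ldap_id_mapping": "true",
    "ldap_sasl_mech": "GSS-SPNEGO",
    "ldap_referrals": "false",
    "ldap_account_expire_policy": "ad",
    "ldap_use_tokengroups": "true",
    "fallback_homedir": "/home/%d/%u",
}

# Overrides worth calling out (constructed reviewer notes, keyed by lowercased value).
RISKY = {
    ("krb5_validate", "false"): "TGT no longer validated against the host keytab",
    ("ldap_referrals", "true"): "referral chasing re-enabled",
    ("ldap_id_mapping", "false"): "POSIX IDs must come from AD attributes; verify they are populated",
}

# Constructed sample sssd.conf for the demonstration (not a real deployment).
SAMPLE_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ad
ad_domain = example.test
krb5_validate = false
fallback_homedir = %o
ldap_id_mapping = True
"""


def audit_ad_domain(conf_text, domain):
    """Return (option, value, default, note) for each option that differs from the AD default."""
    # interpolation=None keeps %d/%u/%o as literal text instead of configparser substitutions.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = parser[f"domain/{domain}"]
    if section.get("id_provider", "").strip() != "ad":
        raise ValueError(f"domain/{domain} does not use id_provider = ad")
    findings = []
    for option, default in AD_DEFAULTS.items():
        value = section.get(option, default).strip()
        if value.lower() != default.lower():  # sssd boolean values are case-insensitive
            note = RISKY.get((option, value.lower()), "differs from AD provider default")
            findings.append((option, value, default, note))
    return findings


if __name__ == "__main__":
    for option, value, default, note in audit_ad_domain(SAMPLE_CONF, "example.test"):
        print(f"{option} = {value} (default {default}): {note}")
```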