Ввод в домен AD машины astralinux

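# Join an Astra Linux host to an Active Directory domain through SSSD.
# x.x.x.x/y and the {{ ... }} fields are placeholders to fill in before running.

# resolvconf applies the dns-* options from /etc/network/interfaces.
sudo apt install resolvconf -y

# Static addressing for eth0. tee -a appends, so running this step twice
# leaves two eth0 stanzas in the file; check the result before restarting.
# NOTE(review): dns-domain is filled from defaults.domainadmin, the same
# variable passed below as the join account (-u). It probably should be the
# domain name ({{ server.domain }}); confirm before use.
sudo tee -a /etc/network/interfaces << EOF
auto eth0
iface eth0 inet static
  address x.x.x.x/y
  gateway x.x.x.x
  dns-nameservers x.x.x.x
  dns-domain {{ defaults.domainadmin }}
EOF
sudo systemctl restart networking

# Remove the file-size limit for every user ("*"), hard and soft.
# Only tee's echo of the text is discarded; errors stay visible on stderr.
# (The former "2&>/dev/null" made bash pass "2" to tee as a second output file.)
sudo tee /etc/security/limits.d/90-fsize.conf >/dev/null << EOF
* hard fsize unlimited
* soft fsize unlimited
EOF

# Install the Astra AD/SSSD client and join the domain as the given account.
sudo apt install astra-ad-sssd-client -y
sudo astra-ad-sssd-client -y -d {{ server.domain }} -u {{ defaults.domainadmin }}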

Rutoken 2fa

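# Rutoken smart-card login: PC/SC daemon, CCID driver, OpenSC and the
# OpenSSL PKCS#11 engine.
sudo apt install libccid pcscd libpcsclite1 pcsc-tools opensc libengine-pkcs11-openssl1.1 -y
# NSS tools (certutil, modutil), Kerberos PKINIT and the pam_krb5 module.
sudo apt install libnss3-tools krb5-pkinit libpam-krb5 -y

# Keys placed in /etc/digsig/keys become trusted by Astra's signature check
# for binaries, so confirm that rutoken_pub.key really comes from the vendor
# (fingerprint or checksum) before copying it. The initramfs is rebuilt so the
# key is picked up at boot.
sudo cp rutoken_pub.key /etc/digsig/keys/ -v
sudo update-initramfs -u -k all
sudo reboot

# --- Manual break: run the remaining steps after the host is back up. ---

# Local vendor packages (PKCS#11 module and reader driver). They are loaded
# during login, so compare their checksums with the vendor's published values.
sudo apt install -f ./librtpkcs11ecp_2.17.1.0-1_amd64.deb
sudo apt install -f ./ifd-rutokens_1.0.4_amd64.deb

# System NSS database holding the CA trusted for certificate login.
# 0755 rather than 0777: with a world-writable directory any local user could
# delete or replace the database files and so change which CA and which
# PKCS#11 module the login path trusts. Reading is unaffected by this change.
sudo mkdir -p /etc/pki/nssdb
sudo chmod 755 /etc/pki/nssdb
# The database gets no password; it stores only the public CA certificate.
sudo certutil -N -d /etc/pki/nssdb --empty-password
# CT,CT,CT trusts the CA to issue client and server certificates for SSL,
# S/MIME and object signing.
# NOTE(review): narrower trust flags may be enough for smart-card login; confirm.
sudo certutil -d /etc/pki/nssdb -A -n 'CA-ROOT-CERT' -t CT,CT,CT -a -i cacert.pem
sudo modutil -dbdir /etc/pki/nssdb -add "Rutoken PKCS11" -libfile librtpkcs11ecp.so
# Verification: list the certificates in the database and on every token.
sudo certutil -L -d /etc/pki/nssdb -h all

# The same CA certificate is used as the PKINIT trust anchor in krb5.conf.
# -p keeps the step repeatable when the directory already exists.
sudo mkdir -p /etc/krb5/
sudo cp cacert.pem /etc/krb5/ -v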
| /etc/krb5.conf
# Fragment to merge into the existing [libdefaults] section of /etc/krb5.conf;
# "..." stands for the settings that are already there.
[libdefaults]
...
# CA certificate used to validate the KDC certificate during PKINIT.
 pkinit_anchors = FILE:/etc/krb5/cacert.pem
# Hostname the KDC certificate must carry.
# NOTE(review): ipa.virt.int looks like an example value; for an AD join it
# should be the domain controller's name. Confirm.
 pkinit_kdc_hostname = ipa.virt.int
# kpServerAuth accepts a KDC certificate that carries only the TLS server
# authentication EKU instead of the dedicated KDC EKU (the default, kpKDC).
# This is weaker: any server certificate issued by the anchor CA for that
# hostname is accepted as the KDC. Keep the default if the KDC certificate
# has the KDC EKU.
 pkinit_eku_checking = kpServerAuth
# The client certificate and key are read from the token through the Rutoken
# PKCS#11 module.
 pkinit_identities = PKCS11:librtpkcs11ecp.so
| /etc/sssd/sssd.conf
# Fragment to merge into the [pam] section of /etc/sssd/sssd.conf.
# Turns on certificate (smart-card) authentication in the SSSD PAM responder;
# it is off by default.
# NOTE(review): the CA store SSSD validates against depends on how it was
# built (NSS database vs. PEM bundle); confirm it matches the store populated
# for this setup.
[pam]
pam_cert_auth = True
| /etc/pam.d/common-auth
# pam_krb5 entry for /etc/pam.d/common-auth.
# try_pkinit attempts PKINIT (token) first and falls back to a password prompt
# if that fails, so the token is not mandatory with this line. use_pkinit
# makes PKINIT required.
# success=6 skips the next six module lines on success. The count must match
# the actual stack, or a successful login may land on the wrong line (for
# example pam_deny.so) or skip a required module.
# minimum_uid=2500: the module ignores accounts with a lower UID.
# NOTE(review): common-auth is normally regenerated by pam-auth-update, which
# can overwrite manual edits; the /usr/share/pam-configs/krb5 profile is the
# persistent place for this setting. Confirm on the target system.
auth    [success=6 default=ignore]      pam_krb5.so minimum_uid=2500 try_pkinit
| /usr/share/pam-configs/krb5
Auth-Initial:
        [success=end default=ignore]    pam_krb5.so minimum_uid=2500 try_pkinit