sudo apt install resolvconf -y
sudo tee -a /etc/network/interfaces << EOF
auto eth0
iface eth0 inet static
  address x.x.x.x/y
  gateway x.x.x.x
  dns-namserves x.x.x.x
  dns-domain {{ defaults.domainadmin }}
EOF
sudo systemctl restart networking

sudo tee /etc/security/limits.d/90-fsize.conf 2&>/dev/null << EOF
* hard fsize unlimited
* soft fsize unlimited
EOF
sudo apt install astra-ad-sssd-client -y
sudo astra-ad-sssd-client -y -d {{ server.domain }} -u {{ defaults.domainadmin }}

sudo apt install libccid pcscd libpcsclite1 pcsc-tools opensc libengine-pkcs11-openssl1.1 -y
sudo apt install libnss3-tools krb5-pkinit libpam-krb5 -y

sudo cp rutoken_pub.key /etc/digsig/keys/ -v
sudo update-initramfs -u -k all

sudo reboot

sudo apt install -f ./librtpkcs11ecp_2.17.1.0-1_amd64.deb
sudo apt install -f ./ifd-rutokens_1.0.4_amd64.deb

sudo mkdir /etc/pki/nssdb -p
sudo chmod 777 /etc/pki/nssdb
sudo certutil -N -d /etc/pki/nssdb --empty-password
sudo certutil -d /etc/pki/nssdb -A -n 'CA-ROOT-CERT' -t CT,CT,CT -a -i cacert.pem

sudo modutil -dbdir /etc/pki/nssdb -add "Rutoken PKCS11" -libfile librtpkcs11ecp.so
#проверка:
sudo certutil -L -d /etc/pki/nssdb -h all

sudo mkdir /etc/krb5/
sudo cp cacert.pem /etc/krb5/ -v

| /etc/krb5.conf

[libdefaults]
...
pkinit_anchors = FILE:/etc/krb5/cacert.pem
pkinit_identities = PKCS11:/usr/lib/librtpkcs11ecp.so

| /etc/sssd/sssd.conf

[pam]
pam_cert_auth = True