[SSSD-users] home directory ownership

I’m new to SSSD in general. I configured a RHEL 6.5 machines to authenticate against a 2008 R2 AD using ldap_id_mapping because our AD does not have unix information defined for users. All appears to be working well. I had to add override_homedir = /home/%u to get home directories to to be created by oddjob mkhomedir. The only problem is the group ownership on the home directory is “domain users” rather than the user’s private group. The default permissions also allow domain users read/execute access to the home directory. It looks like you can change the umask used in /etc/pam.d/system-auth-ac, but I don’t see where I can control the group information. Any suggestions on best practices on how to fix this? I was surprised it wasn’t in the docs. -John