Basically here is the realm command we use to join the appropriate regional AD domain:

realm join -v --automatic-id-mapping=no --computer-ou="OU=Servers,OU=UNIX,DC=$SUPPORTREGION,DC=COMPANY,DC=COM"  --user-principal="host/`hostname --fqdn`@$JOINDOMAIN"  $JOINDOMAIN

As part of this, realm join internally runs the following command:

 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

But that sets /etc/pam.d/password-auth and /etc/pam.d/system-auth to a sub-optimal PAM stack.  I.e., not what we desire.

For example,  99.9% of our users are in AD.  So we want to run pam_sssd *before* pam_unix.  

We are very comfortable with testing and debugging PAM stacks.   We have a stable, tested PAM stack that works great -- ever since RHEL7. 

Basically, after the 'realm join' above is done, we have to overwrite /etc/pam.d/{system-auth,password-auth,postlogin} with what we desire.

If 'realm join' can't be convinced to not run authselect, we're ok with creating a custom/profile authselect profile with what we want.  And then convince realm join to run:

authselect select custom/profile

Instead of the above authselect select sssd

Prior to running 'realm join', I have to drop down a /etc/realmd.conf file so that the 'realm join' behaves as I want it to.    Is there any option in realmd.conf to not run authselect or tailor the authselect command?  Or may a flag on the 'realm discover' command line?

I don't remember any of these problems with realm join on RHEL7.  Maybe it was running authconfig inappropriately as well -- and I just never noticed, because I over-wrote with desired PAM stack?