SLES 9 Authentication to Active Directory | SUSE Communities



Updated – 02/15/2008

We created a Windows 2003 Server, installed Active Directory (ADS) on it and named the domain; the configuration files below use EXAMPLE as the NetBIOS domain and EXAMPLE.COM as the realm. After that we installed Windows Services for Unix (SFU), which can be downloaded from Microsoft. SFU adds the UNIX Attributes tab used in the next step.

After installing Windows Services for Unix we can adjust an existing user, or create a new one, so that Linux can use it. Follow the steps below.

  1. Open Active Directory Users and Computers.
  2. Open the Properties of the user account you want to enable for Linux authentication. In this example the user is geeko.
  3. In the Properties dialog, click the new UNIX Attributes tab.
  4. In the NIS Domain field, select your domain.
  5. Adjust the remaining options to suit your environment. I suggest setting Primary group name/GID to 100, which is the standard users group on SLES and SLED, unless your own standard says otherwise.

Now that the User has been modified in Active Directory for Authentication to Linux we can move on to the next step.

We then created a SLES 9 SP3 server.

After the installation was done we installed the Samba client and Kerberos client packages.

First we configured Samba 3 to authenticate against ADS. smb.conf (/etc/samba/smb.conf) is the main Samba configuration file. We initially used YaST to set up the Samba client and then went back to smb.conf to make adjustments. A fully commented version is available at /usr/share/doc/packages/samba/examples/smb.conf.SuSE, and it won't hurt to copy the one below into your configuration.

Note: the values written in CAPS (workgroup and realm) must stay in CAPS. Kerberos realm names are case-sensitive, and Active Directory realms are upper case.

Three things to be aware of before copying it. map to guest = Bad User maps SMB logons with an unknown user name to the guest account; that is the SUSE file-server default, but on a box that only needs domain logins set it to Never. The idmap uid and idmap gid ranges are allocated by winbind's default tdb backend on this host the first time it sees a domain user or group; they are not the UID and GID you entered on the UNIX Attributes tab, and they will differ from host to host. If you want AD's uidNumber and gidNumber honoured, winbind needs an AD-aware idmap backend (see the idmap backend parameter in smb.conf(5) for your Samba version). Finally, winbind use default domain = yes removes the EXAMPLE+ prefix from user names, so a domain account whose name matches a local account (root, or a service account) would be authenticated by pam_winbind while getting the local UID from /etc/passwd; make sure no such name collisions exist, or keep the prefix.
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        security = ADS
        password server =
        winbind separator = +
        winbind cache time = 10
        winbind use default domain = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/%U
        template shell = /bin/bash
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password*%n\n*password:*all*authentication*tokens*updated*successfully
        pam password change = Yes
        map to guest = Bad User
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile

# the share sections below follow the layout of the SUSE default smb.conf (smb.conf.SuSE)
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700

[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/

[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775


After smb.conf was in place we configured the Kerberos client. You can set it up in YaST, which writes everything that is needed. Here is what /etc/krb5.conf looks like; you can also copy this one and change the entries to match your environment.

Note: again, the realm names in CAPS must stay in CAPS. clockskew = 300 is the largest clock difference (five minutes) the KDC tolerates, so keep the server's clock synchronised with the domain controllers (ntp); an unsynchronised clock is the most common reason kinit and net ads join fail. forwardable = true lets a service receive a copy of the user's ticket-granting ticket; leave it false unless you need credential forwarding. minimum_uid = 0 in the pam block (read by pam_krb5, should you use it instead of pam_winbind) means root is also tried against Kerberos; raising it keeps root and system accounts local.

[libdefaults]
        default_realm = EXAMPLE.COM
        clockskew = 300

[realms]
        EXAMPLE.COM = {
                kdc = (hostname of a domain controller; an IP address also works)
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .example.com = EXAMPLE.COM

[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
}

Note: before starting any daemons, make sure the client and the server can resolve and reach each other by short hostname and by FQDN (ping both ways). Kerberos builds the host principal from the FQDN, so a server that cannot resolve its own FQDN will fail to join.

Next, edit /etc/nsswitch.conf so that user and group lookups go to winbind after the local files. Keeping files first means root and local service accounts still resolve when winbind or the domain controller is unavailable. Here is what the file looks like; again, you can copy the one provided here.

# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Legal entries are:
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the /var/db databases
#       [NOTFOUND=return]       Stop searching if not found so far
# For more information, please read the nsswitch.conf.5 manual page.
# passwd: files nis
# shadow: files nis
# group:  files nis
passwd: files winbind
shadow: files winbind
group:  files winbind
hosts:          files dns
networks:       files dns
services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
publickey:      files
bootparams:     files
automount:      files nis
aliases:        files

Now we can start the winbind daemon:

rcwinbind start

Note: for debugging, disable the nscd caching daemon in all runlevels and stop it if it is running; otherwise stale cached lookups hide the effect of your changes. Use the following commands:
rcnscd stop
chkconfig nscd off

After winbind has been started, verify that Kerberos works by obtaining a ticket with the following command (klist shows the ticket afterwards; kdestroy discards it):

kinit Administrator@EXAMPLE.COM

Once Kerberos has been verified, join the server to the domain. Any account that is allowed to join computers to the domain will do, so you do not have to use Administrator:

net ads join -U Administrator

The join stores the machine account password in Samba's secrets.tdb (in its private directory); keep that file readable by root only.

Now see if you can retrieve the Domain Information with the following commands.

wbinfo -u
wbinfo -g

Some other helpful commands show how the AD users and groups appear to the system. If the names come back with the domain and separator in front of them (EXAMPLE+geeko instead of geeko), winbind use default domain is not in effect; adjust your smb.conf settings and restart winbind.

getent passwd
getent group

In order for a user to log in we need to edit the /etc/pam.d/login file as follows:

Note: This is for Console Logins.
auth required
auth required
auth sufficient
auth sufficient nullok use_first_pass
auth required
auth required
account sufficient
account required
password sufficient
password required nullok
password required nullok use_first_pass use_authtok
session required skel=/etc/skel/ umask=0077
#session sufficient none # debug or trace
session sufficient

Notice the session line carrying skel=/etc/skel/ umask=0077. It creates the user's home directory on first login, if one does not exist yet, populated from /etc/skel and with mode 0700 so that only the user has access to it. The sufficient lines are what allow authentication against the AD server: winbind is tried first, and the local password files remain the fallback, so root can still log in when the domain is unreachable. nullok on the local line permits empty local passwords, as in the SLES default; drop it if your policy forbids them.

If you will be logging into the system via ssh then your /etc/pam.d/sshd file should look as follows:

auth     sufficient
auth     required    # set_secrpc
auth     required
auth     required
account  sufficient
account  required
account  required
password sufficient use_authtok
password required
password required    use_first_pass use_authtok
password required    use_authtok
session  required    none # trace or debug
session required skel=/etc/skel/ umask=0077
session  required
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional fake_ttyname

Again, the changes are the sufficient lines and the session line with skel=/etc/skel/ umask=0077.

Now try logging in via ssh or on the console with a Windows user name; it should succeed.

If you like, you can also adjust other PAM services such as sudo or su to use winbind in the same way. Just make the corresponding changes in the relevant /etc/pam.d/* file.

Another question that will arise is "How do I lock my system down so that only specific groups can log in?", and the answer is simple. Add a line like the following to your PAM configuration for login, sshd, or both:

account sufficient gid=10003

This module succeeds only when the user is a member of GID 10003; change the number to fit your needs (with the idmap ranges above, domain groups receive GIDs from 10000-20000, and getent group shows which). One caveat on the control flag: with sufficient, a match ends the account stack successfully, but a non-member simply falls through to the lines that follow and can still be accepted by them. To actually deny non-members, use required (or requisite) on this line instead. See the module's man page for the details.
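To tie the login stack above and the group restriction together, here is an added example of a complete /etc/pam.d/login for SLES 9; it is not the article's own file. The module names and their order are my assumptions based on the default SLES 9 PAM stack (pam_unix2, pam_pwcheck, pam_mkhomedir) plus pam_winbind from the samba-winbind package, and the group restriction uses pam_winbind's own require_membership_of option instead of a separate account module; the group EXAMPLE+linuxusers is an assumed name. Check the module names against the files shipped on your system and that your pam_winbind documents require_membership_of before relying on it.

```text
#%PAM-1.0
# /etc/pam.d/login for an ADS member (example; module names assumed, verify against your system)
auth     required    pam_securetty.so
auth     required    pam_nologin.so
# Domain users: pam_winbind only succeeds for members of the assumed group EXAMPLE+linuxusers.
# The name form is DOMAIN<winbind separator>group; a group SID survives group renames.
auth     sufficient  pam_winbind.so require_membership_of=EXAMPLE+linuxusers
# Local accounts (root, service accounts) fall back to /etc/shadow; "sufficient" here means a
# domain failure never locks root out when the domain controller is unreachable.
auth     sufficient  pam_unix2.so nullok use_first_pass
auth     required    pam_env.so
auth     required    pam_mail.so
account  sufficient  pam_winbind.so
account  required    pam_unix2.so
password sufficient  pam_winbind.so
password required    pam_pwcheck.so nullok
password required    pam_unix2.so nullok use_first_pass use_authtok
# Create /home/<user> from /etc/skel on first login, mode 0700, owner only.
session  required    pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  required    pam_unix2.so none
session  required    pam_limits.so
session  sufficient  pam_winbind.so
```

The same auth line, with require_membership_of, goes into /etc/pam.d/sshd to apply the restriction to ssh logins as well; because the restriction is enforced in the auth phase by the module that actually talks to the domain, a non-member fails authentication outright rather than falling through to later account modules.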


Author: cseader