
How to authenticate AD users on SLES/SLED

This document (7001912) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Desktop 10 Service Pack 2
SUSE Linux Enterprise Desktop 10 Service Pack 1
SUSE Linux Enterprise Server 10 Service Pack 2
SUSE Linux Enterprise Server 10 Service Pack 1
SUSE Linux Enterprise Server 9 Service Pack 4


Users from an Active Directory server (such as Windows 2003) need access to SLES/SLED computers.
keywords:  winbind pam pam.d security require_membership_of active directory


Step 1:  The SLES/SLED system must be joined to the ADS domain.  On the SLES/SLED computer, run the command:

   yast2 samba-client

Check the box for "Also Use SMB Information for Linux Authentication".
[Optional:]  Clicking on "Create directory on logon" will cause a user's home directory to be created automatically when the user logs in to SLES/SLED.

Step 2:  [OPTIONAL]  It is possible to restrict which users in Active Directory can log in, based on their group membership.  The easiest way to do this is described below:
a.  Create or identify a group (e.g. group1) and add the users who are allowed access to this group.

b.  On SLES/SLED, find the SID of the group from step 2a with the command:

   wbinfo --name-to-sid=NET\\group1

Output will look like this:

   S-1-5-21-3169155090-2081415613-2343130028-1107 Domain Group (2)

The SID is the long S-xxx number, not including the "Domain Group (2)" portion.

c.   Edit /etc/security/pam_winbind.conf, and find the [global] section.  Add a membership entry specifying one or more SIDs, as shown below:

   require_membership_of = S-1-5-21-3169155090-2081415613-2343130028-1107

Note:  SIDs or group names should be separated by commas with no spaces.  Do not create multiple "require_membership_of" lines; if you do, only the last one will be used.

Additional Information

Additional points:
A.  Group names can be used instead of SIDs, but because of occasional restrictions (for example, group names containing spaces are not handled), using SIDs as described above is recommended.
B.  If you want to add group restrictions to just *some* services (for example, sshd) but not others, then instead of putting "require_membership_of" restrictions in /etc/security/pam_winbind.conf, put them in the service's own file under /etc/pam.d.  For example, in /etc/pam.d/sshd, find the existing "auth" lines and then *after* those, add the following pam_winbind line (using the SID determined earlier):

   auth required pam_winbind.so require_membership_of=S-1-5-21-3169155090-2081415613-2343130028-1107 krb5_auth try_first_pass
C.  User home directories may be created in /home/[domain]/user.

D.  Users logging in through ssh may need to use the domain\user@host syntax.
For example, user "user1" on domain NET may have to use:

   ssh NET\\user1@sles

E.  To check whether a user is a member of group "group1":

  First find out the group id using the command format:

   wbinfo --group-info=NET\\group1

  The numeric group id (gid) is part of the output (10002 in this example).

  Then check the group membership list for the user:

   wbinfo --user-groups=NET\\user1

  The output lists the ids of the groups that the user belongs to, for example:

   10002 <-- this is the id of group1, so the user is a member
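As an added example (not part of the SUSE document), the following POSIX shell helpers parse the wbinfo output formats shown in Step 2b and point E, and check a pam_winbind.conf [global] section against the single-line, no-spaces rule for require_membership_of from Step 2c. The wbinfo output strings and configuration fragments are constructed to match the formats above, so it runs without a joined domain.

```shell
#!/bin/sh
# Added example, not from the SUSE article. The wbinfo output strings below are
# constructed to match the formats shown in the article, so this runs offline.
# Pull the SID out of a "wbinfo --name-to-sid" output line such as
#   S-1-5-21-3169155090-2081415613-2343130028-1107 Domain Group (2)
sid_from_name_to_sid() {
    printf '%s\n' "$1" | awk '$1 ~ /^S-1-/ { print $1; exit }'
}

# Succeed if numeric gid $1 appears in "wbinfo --user-groups" output $2.
user_in_group() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# Lint the [global] section of a pam_winbind.conf: exactly one
# require_membership_of line whose value contains no whitespace.
# Prints "ok: <value>" or an error line; returns 1 on an error.
lint_require_membership_of() {
    # awk emits "<count> <value>"; word splitting turns any stray space in
    # the value into extra positional parameters, which we then detect.
    set -- $(printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[global\][ \t]*$/) }
        insec && /^[ \t]*require_membership_of[ \t]*=/ { n++; v = $0 }
        END { sub(/^[^=]*=/, "", v); printf "%d %s\n", n, v }')
    _count=$1; shift
    if [ "$_count" -ne 1 ]; then
        echo "error: $_count require_membership_of lines in [global]; only the last one takes effect"
        return 1
    fi
    if [ $# -ne 1 ]; then
        echo "error: value must be one comma-separated token without spaces (got: $*)"
        return 1
    fi
    echo "ok: $1"
}

# Constructed sample inputs (wbinfo output and pam_winbind.conf fragments).
NAME_TO_SID_OUT='S-1-5-21-3169155090-2081415613-2343130028-1107 Domain Group (2)'
USER_GROUPS_OUT='10000
10002
10005'
GOOD_CONF='[global]
require_membership_of = S-1-5-21-3169155090-2081415613-2343130028-1107'
BAD_CONF='[global]
require_membership_of = S-1-5-21-3169155090-2081415613-2343130028-1107, S-1-5-21-3169155090-2081415613-2343130028-1108'
echo "group SID: $(sid_from_name_to_sid "$NAME_TO_SID_OUT")"
user_in_group 10002 "$USER_GROUPS_OUT" && echo "user1 is a member of group1"
lint_require_membership_of "$GOOD_CONF"
lint_require_membership_of "$BAD_CONF" || true
```

To lint a real file, pass its contents with `lint_require_membership_of "$(cat /etc/security/pam_winbind.conf)"`.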


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7001912
  • Creation Date: 18-Nov-2008
  • Modified Date: 16-Mar-2021
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
