11.3 Configuring a Linux Client for Active Directory

Before your client can join an AD domain, some adjustments must be made to your network setup to ensure a flawless interaction of client and server.


Configure your client machine to use a DNS server that can forward DNS requests to the AD DNS server. Alternatively, configure your machine to use the AD DNS server as the name service data source.


To succeed with Kerberos authentication, the client must have have its time set accurately. It is highly encouraged to use a central NTP time server for this purpose (this can be also the NTP server running on your Active Directory domain controller). If the clockskew between your Linux host and the domain controller exceeds a certain limit, Kerberos authentication fails and the client is logged in only using the weaker NTLM (NT LAN Manager) authentication.


If your client uses dynamic network configuration with DHCP, configure DHCP to provide the same IP and hostname to the client. If possible, use static IP addresses to be on the safe side.


To browse your network neighborhood, either disable the firewall entirely or mark the interface used for browsing as part of the internal zone.

To change the firewall settings on your client, log in as root and start the YaST firewall module. Select Interfaces. Select your network interface from the list of interfaces and click Change. Select Internal Zone and apply your settings with OK. Leave the firewall settings with Next Accept . To disable the firewall, just set Service Start to Manually and leave the firewall module with Next Accept .

AD Account

You cannot log in to an AD domain unless the AD administrator has provided you with a valid user account for this domain. Use the AD username and password to log in to the AD domain from your Linux client.

Join an existing AD domain during installation or by later activating SMB user authentication with YaST in the installed system. The domain join during installation is covered in Configuring the Host as a Windows Domain Member.

NOTE:Currently only a domain administrator account, such as Administrator, can join SUSE Linux Enterprise Desktop into Active Directory.

To join an AD domain in a running system, proceed as follows:

  1. Log in as root and start YaST.

  2. Start Network Services Windows Domain Membership .

  3. Enter the domain to join at Domain or Workgroup in the Windows Domain Membership screen (see Figure 11-2). If the DNS settings on your host are properly integrated with the Windows DNS server, enter the AD domain name in its DNS format (mydomain.mycompany.com). If you enter the short name of your domain (also known as the pre–Windows 2000 domain name), YaST must rely on NetBIOS name resolution instead of DNS to find the correct domain controller. To select from a list of available domains instead, use Browse to list the NetBIOS domains then select the desired domain.

    Figure 11-2 Determining Windows Domain Membership

  4. Check Also Use SMB Information for Linux Authentication to use the SMB source for Linux authentication.

  5. Check Create Home Directory on Login to automatically create a local home directory for your AD user on the Linux machine.

  6. Check Offline Authentication to allow your domain users to log in even if the AD server is temporarily unavailable or you do not have a network connection.

  7. Click Finish and confirm the domain join when prompted for it.

  8. Provide the password for the Windows administrator on the AD server and click OK (see Figure 11-3).

    Figure 11-3 Providing Administrator Credentials

After you have joined the AD domain, you can log in to it from your workstation using the display manager of your desktop or the console.