How to configure sssd on SLES 11 to resolve names and authenticate to Windows 2008 Active Directory

This document (7014572) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Server 11 Service Pack 1 (SLES 11 SP1)


Environment where authentication and name resolution need to occur by communicating with a Windows 2008 Active Directory domain.

This is an alternative to using winbind.  SSSD must be used as a solution, in lieu of winbind, when the primary group for a user as listed on the Active Directory side MUST be different from the primary group for the user as listed on the Linux side.  This is due to recent changes in winbind (security fixes).  If the primary group is the same on the Windows and Linux sides, then sssd can still be used as an optional alternative if desired.


This document describes how to configure sssd on SLES 11 SP1 to perform name resolution and authentication using Kerberos and LDAP against a Windows 2008 Active Directory domain.

For the purposes of this document, the following naming is used:

domain =
SLES 11 SP1 server (client) = client
SLES 11 SP1 server (client) fully qualified =
Windows 2008 server (AD server) = adserver
Windows 2008 server (AD server) fully qualified =
ipaddress of Windows 2008 server =
User = unixuser
Group = unixgroup

This document assumes a fully functional Windows 2008 Active Directory domain and network.  It does not cover troubleshooting or setup of communication between the SLES 11 SP1 server and the Windows 2008 server.

Windows 2008 domain configuration:

1. Using Server Manager, under Roles | Active Directory Domain Services | Active Directory Users and Computers, expand the domain that will contain the SLES 11 SP1 server and users.  If the domain doesn't exist yet, create a new domain.

2. Within the Computers folder, right click and choose New | Computer.  Create a computer object that will correspond to the SLES 11 SP1 server.  For our example, Computer name = client.  It is not necessary to choose the option "Assign this computer account as a pre-Windows 2000 computer".

3. Click Active Directory Domain Services under Roles in Server Manager.  Scroll the right hand window down to Role Services.  Choose Add Role Service and select Identity Management for UNIX.  Use the domain created / used in step 1 as the NIS Domain Name.  For our example, NIS Domain name =

4. Under Roles | Active Directory Domain Services | Active Directory Users and Computers, within the Users folder, right click and choose New | Group.  Create a group object.  For our example, Group name = unixgroup
  - Double click or go into properties for the group unixgroup, then switch to the UNIX Attributes tab.
    - Select the NIS domain set up in Step 3.
    - Set GID (this will be according to your environment's configuration).  For our example, 10000

5. Under Roles | Active Directory Domain Services | Active Directory Users and Computers, within the Users folder, right click and choose New | User.  Create a user object.  For our example, User logon name = unixuser.
  - Uncheck "User must change password at next logon" and "Account is disabled".
  - Double click or go into properties for the user, aduser, then switch to the UNIX Attributes tab.
    - Select the NIS domain set up in Step 3.
    - Set UID (this will be according to your environment's configuration).  For our example, 10000
    - Set Login Shell (this will be according to your environment's configuration).  For our example, /bin/bash
    - Set Home Directory (this will be according to your environment's configuration). For our example, /home/unixuser
    - Set Primary Group Name/GID to unixgroup

SLES 11 SP1 server configuration:

1.  Check for, and install if needed, the following packages: sssd, krb5, krb5-client, pam_krb5, sssd-tools

2.  Modify the /etc/krb5.conf file to reflect the actual configuration.  Some environments may not need the additional definitions included below for [realms] and [domain_realm].  For our example, see the following:

    [libdefaults]
        default_realm = AD-DOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        rdns = false
        forwardable = yes
        clockskew = 300

    [realms]
        AD-DOMAIN.COM = {
            default_domain =
            admin_server =
        }

    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            minimum_uid = 1
            external = sshd
            use_shmem = sshd
        }

3.  Modify the /etc/sssd/sssd.conf file to reflect the actual configuration.  For our example, see the following:

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss,pam
    debug_level = 10
    domains = AD-DOMAIN.COM

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3

    [pam]
    reconnection_retries = 3

    [domain/AD-DOMAIN.COM]
    description = LDAP domain with AD server
    enumerate = false
    min_id = 1000
    id_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5
    access_provider = ldap
    ldap_uri = ldap://
    ldap_schema = rfc2307bis
    ldap_user_search_base = dc=ad-domain,dc=com
    ldap_user_object_class = user
    ldap_user_home_directory = unixHomeDirectory
    ldap_user_shell = LoginShell
    ldap_group_search_base = dc=ad-domain,dc=com
    ldap_group_object_class = group
    ldap_force_upper_case_realm = false
    ldap_access_order = expire
    ldap_account_expire_policy = ad
    krb5_realm = AD-DOMAIN.COM
    krb5_server =
    ldap_sasl_mech = gssapi
    ldap_krb5_init_creds = true
    ldap_krb5_keytab = /etc/krb5.keytab
    ldap_krb5_ticket_lifetime = 86400
    ldap_sasl_authid = host/

4. Check resolution of the Active Directory domain from the SLES 11 SP1 server.  It may be necessary to add the domain to the /etc/hosts file if DNS resolution doesn't provide an address for the domain.  For our example, add the following to the /etc/hosts file. adserver

5. Create a service keytab for the SLES 11 SP1 server

From the Windows 2008 server, open a command window and run the following commands to configure the computer object created for the SLES 11 SP1 server and generate a keytab.  For our example, the commands would be:
  - setspn -A host/ client
  - setspn -L client
  - ktpass /princ host/ /out client-krb5.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AD-DOMAIN.COM\client$ /pass *
Note that -desonly marks the computer account as DES-only; omit it unless your environment requires DES.
Copy client-krb5.keytab to the SLES 11 SP1 server, place it in the /etc directory and rename it to krb5.keytab (the path referenced by ldap_krb5_keytab in step 3).

6. Verify Kerberos functionality and /etc/krb5.keytab.  For our example, the commands would be:
  - kinit -k -t /etc/krb5.keytab 'host/'
  - kinit unixuser@AD-DOMAIN.COM
  - /usr/bin/ldapsearch -H ldap:// -Y GSSAPI -N -b "dc=ad-domain,dc=com" "(&(objectclass=user)(sAMAccountName=unixuser))"

7. Modify the /etc/nsswitch.conf file to include resolution through sss:

passwd: files sss
group:  files sss

8. Add the module to the pam.d files.  Always back up the /etc/pam.d files before making modifications, and keep an open, authenticated terminal session while testing until the configuration is validated.  Modifications to pam.d files can result in the inability to authenticate any user, including root.  For our example, the pam.d files contain the following:

auth    required   
auth    sufficient   
auth    required    use_first_pass   

account    requisite   
account    sufficient
account    required    use_first_pass

session    required   
session    required   
session    optional   
session    optional   

password    requisite    nullok cracklib
password    sufficient    use_authtok nullok
password    required    use_authtok
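As an added check, not part of this document or any SUSE tool, the following Python script parses an sssd.conf laid out as in step 3 and flags the settings that depend on each other: a GSSAPI LDAP bind without the keytab, authid or realm it needs, expire-based access control without the AD expiry policy, a min_id low enough for directory ids to overlap local system accounts, and debug_level = 10 left at its setup value.  The hostnames in the embedded sample are placeholders.

```python
"""Lint an sssd.conf built per step 3 above (added example, not a SUSE tool)."""
import configparser

# Constructed sample in the shape of step 3; hostnames are placeholders.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss,pam
debug_level = 10
domains = AD-DOMAIN.COM
[domain/AD-DOMAIN.COM]
id_provider = ldap
auth_provider = krb5
access_provider = ldap
ldap_uri = ldap://adserver.example.invalid
ldap_access_order = expire
ldap_account_expire_policy = ad
krb5_realm = AD-DOMAIN.COM
ldap_sasl_mech = gssapi
ldap_krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = host/client.example.invalid
min_id = 1000
"""

def lint_sssd_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if cp.get("sssd", "debug_level", fallback="0") == "10":
        findings.append("sssd: debug_level = 10 is maximum verbosity; lower it once logins work")
    names = [n.strip() for n in cp.get("sssd", "domains", fallback="").split(",") if n.strip()]
    for name in names:
        sec = "domain/" + name
        if not cp.has_section(sec):
            findings.append(f"{name}: listed in domains but [{sec}] is missing")
            continue
        d = cp[sec]
        # The LDAP bind uses the host keytab over GSSAPI, so all three must be present.
        if d.get("ldap_sasl_mech", "").lower() == "gssapi":
            for key in ("ldap_krb5_keytab", "ldap_sasl_authid", "krb5_realm"):
                if not d.get(key):
                    findings.append(f"{name}: ldap_sasl_mech = gssapi but {key} is unset")
        # ldap_access_order = expire only enforces AD account expiry with the ad policy.
        if "expire" in d.get("ldap_access_order", "") and d.get("ldap_account_expire_policy") != "ad":
            findings.append(f"{name}: ldap_access_order has expire but ldap_account_expire_policy != ad")
        # min_id keeps AD-supplied UIDs/GIDs from shadowing local system accounts.
        if int(d.get("min_id", "1")) < 1000:
            findings.append(f"{name}: min_id below 1000 lets directory ids overlap local system accounts")
    return findings
```

Run it against the real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())` after step 3; the sample above yields only the debug_level finding.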


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7014572
  • Creation Date: 14-Feb-2014
  • Modified Date:03-Mar-2020