How to configure sssd on SLES 12 to connect to Windows 2012 R2 AD

This document (7022002) is provided subject to the disclaimer at the end of this document.


Windows Server 2012 R2 with Active Directory
SUSE Linux Enterprise Server 12


Configure a SLES 12 server to resolve and authenticate users located in the Active Directory on Windows Server 2012 R2.


SSSD (System Security Services Daemon)

- Identity resolution - NSS module
- Authentication - PAM module
- Caching for offline access and reduced load on the directory server
- Multiple identity sources in a single configuration (common sources: LDAP, AD, Kerberos)

(Figure: SSSD functionality diagram; image not included)

Sample Windows AD Information

Windows Server Name = WIN2012SRV
Windows Server IPADDRESS =
AD Administrator =
Create test user = Jane Doe / jdoe

Steps to configure SLES 12 to resolve and authenticate users in Active Directory using the AD backend plugin

1. Join the SLES 12 server to the Active Directory domain

- Install krb5-client and samba-client

zypper ref
zypper in krb5-client
zypper in samba-client

- Configure /etc/krb5.conf

[libdefaults]
        default_realm = AD.DOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false

[realms]
        # kdc, master_kdc and admin_server: the domain controller (WIN2012SRV in the sample above)
        AD.DOMAIN.COM = {
                 kdc =
                 master_kdc =
                 admin_server =
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .ad.domain.com = AD.DOMAIN.COM
        ad.domain.com = AD.DOMAIN.COM

- Configure /etc/samba/smb.conf

[global]
        workgroup = AD
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = AD.DOMAIN.COM
        security = ADS
        template homedir = /home/%u
        template shell = /bin/bash
        winbind refresh tickets = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab
        client signing = yes
        client use spnego = yes

- Add the domain controller to /etc/hosts with its IP address and the names win2012srv and ad

- Join the SLES 12 server to the AD domain (kinit obtains the administrator ticket that net ads join -k uses)

kinit Administrator
net ads join -k

- Test GSSAPI connectivity with ldapsearch (the -H URL takes the domain controller's host name)

/usr/bin/ldapsearch -H ldap:// -Y GSSAPI -N -b "dc=ad,dc=domain,dc=com" "(&(objectClass=user)(sAMAccountName=jdoe))"

2. Configure SSSD

- Install sssd and sssd-ad

zypper ref
zypper in sssd
zypper in sssd-ad

- Modify /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
debug_level = 6
services = nss, pam
domains = AD

[nss]
filter_users = root
filter_groups = root

[domain/AD]
debug_level = 6
id_provider = ad
auth_provider = ad
# ad_domain, ad_server and ad_hostname: fill in for your domain and domain controller
ad_domain =
ad_server =
ad_hostname =
ldap_id_mapping = True
override_homedir = /home/%u
ldap_schema = ad
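Before starting sssd in step 3 it is worth checking the file for the values this guide leaves blank and for the permissions sssd requires. The following checker is an added example, not part of the original SUSE document: it parses sssd.conf with Python's configparser, takes the file's mode bits and owner uid as arguments, and runs against a constructed sample of this guide's configuration.

```python
"""Pre-flight checks for /etc/sssd/sssd.conf before `systemctl start sssd`."""
import configparser
import stat

AD_KEYS = ("ad_domain", "ad_server", "ad_hostname")  # set in [domain/AD] by this guide

# Constructed sample: the [sssd] and [domain/AD] sections of this guide, values still blank.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
debug_level = 6
services = nss, pam
domains = AD

[domain/AD]
debug_level = 6
id_provider = ad
auth_provider = ad
ad_domain =
ad_server =
ad_hostname =
ldap_id_mapping = True
"""

def check_sssd_conf(text, mode=0o600, owner_uid=0):
    """Return a list of findings for sssd.conf text plus the file's mode bits and owner uid."""
    findings = []
    # sssd refuses to start when the file is not root-owned or is group/world accessible
    if owner_uid != 0 or mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("sssd.conf must be owned by root with mode 0600")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    for svc in ("nss", "pam"):  # both responders are needed for resolution and login
        if svc not in services:
            findings.append(f"[sssd] services does not include {svc}")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append(f"[sssd] lists domain {dom} but [{sec}] is missing")
        elif cp.get(sec, "id_provider", fallback="") == "ad":
            for key in AD_KEYS:
                if not cp.get(sec, key, fallback="").strip():
                    findings.append(f"[{sec}] {key} is empty; fill it in before starting sssd")
    # debug_level 6 helps while troubleshooting the join but is noisy afterwards
    for sec in [s for s in ["sssd"] + [f"domain/{d}" for d in domains] if cp.has_section(s)]:
        if cp.getint(sec, "debug_level", fallback=0) >= 6:
            findings.append(f"[{sec}] debug_level >= 6; lower it once the setup works")
    return findings
```

On a live host, call it with the text of /etc/sssd/sssd.conf, `stat.S_IMODE(os.stat(path).st_mode)` and `os.stat(path).st_uid`.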

3. Configure NSS

- Modify /etc/nsswitch.conf

passwd:  files  sss
group:   files  sss

- Modify /etc/nscd.conf so that nscd does not cache passwd and group lookups (sssd does its own caching)

enable-cache   passwd    no
enable-cache   group     no

- Restart nscd

systemctl restart nscd

- Start sssd (it refuses to start unless /etc/sssd/sssd.conf is owned by root with mode 0600)

systemctl start sssd

4. Configure PAM

Add pam_sss.so to the auth, account, session and password stacks. On SLES 12 these are /etc/pam.d/common-auth, common-account, common-session and common-password, which are managed by pam-config (pam-config -a --sss adds the module to all four).

/etc/pam.d/common-auth
auth        sufficient     pam_sss.so use_first_pass

/etc/pam.d/common-account
account     sufficient     pam_sss.so use_first_pass

/etc/pam.d/common-session
session     sufficient     pam_sss.so use_first_pass
session     sufficient

/etc/pam.d/common-password
password    sufficient     pam_sss.so

5. Test Resolution and Authentication

- Resolve the user through NSS:

id <userid>
getent passwd <userid>

- Authenticate the user through PAM:

ssh <userid>@localhost


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7022002
  • Creation Date: 04-Oct-2017
  • Modified Date: 03-Mar-2020
  • Product: SUSE Linux Enterprise Server
