Manually join AD on SUSE Linux Enterprise Server 12 without using YaST

This document (7018461) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)


Configuration via the command line without using YaST.
This is useful for automation purposes.


  1. Install the Kerberos client and samba-winbind:
     zypper in krb5-client samba-winbind
  2. Edit the configuration files. The easiest way is to run YaST on a test machine and copy the files it generates from there.
     In the following examples replace EXAMPLE / EXAMPLE.COM with your own values.
    • /etc/samba/smb.conf
          [global]
          workgroup = EXAMPLE
          # disallow guests from sharing
          usershare allow guests = NO
          idmap gid = 10000-20000
          idmap uid = 10000-20000
          kerberos method = secrets and keytab
          realm = EXAMPLE.COM
          security = ADS
          template homedir = /home/%D/%U
          template shell = /bin/bash
          winbind offline logon = yes
          winbind refresh tickets = yes
    • /etc/krb5.conf
          [libdefaults]
          default_realm = EXAMPLE.COM
          clockskew = 300

          [realms]
          EXAMPLE.COM = {
              kdc = PDC.EXAMPLE.COM
              default_domain = EXAMPLE.COM
              admin_server = PDC.EXAMPLE.COM
          }

          [appdefaults]
          pam = {
              ticket_lifetime = 1d
              renew_lifetime = 1d
              forwardable = true
              proxiable = false
              minimum_uid = 1
          }
    • /etc/security/pam_winbind.conf
          [global]
          cached_login = yes
          krb5_auth = yes
          krb5_ccache_type = FILE
    • /etc/nsswitch.conf
          passwd: compat winbind
          group: compat winbind
    • If you need YaST to show that SSH single sign-on is activated, you also need to modify /etc/ssh/sshd_config and /etc/ssh/ssh_config.
  3. Make sure you use a DNS server that can resolve your AD server and the special AD records (a DNS server that is part of the AD domain or mirrors its DNS):
     cat /etc/resolv.conf
  4. Check that the date and time on the AD server and on the Linux server are in sync. Ideally, sync the AD and Linux machines' time from the same source.
  5. Join the domain:
     net ads join -U Administrator%Mypassword
  6. Enable winbind as a login source in PAM:
     pam-config --add --winbind
  7. Enable automatic creation of home directories so that users can log in:
     pam-config -a --mkhomedir
  8. Start winbind:
     systemctl enable winbind
     systemctl start winbind
  9. (optional) Invalidate the nscd password and group cache so that AD users can log in without restarting the Linux server:
     systemctl stop nscd
     nscd -i passwd
     nscd -i group
     systemctl start nscd
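The following script is an added example and is not part of this TID or of any SUSE tooling. It turns the steps above into one unattended run: it renders the four configuration fragments from a workgroup/realm/DC, checks beforehand that the domain controller is discoverable through the AD SRV records and that the clocks are inside the Kerberos tolerance, performs the join, enables winbind in PAM, and verifies the result. The variable names (WORKGROUP, REALM, KDC, JOIN_USER), the helper function names, the availability of `host` (bind-utils) and GNU `date`, and the assumption that `net time -S` prints a date that `date -d` can parse are all the example's own, not the article's.

```shell
#!/bin/sh
# Added example, not part of the SUSE TID. Scripts the manual AD join.
# Assumed names: WORKGROUP, REALM, KDC, JOIN_USER and the helper functions;
# assumed tools: host (bind-utils), GNU date, and "net time -S" output that
# GNU date -d can parse. Run with --preview to print the rendered files, or
# with --join (as root) to apply them and join the domain.
set -eu

WORKGROUP="${WORKGROUP:-EXAMPLE}"
REALM="${REALM:-EXAMPLE.COM}"
KDC="${KDC:-PDC.EXAMPLE.COM}"
JOIN_USER="${JOIN_USER:-Administrator}"
MAX_SKEW=300   # seconds; must match "clockskew" written to krb5.conf

render_smb_conf() {   # $1 workgroup, $2 realm
  cat <<EOF
[global]
    workgroup = $1
    # disallow guests from sharing
    usershare allow guests = No
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    kerberos method = secrets and keytab
    realm = $2
    security = ADS
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes
EOF
}

render_krb5_conf() {   # $1 realm, $2 KDC (also used as admin_server)
  cat <<EOF
[libdefaults]
    default_realm = $1
    clockskew = $MAX_SKEW

[realms]
    $1 = {
        kdc = $2
        default_domain = $1
        admin_server = $2
    }

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
    }
EOF
}

render_pam_winbind_conf() {
  printf '[global]\ncached_login = yes\nkrb5_auth = yes\nkrb5_ccache_type = FILE\n'
}

# Append "winbind" to the passwd: and group: lines of nsswitch.conf.
# Idempotent: lines that already list winbind, and all other lines, pass through.
add_winbind_source() {   # $1: one nsswitch.conf line
  case "$1" in
    passwd:*winbind*|group:*winbind*) printf '%s\n' "$1" ;;
    passwd:*|group:*)                 printf '%s winbind\n' "$1" ;;
    *)                                printf '%s\n' "$1" ;;
  esac
}

# Kerberos rejects tickets once the clocks differ by more than clockskew.
check_clock_skew() {   # $1 local epoch, $2 DC epoch, $3 allowed seconds
  skew=$(( $1 - $2 ))
  if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
  [ "$skew" -le "$3" ]
}

join_domain() {
  zypper --non-interactive in krb5-client samba-winbind
  render_smb_conf "$WORKGROUP" "$REALM" > /etc/samba/smb.conf
  render_krb5_conf "$REALM" "$KDC" > /etc/krb5.conf
  render_pam_winbind_conf > /etc/security/pam_winbind.conf
  while IFS= read -r line; do add_winbind_source "$line"; done \
    < /etc/nsswitch.conf > /etc/nsswitch.conf.new
  mv /etc/nsswitch.conf.new /etc/nsswitch.conf
  # Pre-flight: DC reachable via the AD SRV record, clocks within tolerance.
  host -t SRV "_ldap._tcp.dc._msdcs.$REALM" > /dev/null
  dc_epoch=$(date -d "$(net time -S "$KDC")" +%s)
  check_clock_skew "$(date +%s)" "$dc_epoch" "$MAX_SKEW" \
    || { echo "clock skew to $KDC exceeds $MAX_SKEW s" >&2; exit 1; }
  # -U without %password prompts, so the secret stays out of shell history
  # and the process list; feed it from a protected credential store if unattended.
  net ads join -U "$JOIN_USER"
  pam-config --add --winbind
  pam-config -a --mkhomedir
  systemctl enable winbind
  systemctl start winbind
  systemctl stop nscd; nscd -i passwd; nscd -i group; systemctl start nscd
  net ads testjoin      # machine account usable
  wbinfo -t             # trust secret valid
  wbinfo -u | head -n 3 # AD users visible through winbind
}

case "${1:-}" in
  --preview) render_smb_conf "$WORKGROUP" "$REALM"
             render_krb5_conf "$REALM" "$KDC"
             render_pam_winbind_conf ;;
  --join)    join_domain ;;
esac
```

Run `WORKGROUP=CORP REALM=CORP.EXAMPLE KDC=dc1.corp.example sh join-ad.sh --preview` first and compare the output with files YaST produced on a test machine; only then run `--join`. The script deliberately does not take the `Administrator%Mypassword` form from step 5: a password on the command line is visible in shell history and to every local user through the process list, so for scripted runs the join account's credential should come from a protected file or secret store rather than the argument list.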


Additional Information

This was put together because of Service Request no. 101038815251


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7018461
  • Creation Date: 09-Jan-2017
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server
