How to configure sssd on SLES 12 to connect to Windows 2012 R2 AD

This document (7022002) is provided subject to the disclaimer at the end of this document.


Windows Server 2012 R2 with Active Directory
SUSE Linux Enterprise Server 12


Configure a SLES 12 server to resolve and authenticate users located in the Active Directory on Windows Server 2012 R2


For a more recent TID on this see:

SSSD (System Security Services Daemon)
- Identity resolution - NSS module
- Authentication - PAM module
- Caching for offline access and reduced directory load
- Multiple identity sources in a single configuration
(common sources: LDAP, AD, Kerberos)
SSSD Functionality Diagram
Sample Windows AD Information
Windows Server Name = WIN2012SRV
Windows Server IPADDRESS =
AD Administrator =
Create test user = Jane Doe / jdoe
Steps to configure SLES 12 to resolve and authenticate users in Active Directory using the AD backend plugin
1. Join the SLES 12 server to the Active Directory domain
- Install the Kerberos client and Samba client packages
zypper ref
zypper in krb5-client
zypper in samba-client
- Configure /etc/krb5.conf
[libdefaults]
        default_realm = AD.DOMAIN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
[realms]
        AD.DOMAIN.COM = {
                 kdc =
                 master_kdc =
                 admin_server =
        }
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        AD.DOMAIN.COM = AD.DOMAIN.COM
- Configure /etc/samba/smb.conf
[global]
        workgroup = AD
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = AD.DOMAIN.COM
        security = ADS
        template homedir = /home/%u
        template shell = /bin/bash
        winbind refresh tickets = yes
        winbind use default domain = yes
        kerberos method = secrets and keytab
        client signing = yes
        client use spnego = yes
- Configure /etc/hosts with an entry for the Windows server: its IP address followed by the names win2012srv and ad
- Join the SLES 12 server to the AD domain
kinit Administrator
net ads join -k
- Test GSSAPI connectivity with ldapsearch
/usr/bin/ldapsearch -H ldap:// -Y GSSAPI -N -b "dc=ad,dc=domain,dc=com" "(&(objectClass=user)(sAMAccountName=jdoe))"
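The ldapsearch test above places the account name directly into the search filter. The following shell script is an added example and is not part of this TID: it builds the same GSSAPI lookup with the sAMAccountName escaped according to RFC 4515, so a name containing filter metacharacters ('*', '(', ')', '\') cannot change what the query matches, and it derives the search base from the Kerberos realm. The function names, the AD_SEARCH_RUN switch and the ldap:// URI argument are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the SUSE TID: escape the account name before it is
# placed in the ldapsearch filter from step 1, and derive the base DN from the
# Kerberos realm. Function names and the AD_SEARCH_RUN switch are ours.

# RFC 4515 escaping for values inside an LDAP search filter. The backslash
# substitution runs first so the escapes it inserts are not re-escaped.
# NUL cannot occur in a shell argument, so it needs no rule here.
ad_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# The user lookup filter from step 1 with the name escaped.
ad_user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ad_filter_escape "$1")"
}

# AD.DOMAIN.COM -> dc=ad,dc=domain,dc=com (the search base used in step 1).
realm_to_basedn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/^/dc=/' -e 's/\./,dc=/g'
}

# Run the GSSAPI search. Needs a Kerberos ticket (kinit) and the ldapsearch
# client on the joined host; the -H URI is whatever the caller passes in.
ad_user_search() {
    uri=$1; base=$2; user=$3
    /usr/bin/ldapsearch -H "$uri" -Y GSSAPI -N -b "$base" \
        "$(ad_user_filter "$user")" sAMAccountName objectSid
}

# Usage: AD_SEARCH_RUN=1 sh adsearch.sh ldap://win2012srv AD.DOMAIN.COM jdoe
if [ "${AD_SEARCH_RUN:-0}" = 1 ]; then
    ad_user_search "$1" "$(realm_to_basedn "$2")" "$3"
fi
```

Only the ad_user_search function touches the network; the escaping and base DN helpers can be exercised on their own, which is how a script that takes the account name from a ticketing system or a cron job should be checked before it is run against the domain.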
2. Configure SSSD
- Install sssd and sssd-ad
zypper ref
zypper in sssd
zypper in sssd-ad
- Modify /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 6
services = nss, pam
domains = AD

[nss]
filter_users = root
filter_groups = root

[domain/AD]
debug_level = 6
id_provider = ad
auth_provider = ad
ad_domain =
ad_server =
ad_hostname =
ldap_id_mapping = True
override_homedir = /home/%u
ldap_schema = ad
3. Configure NSS
- Modify /etc/nsswitch.conf so that passwd and group are resolved from local files first and then from sssd
passwd:  files  sss
group:   files  sss
- Modify /etc/nscd.conf to disable nscd caching of passwd and group (sssd maintains its own cache)
enable-cache   passwd    no
enable-cache   group     no
- Restart nscd
systemctl restart nscd
- Start sssd
systemctl start sssd
4. Configure PAM
- Use pam-config as root to add the necessary PAM modules to the PAM stack
# pam-config -a --sss
# pam-config -a --mkhomedir
5. Test resolution and authentication
id <userid>
getent passwd <userid>
ssh <userid>@localhost
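Before running the step 5 tests it is worth checking the files edited in steps 2 to 4 for the mistakes that most often keep sssd from starting or from being consulted at all. The following shell script is an added example and is not part of this TID: it parses sssd.conf by section, checks the file's ownership and mode (sssd refuses to start unless the file is owned by root with mode 0600), confirms that the domain is listed and its provider keys are set, and verifies nsswitch.conf, nscd.conf and the PAM common-* files. The function names and the AD_AUDIT_RUN switch are assumptions of the example; the file paths are the ones this TID edits.

```shell
#!/bin/sh
# Added example, not from the SUSE TID: sanity-check the files edited in
# steps 2 to 4 before starting sssd. Function names and the AD_AUDIT_RUN
# switch are ours; the file paths are the ones the TID edits.

# Print the value of key in [section] of an INI-style file such as sssd.conf.
# Comment and blank lines are skipped; nothing is printed if the key is absent.
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^\[/ { line = $0; gsub(/[ \t]+$/, "", line); in_s = (line == s); next }
        in_s {
            n = index($0, "=")
            if (n == 0) next
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) { print val; exit }
        }' "$1"
}

# sssd will not start unless sssd.conf is owned by root with mode 0600
# (the file can carry directory credentials). Returns 0 only in that case.
sssd_conf_mode_ok() {
    st=$(stat -c '%a %U' "$1" 2>/dev/null) || return 1
    [ "$st" = "600 root" ]
}

# The [domain/NAME] section must be listed in [sssd] domains and carry the
# provider keys step 2 sets, with non-empty values. Prints each problem found.
sssd_domain_ok() {
    rc=0
    case ",$(ini_get "$1" sssd domains | tr -d ' ')," in
        *",$2,"*) ;;
        *) echo "sssd.conf: [sssd] domains does not list $2"; rc=1 ;;
    esac
    for key in id_provider auth_provider ad_domain ad_server ad_hostname; do
        if [ -z "$(ini_get "$1" "domain/$2" "$key")" ]; then
            echo "sssd.conf: [domain/$2] $key is missing or empty"; rc=1
        fi
    done
    return $rc
}

# nsswitch.conf: passwd and group must consult sss (step 3).
nsswitch_ok() {
    rc=0
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:[^#]*[[:space:]]sss([[:space:]]|$)" "$1" \
            || { echo "nsswitch.conf: $db does not include sss"; rc=1; }
    done
    return $rc
}

# nscd.conf: nscd must not cache passwd/group in front of sssd's own cache
# (step 3), otherwise stale or negative answers mask the directory.
nscd_ok() {
    rc=0
    for db in passwd group; do
        grep -Eq "^[[:space:]]*enable-cache[[:space:]]+$db[[:space:]]+no([[:space:]]|$)" "$1" \
            || { echo "nscd.conf: enable-cache $db is not set to no"; rc=1; }
    done
    return $rc
}

# PAM (step 4): pam-config --sss puts pam_sss.so in common-auth and
# pam-config --mkhomedir puts pam_mkhomedir.so in common-session.
pam_ok() {
    grep -q 'pam_sss\.so' "$1" && grep -q 'pam_mkhomedir\.so' "$2"
}

# Usage: AD_AUDIT_RUN=1 sh adaudit.sh AD   (domain name as in [domain/AD])
if [ "${AD_AUDIT_RUN:-0}" = 1 ]; then
    dom=${1:-AD}
    sssd_conf_mode_ok /etc/sssd/sssd.conf || echo "sssd.conf must be mode 0600 and owned by root"
    sssd_domain_ok /etc/sssd/sssd.conf "$dom"
    nsswitch_ok /etc/nsswitch.conf
    nscd_ok /etc/nscd.conf
    pam_ok /etc/pam.d/common-auth /etc/pam.d/common-session \
        || echo "PAM: pam_sss.so or pam_mkhomedir.so missing (run pam-config again)"
fi
```

Each check is a separate function that takes the file path as an argument, so the same script can be pointed at a staged copy of the configuration (for example in a configuration-management pipeline) as well as at the live files on the host.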


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7022002
  • Creation Date: 04-Oct-2017
  • Modified Date: 11-Jan-2022
    • SUSE Linux Enterprise Server
