How to authenticate AD users on SLES/SLED

This document (7001912) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 10 Service Pack 2
SUSE Linux Enterprise Desktop 10 Service Pack 1
SUSE Linux Enterprise Server 10 Service Pack 2
SUSE Linux Enterprise Server 10 Service Pack 1
SUSE Linux Enterprise Server 9 Service Pack 4

Situation

Users from an Active Directory server (such as Windows 2003) need access to SLES/SLED computers.

keywords: winbind pam pam.d security require_membership_of active directory

Resolution

Step 1: The SLES/SLED system must be joined to the ADS domain. On the SLES/SLED computer give the command:

yast2 samba-client

Check the box for "Also Use SMB Information for Linux Authentication".

[Optional:] Clicking on "Create directory on logon" will cause users home directory to be created automatically after logging into SLES/SLED.

Step 2: [OPTIONAL] It is possible to restrict which users in Active Directory can login, by their group membership. The easiest way to so this is below:

a. Create or identify a group (i.e. group1) and add (to this group) users who are allowed access.

b. On SLES/SLED, Find out the SID number of the SSH group created in Step 2, use the command:

wbinfo --name-to-sid=NET\\group1

Output will look like this:

S-1-5-21-3169155090-2081415613-2343130028-1107 Domain Group (2)

The SID is the long S-xxx number, not including the "Domain Group (2)" portion.

c. Edit /etc/security/pam_winbind.conf, and find the [global] section. Add a membership entry specifying one or more SIDs, as shown below:

[global]

require_membership_of=sid1,sid2,sid3

Note: SIDs or group names should be separated by commas and no spaces. Do not create multiple "require_membership_of" lines, or only the last will be used.

Additional Information

Additional points:

A. Group names can be used instead of SIDs, but due to occasional restrictions (like not handling spaces in group names) it is recommended to use SIDs as described above.

B. If you want to add group restrictions to just *some* services (for example, sshd) but not others, then instead of putting "require_membership_of" restrictions in /etc/security/pam_winbind.conf, put them in the services own /etc/pam.d file. For example, in /etc/pam.d/sshd, find the existing "auth" lines and then *after* those, add the following (using the SID determined earlier):

auth required pam_winbind.so require_membership_of=S-1-5-21-3169155090-2081415613-2343130028-1107 krb5_auth try_first_pass

C. User home directories may be created in /home/[domain]/user.

D. Users logging through ssh may need to use domain\user@host syntax.
For example, user "user1" on domain NET may have to use:

   ssh NET\\user1@sles

E. To check whether a user is a member of group "group1"

First find out the group id using the command format:
   wbinfo --group-info=NET\\group1

       The output will look like this:
   NET\group1:x:10002

Then check the group membership list for the user:

   wbinfo --user-groups=NET\\user1

       The output will list group numbers which that user belongs to, like this:

10000
10002 <-- this is the id of group1, so the user is a member

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.