
How to authenticate AD users on SLES/SLED

This document (7001912) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 10 Service Pack 2
SUSE Linux Enterprise Desktop 10 Service Pack 1
SUSE Linux Enterprise Server 10 Service Pack 2
SUSE Linux Enterprise Server 10 Service Pack 1
SUSE Linux Enterprise Server 9 Service Pack 4

Situation

Users from an Active Directory domain (for example, one served by Windows Server 2003 domain controllers) need to log in to SLES/SLED computers.
 
keywords:  winbind pam pam.d security require_membership_of active directory

Resolution

Step 1:  Join the SLES/SLED system to the Active Directory domain.  On the SLES/SLED computer, run:

   yast2 samba-client
 
Check the box "Also Use SMB Information for Linux Authentication".
[Optional:]  Selecting "Create directory on logon" causes a user's home directory to be created automatically the first time that user logs in to SLES/SLED.

Step 2:  [OPTIONAL]  It is possible to restrict which Active Directory users can log in, based on their group membership.  The easiest way to do this is described below:
 
a.  Create or identify an Active Directory group (for example, group1) and add the users who are allowed access to that group.

b.  On SLES/SLED, find the SID of the group from step a, using the command:

   wbinfo --name-to-sid=NET\\group1

Output will look like this:

   S-1-5-21-3169155090-2081415613-2343130028-1107 Domain Group (2)

The SID is the long S-... value only, not including the trailing "Domain Group (2)" portion.  Newer Samba versions print the type as "SID_DOM_GROUP (2)" instead; the SID is still the first field.

 
c.  Edit /etc/security/pam_winbind.conf and find the [global] section.  Add a require_membership_of entry listing one or more SIDs, as shown below:
 
[global]
require_membership_of=sid1,sid2,sid3
 
Note:  Separate SIDs or group names with commas and no spaces.  Do not create multiple "require_membership_of" lines; pam_winbind uses only the last one.  This setting applies to every PAM service that uses pam_winbind (see point B below for restricting a single service).

Additional Information

Additional points:
 
A.  Group names can be used instead of SIDs, but because of occasional restrictions (such as group names containing spaces not being handled) it is recommended to use SIDs as described above.
 
B.  To apply the group restriction to only *some* services (for example, sshd) but not others, put the "require_membership_of" option in the service's own file under /etc/pam.d instead of in /etc/security/pam_winbind.conf.  For example, in /etc/pam.d/sshd, find the existing "auth" lines and add the following *after* them (using the SID determined earlier):

   auth required pam_winbind.so require_membership_of=S-1-5-21-3169155090-2081415613-2343130028-1107 krb5_auth try_first_pass

Keep a root or local-account session open while testing this change: because the line is marked "required", a user that winbind does not know (a local account) also fails this auth stack unless an earlier "sufficient" module has already accepted the login.
 
C.  User home directories may be created in /home/[domain]/user.

D.  Users logging in through ssh may need to use the domain\user@host syntax.
For example, user "user1" in domain NET may have to use:

   ssh NET\\user1@sles

(The backslash is doubled to protect it from the shell.)

E.  To check whether a user is a member of group "group1":

  First find the group's numeric ID with:
   wbinfo --group-info=NET\\group1

  The output will look like this:
   NET\group1:x:10002

  Then list the groups the user belongs to:
   wbinfo --user-groups=NET\\user1

  The output lists the numeric IDs of the groups the user belongs to, like this:
   10000
   10002 <-- this is the ID of group1, so the user is a member
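The following shell script is an added example and is not part of the original SUSE document.  It carries out steps b and c of Step 2 above and the membership check in point E, but works on the text that wbinfo prints (passed in as arguments) rather than calling wbinfo itself, so it can be exercised on a machine that is not joined to a domain: it extracts and validates the SID from a "wbinfo --name-to-sid" line, rewrites a pam_winbind.conf so that exactly one require_membership_of line remains in [global] (honouring the note that only the last such line is used), and checks a user's group list for a group's numeric ID.  The sample configuration file, the stale SIDs in it and the temporary-file path are constructed for the demonstration; on a real system pass the actual wbinfo output and the real /etc/security/pam_winbind.conf path.

```sh
#!/bin/sh
# Added example, not part of the SUSE document. Works on the text that
# wbinfo prints (passed in as arguments) so it can be tested without a
# domain-joined machine; the sample conf file below is constructed.

# Print the SID from a "wbinfo --name-to-sid" output line such as
#   S-1-5-21-3169155090-2081415613-2343130028-1107 Domain Group (2)
# Fails if the first field is not a well-formed SID or the type in
# parentheses is not 2 (domain group); newer Samba prints the type as
# "SID_DOM_GROUP (2)", which is accepted as well.
sid_from_wbinfo_output() {
    sid=$(printf '%s\n' "$1" | awk '$1 ~ /^S-1-[0-9]+(-[0-9]+)+$/ { print $1 }')
    if [ -z "$sid" ]; then
        echo "no SID found in: $1" >&2
        return 1
    fi
    case "$1" in
        *"(2)") ;;
        *) echo "not a group SID: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$sid"
}

# Join the arguments with commas and no spaces, the format
# require_membership_of expects.
join_sids() {
    joined=""
    for s in "$@"; do
        joined="${joined:+$joined,}$s"
    done
    printf '%s\n' "$joined"
}

# Set require_membership_of=<sids> in the [global] section of the file
# named in $1. Existing require_membership_of lines are removed first,
# because pam_winbind honours only the last one; a [global] header is
# added if the file lacks one.
set_require_membership_of() {
    conf=$1
    shift
    value=$(join_sids "$@")
    if [ -z "$value" ]; then
        echo "no SIDs given" >&2
        return 1
    fi
    tmp="$conf.tmp.$$"
    if grep -q '^[[:space:]]*\[global\]' "$conf" 2>/dev/null; then
        awk -v v="$value" '
            /^[ \t]*require_membership_of[ \t]*=/ { next }
            { print }
            /^[ \t]*\[global\]/ { print "require_membership_of=" v }
        ' "$conf" > "$tmp"
    else
        {
            printf '[global]\nrequire_membership_of=%s\n' "$value"
            if [ -f "$conf" ]; then cat "$conf"; fi
        } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Succeed if the user belongs to the group. $1 is the output of
# "wbinfo --group-info=DOMAIN\\group" (e.g. "NET\group1:x:10002"), $2 the
# output of "wbinfo --user-groups=DOMAIN\\user" (one numeric gid per line).
user_in_group() {
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    [ -n "$gid" ] || return 1
    printf '%s\n' "$2" | grep -qxF "$gid"
}

# Demonstration on constructed data: a conf file carrying two stale
# require_membership_of lines is rewritten to carry exactly one.
demo_conf=$(mktemp)
printf '[global]\ncached_login = yes\nrequire_membership_of=S-1-5-21-1-2-3-500\nrequire_membership_of=S-1-5-21-1-2-3-501\n' > "$demo_conf"
sid=$(sid_from_wbinfo_output 'S-1-5-21-3169155090-2081415613-2343130028-1107 Domain Group (2)')
set_require_membership_of "$demo_conf" "$sid"
echo "--- $demo_conf after rewrite:"
cat "$demo_conf"
rm -f "$demo_conf"
if user_in_group 'NET\group1:x:10002' "$(printf '10000\n10002\n')"; then
    echo "user1 is a member of group1"
fi
```

On a real SLES/SLED host the two wbinfo calls would be `sid=$(sid_from_wbinfo_output "$(wbinfo --name-to-sid='NET\group1')")` followed by `set_require_membership_of /etc/security/pam_winbind.conf "$sid"`, run as root; keep a root session open and confirm both a domain user and a local account can still log in before closing it.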

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7001912
  • Creation Date: 18-Nov-2008
  • Modified Date:16-Mar-2021
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
