Jump to content
Sign in to follow this  

Windows 2003 Domain

Recommended Posts

This is how I was able to configure Suse 10.0 to authenticate on a Windows 2003 Active Directory Server. I do not know if it will work on previous versions of Windows or with previous versions of Suse Linux.




1.Any text that reads domain.internal (lower case) you will replace with your domain.

2.Any text that reads DOMAIN.INTERNAL (upper case) you will replace with your domain in upper case.

3.Any text that reads DOMAIN (upper case) you will replace with your domain (no .internal)

4.The NetBios name is the name of your client (workstation/computer)



This process will require the krb5-client (I installed all of it), Samba, and Samba-Winbind.




Step 1: Install the Required Packages – This can be done through Yast


Step 2: Edit the /etc/krb5.conf File



default = FILE10000:/var/log/krb5lib.log


ticket_lifetime = 24000

default_realm = DOMAIN.INTERNAL

default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5

default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5



kdc = domainserver.domain.internal

admin_server = domainserver.domain.internal

default_domain = DOMAIN.INTERNAL



.domain.internal = DOMAIN.INTERNAL

domain.internal = DOMAIN.INTERNAL


Step 3: Edit /etc/samba/smb.conf



security = ads

netbios name = NetBios Name


password server = domainserver.domain.internal

workgroup = DOMAIN

idmap uid = 1000-29999

idmap gid = 1000-29999

winbind separator = +

winbind enum users = yes

winbind enum groups = yes

winbind use default domain = yes

template homedir = /home/%D/%U

template shell = /bin/bash

client use spnego = yes

domain master = no

server string =


Step 4: Test the configuration with the testparm command – You should be able to see what you entered in the samba.conf file.


Step 5: Edit /etc/nsswitch.conf to look like the example below


passwd: compat winbind

group: compat winbind

shadow: compat

hosts: files dns wins

networks: files

protocols: db files

services: db files

ethers: db files

rpc: db files

netgroup: nis


Step 6: Modify the PAM settings


These files are all located in the /etc/pam.d folder


File: common-account (It should contain only the following lines)


account sufficient pam_winbind.so

account required pam_unix.so



File: common-auth (It should contain only the following lines)


auth sufficient pam_winbind.so

auth required pam_unix.so nullok_secure use_first_pass


File: common-password file


password required pam_unix.so nullok obscure min=4 max=50 md5


File: common-session


session required pam_mkhomedir.so umask=0022 skel=/etc/skel


Step 7: Make a directory to hold domain user home directories


Note: Use Konsole for this

Note: Use the value you put in the WORKGROUP tag smb.conf file


mkdir /home/DOMAIN


Step 8: Initialize Kerberos


Note: Use Konsole for this


kinit domain_admin_account@DOMAIN.INTERNAL


Step 9: Check to be sure you got a ticket from the domain controller


Note: Use Konsole for this




Step 10: Join the Domain


Note: Use Konsole for this


net ads join -U domainadminuser@DOMAIN.INTERNAL


Step 11: Restart Samba-related Services


Note: The order is important

Note: Use Konsole for this


/etc/init.d/smb stop

/etc/init.d/winbind stop

/etc/init.d/smb start

/etc/init.d/winbind start


Step 12: Attempt to switch user and logon as a domain member. If you can logon than you are successful.


Step 13: Configure SUDO


Add the “Domain Admins” group from windows to the /etc/sudoers file


%Domain Admins ALL=(ALL) ALL



# sudoers file

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

Defaults targetpw # ask for the password of the target user i.e. root

%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

# Runas alias specification

# User privilege specification

root ALL=(ALL) ALL


# Uncomment to allow people in group wheel to run all commands

%Domain Admins ALL=(ALL) ALL


# Same thing without a password


# Samples

# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom

# %users localhost=/sbin/shutdown -h now

Step 14: See if Konsole will list user names and group names from Windows:


wbinfo -u

wbinfo -g


Step 15: Make sure the permission on the DOMAIN folder under Homes is set to the correct permissions so that the new users can create their folder on login.

Share this post

Link to post
Share on other sites

moved to samba and pinned


thanks for the post.




Edited by anyweb

Share this post

Link to post
Share on other sites
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Create New...