Before your client can join an AD domain, some adjustments must be made to your network setup to ensure the flawless interaction of client and server.
Configure your client machine to use a DNS server that can forward DNS requests to the AD DNS server. Alternatively, configure your machine to use the AD DNS server as the name service data source.
To succeed with Kerberos authentication, the client must have its time set accurately. It is highly recommended to use a central NTP time server for this purpose (this can also be the NTP server running on your Active Directory domain controller). If the clock skew between your Linux host and the domain controller exceeds a certain limit, Kerberos authentication fails and the client is logged in using the weaker NTLM (NT LAN Manager) authentication. For more details about using Active Directory for time synchronization, see Procedure 5.1, “Joining an AD Domain”.
If your client uses dynamic network configuration with DHCP, configure DHCP to provide the same IP and hostname to the client. If possible, use static IP addresses.
To browse your network neighborhood, either disable the firewall entirely or mark the interface used for browsing as part of the internal zone.
To change the firewall settings on your client, log in as root and start the YaST firewall module. Select . Select your network interface from the list of interfaces and click . Select and apply your settings with . Leave the firewall settings with + . To disable the firewall, just set to and leave the firewall module with + .
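The DNS and clock requirements above can be verified before attempting the join. The following script is an added example, not part of the YaST or SUSE documentation; it assumes `dig` for the SRV lookup, `ntpdate -q` for the offset measurement, and uses the Kerberos default tolerance of 300 seconds where the text only says "a certain limit".

```shell
#!/bin/sh
# Pre-join checks for an AD client (added example, not SUSE/YaST code).
# Assumed tools: dig (DNS SRV lookup) and ntpdate -q (offset against a DC).
# The AD domain name in DNS format is passed as the first argument.

# Kerberos tolerates this much clock skew by default (seconds); the text
# above only says "a certain limit". 300 s is the krb5 default (clockskew).
KRB_MAX_SKEW=300

# Read `dig +short SRV` output on stdin ("prio weight port target.") and
# print one target host per line. Returns 1 when no record was found, i.e.
# the client's DNS is not integrated with (or forwarding to) the AD DNS.
srv_hosts() {
    found=1
    while read -r prio weight port target; do
        [ -n "$target" ] || continue
        printf '%s\n' "${target%.}"   # strip the trailing dot
        found=0
    done
    return $found
}

# Return 0 if an offset (seconds, may be negative or fractional) is within
# the Kerberos tolerance, 1 if a login would fall back to weaker NTLM.
skew_ok() {
    awk -v off="$1" -v max="$KRB_MAX_SKEW" \
        'BEGIN { if (off < 0) off = -off; exit (off > max) }'
}

# Live check: needs network access to the domain's DNS and its DCs.
preflight() {
    domain=$1
    hosts=$(dig +short SRV "_kerberos._tcp.$domain" | srv_hosts) || {
        echo "no Kerberos SRV records for $domain: fix DNS before joining"
        return 1
    }
    rc=0
    for h in $hosts; do
        # ntpdate -q prints "server <ip>, stratum N, offset <sec>, delay ..."
        off=$(ntpdate -q "$h" | sed -n 's/.*offset \(-\{0,1\}[0-9.]*\).*/\1/p' | head -n 1)
        if [ -n "$off" ] && skew_ok "$off"; then
            echo "DC $h: clock offset $off s (within Kerberos tolerance)"
        else
            echo "DC $h: clock offset ${off:-unknown} s; sync NTP before joining"
            rc=1
        fi
    done
    return $rc
}
# Usage: preflight mydomain.mycompany.com
```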
You cannot log in to an AD domain unless the AD administrator has provided you with a valid user account for that domain. Use the AD username and password to log in to the AD domain from your Linux client.
Join an existing AD domain during installation (or by later activating SMB user authentication with YaST in the installed system).
Currently only a domain administrator account, such as
To join an AD domain in a running system, proceed as follows:
Procedure 5.1. Joining an AD Domain
Log in as root and start YaST.
Start + .
Enter the domain to join at (see Figure 5.2, “Determining Windows Domain Membership”). If the DNS settings on your host are properly integrated with the Windows DNS server, enter the AD domain name in its DNS format (mydomain.mycompany.com). If you enter the short name of your domain (also known as the pre–Windows 2000 domain name), YaST must rely on NetBIOS name resolution instead of DNS to find the correct domain controller. To select from a list of available domains instead, use to list the NetBIOS domains, then select the desired domain.
Check to use the SMB source for Linux authentication.
Check to automatically create a local home directory for your AD user on the Linux machine.
Check to allow your domain users to log in even if the AD server is temporarily unavailable, or if you do not have a network connection.
Select if you want to change the UID and GID ranges for the Samba users and groups. Let DHCP retrieve the WINS server only if you need it. This is the case when some of your machines are resolved only by the WINS system.
Configure NTP time synchronization for your AD environment by selecting and entering an appropriate server name or IP address. This step is obsolete if you have already entered the appropriate settings in the standalone YaST NTP configuration module.
Click and confirm the domain join when prompted for it.
Provide the password for the Windows administrator on the AD server and click (see Figure 5.3, “Providing Administrator Credentials”).
After you have joined the AD domain, you can log in to it from your workstation using the display manager of your desktop or the console.