11.3 Configuring a Linux Client for Active Directory
Before your client can join an AD domain, some adjustments must be made
to your network setup to ensure a flawless interaction of client and server.
- DNS
  Configure your client machine to use a DNS server that can forward DNS requests to the AD DNS server. Alternatively, configure your machine to use the AD DNS server as the name service data source.
- NTP
  To succeed with Kerberos authentication, the client must have its time set accurately. It is highly encouraged to use a central NTP time server for this purpose (this can also be the NTP server running on your Active Directory domain controller). If the clock skew between your Linux host and the domain controller exceeds a certain limit, Kerberos authentication fails and the client is logged in only using the weaker NTLM (NT LAN Manager) authentication.
- DHCP
  If your client uses dynamic network configuration with DHCP, configure DHCP to provide the same IP and hostname to the client. If possible, use static IP addresses to be on the safe side.
- Firewall
  To browse your network neighborhood, either disable the firewall entirely or mark the interface used for browsing as part of the internal zone.
  To change the firewall settings on your client, log in as root and start the YaST firewall module. Select . Select your network interface from the list of interfaces and click . Select and apply your settings with . Leave the firewall settings with . To disable the firewall, just set to and leave the firewall module with .
- AD Account
  You cannot log in to an AD domain unless the AD administrator has provided you with a valid user account for this domain. Use the AD username and password to log in to the AD domain from your Linux client.
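A preflight script for the DNS, NTP and DHCP/hostname prerequisites above, added here as an example (it is not part of the SUSE documentation or of YaST). It assumes that dig and ntpdate are installed, that the domain controller also serves NTP when no separate server is given, and it uses 300 seconds, the MIT Kerberos default clock-skew tolerance, as the limit.

```shell
#!/bin/bash
# Constructed preflight check before joining an AD domain (example, not YaST code).
# Assumes: dig (bind-utils) and ntpdate are installed; MAX_SKEW of 300 s is the
# MIT Kerberos default clock-skew tolerance.

MAX_SKEW=300

# SRV record under which an AD domain advertises its domain controllers.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# 0 if the name is in DNS form (mydomain.mycompany.com); 1 for a short
# pre-Windows 2000 name, which forces NetBIOS resolution instead of DNS.
is_dns_form() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Extract the offset (seconds) from `ntpdate -q` output, e.g.
# "server 10.0.0.1, stratum 2, offset -0.012345, delay 0.02567"
ntpdate_offset() {
    sed -n 's/.*offset \([-0-9.]*\),.*/\1/p' | head -n 1
}

# 0 if |offset| is within MAX_SKEW, 1 otherwise (Kerberos would then fail and
# the login would fall back to the weaker NTLM).
skew_ok() {
    awk -v o="$1" -v max="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit (!(o <= max)) }'
}

# Usage: adjoin-preflight.sh DOMAIN [NTP_SERVER]   (NTP_SERVER defaults to the domain,
# whose A records normally point at the domain controllers)
if [ "$#" -ge 1 ]; then
    domain=$1; ntp=${2:-$domain}
    if is_dns_form "$domain"; then
        srv=$(dc_srv_name "$domain")
        dig +short SRV "$srv" | grep -q . && echo "OK   DNS: $srv resolves" \
            || { echo "FAIL DNS: no SRV record for $srv"; exit 1; }
    else
        echo "WARN $domain is a short name; YaST will fall back to NetBIOS lookup"
    fi
    off=$(ntpdate -q "$ntp" 2>/dev/null | ntpdate_offset)
    [ -n "$off" ] || { echo "FAIL NTP: could not query $ntp"; exit 1; }
    skew_ok "$off" && echo "OK   NTP: offset ${off}s within ${MAX_SKEW}s" \
        || { echo "FAIL NTP: offset ${off}s exceeds ${MAX_SKEW}s"; exit 1; }
    # DHCP/hostname consistency: our FQDN must resolve back to our own address.
    fqdn=$(hostname -f); ip=$(hostname -I | awk '{print $1}')
    getent hosts "$fqdn" | grep -qwF "$ip" && echo "OK   hostname $fqdn -> $ip" \
        || echo "WARN hostname $fqdn does not resolve to $ip; check DHCP or use a static IP"
fi
```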
Join an existing AD domain during installation or by later
activating SMB user authentication with YaST in the installed
system. The domain join during installation is covered in
Configuring the Host as a Windows Domain Member.
NOTE: Currently only a domain administrator account, such as Administrator, can join SUSE Linux Enterprise Desktop into Active Directory.
To join an AD domain in a running system, proceed as follows:
- Log in as root and start YaST.
- Start .
- Enter the domain to join at in the screen (see Figure 11-2). If the DNS settings on your host are properly integrated with the Windows DNS server, enter the AD domain name in its DNS format (mydomain.mycompany.com). If you enter the short name of your domain (also known as the pre–Windows 2000 domain name), YaST must rely on NetBIOS name resolution instead of DNS to find the correct domain controller. To select from a list of available domains instead, use to list the NetBIOS domains, then select the desired domain.
- Check to use the SMB source for Linux authentication.
- Check to automatically create a local home directory for your AD user on the Linux machine.
- Check to allow your domain users to log in even if the AD server is temporarily unavailable or you do not have a network connection.
- Click and confirm the domain join when prompted for it.
- Provide the password for the Windows administrator on the AD server and click (see Figure 11-3).
After you have joined the AD domain, you can log in to it from your
workstation using the display manager of your desktop or the console.