Join and authenticate on Active Directory

Could someone point me to material on joining an openSUSE computer to an Active Directory domain and also authenticating to the domain?


Never done it but this should work

My personal SOP is to never try to do both (authenticate/create new <and> join in a single operation).
Doesn’t matter if you’re talking about all Windows or joining a Linux box,
I find there are too many moving parts with a decent probability of error.

I highly recommend…
Create your User ahead of time (or use an existing Domain Admin account to do the actual join).
Then join using your prepared User account.

And, I’ve found that the main problem joining is proper name resolution connecting to the Domain Controller; if normal DNS isn’t sufficient, then a temporary Hosts file entry will solve that problem.


I can join the machine in the field without problems; I’m not able to log in using a domain user.

What shows up in the log when you try to authenticate with a domain user?

# journalctl -b |grep winbind

Last week I spent about 4 hours trying to figure out why all of a sudden I couldn’t log on to my Tumbleweed VM with a domain user.

Here are some tools to check what’s working:

# wbinfo -u         # (shows all AD users)
# wbinfo -g         # (shows all AD groups)
# getent passwd     # (shows local users)
# net ads info      # (shows AD info)
# net ads testjoin  # (shows Join is OK)

plaintext password authentication failed
challenge/response password authentication succeeded

plaintext kerberos password authentication for [DOMAINUSER%PASSWORD] failed (requesting cctype: FILE) 
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user [DOMAINUSER%PASSWORD] with kerberos (ccache:FILE)

With Domain prepended it works.

plaintext kerberos password authentication for [DOMAIN\DOMAINUSER%PASSWORD] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

After adding "winbind use default domain = true" to smb.conf and restarting winbind.service:

# wbinfo -K DOMAINUSER%PASSWORD
plaintext kerberos password authentication for [DOMAINUSER%PASSWORD] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

plaintext password authentication succeeded
challenge/response password authentication succeeded

And domain user logon is successful for me.

Hope this helps.
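
The behaviour in the post above (a bare DOMAINUSER fails with NT_STATUS_NO_SUCH_USER until "winbind use default domain" is enabled) can be checked from the configuration itself. This is an added example, not part of the thread: the function names and the sample smb.conf are constructed, and it assumes the setting lives in [global] of a single file with no include directives.

```shell
#!/bin/sh
# Added example: report the "winbind use default domain" value that applies
# in [global] of an smb.conf-style file, and the login name form to expect.

# Constructed sample config (not taken from the thread).
sample_conf() {
cat <<'EOF'
# constructed sample smb.conf
[global]
    workgroup = EXAMPLE
    security = ADS
    ; winbind use default domain = yes
    Winbind Use  Default Domain = True

[share]
    winbind use default domain = no
EOF
}

# Prints "yes" or "no". Reads the files given as arguments, or stdin.
# smb.conf names ignore case and whitespace; booleans are yes/true/1.
winbind_default_domain() {
    awk '
        BEGIN { val = "no" }                  # Samba default is no
        /^[ \t]*[#;]/ { next }                # skip comment lines
        /^[ \t]*\[/ {                         # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            v = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (name == "winbindusedefaultdomain")   # last setting wins
                val = (v == "yes" || v == "true" || v == "1") ? "yes" : "no"
        }
        END { print val }
    ' "$@"
}

# Prints the user name form winbind should accept with that setting.
expected_login_form() {
    if [ "$(winbind_default_domain "$@")" = "yes" ]; then
        printf '%s\n' 'DOMAINUSER'
    else
        printf '%s\n' 'DOMAIN\DOMAINUSER'
    fi
}

sample_conf | expected_login_form   # demo on the constructed sample
```

Pass a real path, for example `expected_login_form /etc/samba/smb.conf`, to check a live configuration.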


Verify your machine is truly joined to the Domain (Inspect your AD in a Domain Controller).

If you created a Hosts file entry to join your machine to the Domain, be sure to remove it after a successful join so that what I call the AD (or LDAP) “Troika” of DNS, DNS, and Domain Controller resolution and communication takes full effect with the next login (if you need to, logout and back in).

If your network is large enough that you have multiple Domain Controllers, be aware that any changes you make to your AD may not have replicated to other DCs, so directory info may be inconsistent for a while. Push changes (manually initiate replication) if necessary, otherwise changes should be fully replicated throughout by the following day.

If you still have problems, then troubleshoot as follows:

  • Ping your Domain Controllers by name
  • Ping your DNS by name
  • Ping other Domain resources by name
  • Try another Domain User account.