Integrate a SLED/SLES Desktop with Active Directory for Smart Card Redirection

To support smart card redirection on a SLED/SLES desktop, integrate the desktop with an Active Directory (AD) domain using the Samba and Winbind solutions.

Use the following procedure to integrate a SLED/SLES desktop with an AD domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.


Placeholder Value	Description
dns_IP_ADDRESS	IP address of your DNS name server
mydomain.com	DNS name of your AD domain
MYDOMAIN.COM	DNS name of your AD domain, in all capital letters
MYDOMAIN	DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname	Host name of your AD server
ads-hostname.mydomain.com	Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com	DNS name of your NTP time server
AdminUser	User name of the Linux desktop administrator

Procedure

Configure the network settings for your SLED/SLES desktop.
1. Define the host name of the desktop by editing the /etc/hostname and /etc/hosts configuration files.
2. Configure the DNS server IP address, and disable Automatic DNS. For SLES 12 SP3, also disable Change Hostname via DHCP.
3. To configure network time synchronization, add your NTP server information to the /etc/ntp.conf file, as shown in the following example.
```
server mytimeserver.mycompany.com
```
Install the required AD join packages.
```
# zypper in krb5-client samba-winbind
```

Edit the required configuration files.

Edit the /etc/samba/smb.conf file, as shown in the following example.

[global]
        workgroup = MYDOMAIN
        usershare allow guests = NO
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        kerberos method = secrets and keytab
        realm = MYDOMAIN.COM
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain=true
        winbind offline logon = yes
        winbind refresh tickets = yes
[homes]
        ...

Edit the /etc/krb5.conf file, as shown in the following example.

[libdefaults]
        default_realm = MYDOMAIN.COM
        clockskew = 300 

[realms]
        MYDOMAIN.COM = {
                kdc = ads-hostname.mydomain.com
                default_domain = mydomain.com 
                admin_server = ads-hostname.mydomain.com
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                minimum_uid = 1
        }

Edit the /etc/security/pam_winbind.conf file, as shown in the following example.
```
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
```
Edit the /etc/nsswitch.conf file, as shown in the following example.
```
passwd: compat winbind
group: compat winbind
```

Join the AD domain, as shown in the following example.
```
# net ads join -U AdminUser
```
Enable the Winbind service.
1. To enable and start Winbind, run the following sequence of commands.
```
# pam-config --add --winbind
# pam-config -a --mkhomedir
# systemctl enable winbind
# systemctl start winbind
```
2. To ensure that AD users can log in to the desktop without having to restart the Linux server, run the following sequence of commands.
```
# systemctl stop nscd
# nscd -i passwd
# nscd -i group
# systemctl start nscd
```
To confirm the success of the AD join, run the following commands and check that they return the correct output.
```
# wbinfo -u

# wbinfo -g
```

What to do next

Set Up Smart Card Redirection for a SLED/SLES Desktop