To support smart card redirection on a SLED/SLES desktop, integrate the desktop with an Active Directory (AD) domain using the Samba and Winbind solutions.
Use the following procedure to integrate a SLED/SLES desktop with an AD domain for smart card redirection.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value |
Description |
dns_IP_ADDRESS |
IP address of your DNS name server |
mydomain.com |
DNS name of your AD domain |
MYDOMAIN.COM |
DNS name of your AD domain, in all capital letters |
MYDOMAIN |
DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters |
ads-hostname |
Host name of your AD server |
ads-hostname.mydomain.com |
Fully qualified domain name (FQDN) of your AD server |
mytimeserver.mycompany.com |
DNS name of your NTP time server |
AdminUser |
User name of the Linux desktop administrator |
Procedure
- Configure the network settings for your SLED/SLES desktop.
- Define the host name of the desktop by editing the /etc/hostname and /etc/hosts configuration files.
- Configure the DNS server IP address, and disable Automatic DNS. For SLES 12 SP3, also disable Change Hostname via DHCP.
- To configure network time synchronization, add your NTP server information to the /etc/ntp.conf file, as shown in the following example.
server mytimeserver.mycompany.com
- Install the required AD join packages.
# zypper in krb5-client samba-winbind
- Edit the required configuration files.
- Edit the /etc/samba/smb.conf file, as shown in the following example.
[global]
workgroup = MYDOMAIN
usershare allow guests = NO
idmap gid = 10000-20000
idmap uid = 10000-20000
kerberos method = secrets and keytab
realm = MYDOMAIN.COM
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain=true
winbind offline logon = yes
winbind refresh tickets = yes
[homes]
...
- Edit the /etc/krb5.conf file, as shown in the following example.
[libdefaults]
default_realm = MYDOMAIN.COM
clockskew = 300
[realms]
MYDOMAIN.COM = {
kdc = ads-hostname.mydomain.com
default_domain = mydomain.com
admin_server = ads-hostname.mydomain.com
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}
- Edit the /etc/security/pam_winbind.conf file, as shown in the following example.
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
- Edit the /etc/nsswitch.conf file, as shown in the following example.
passwd: compat winbind
group: compat winbind
- Join the AD domain, as shown in the following example.
# net ads join -U AdminUser
- Enable the Winbind service.
- To enable and start Winbind, run the following sequence of commands.
# pam-config --add --winbind
# pam-config -a --mkhomedir
# systemctl enable winbind
# systemctl start winbind
- To ensure that AD users can log in to the desktop without having to restart the Linux server, run the following sequence of commands.
# systemctl stop nscd
# nscd -i passwd
# nscd -i group
# systemctl start nscd
- To confirm the success of the AD join, run the following commands and check that they return the correct output.