To support smart card redirection on a SLED/SLES desktop, integrate the desktop with an Active Directory (AD) domain using the Samba and Winbind solutions.

Use the following procedure to integrate a SLED/SLES desktop with an AD domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value             Description
----------------------------  -----------------------------------------------------------------------------
dns_IP_ADDRESS                IP address of your DNS name server
mydomain.com                  DNS name of your AD domain
MYDOMAIN.COM                  DNS name of your AD domain, in all capital letters
MYDOMAIN                      DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname                  Host name of your AD server
ads-hostname.mydomain.com     Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com    DNS name of your NTP time server
AdminUser                     User name of the Linux desktop administrator

Procedure

  1. Configure the network settings for your SLED/SLES desktop.
    1. Define the host name of the desktop by editing the /etc/hostname and /etc/hosts configuration files.
    2. Configure the DNS server IP address, and disable Automatic DNS. For SLES 12 SP3, also disable Change Hostname via DHCP.
    3. To configure network time synchronization, add your NTP server information to the /etc/ntp.conf file, as shown in the following example.
      server mytimeserver.mycompany.com
  2. Install the required AD join packages.
    # zypper in krb5-client samba-winbind
  3. Edit the required configuration files.
    1. Edit the /etc/samba/smb.conf file, as shown in the following example.
      [global]
              workgroup = MYDOMAIN
              usershare allow guests = NO
              idmap gid = 10000-20000
              idmap uid = 10000-20000
              kerberos method = secrets and keytab
              realm = MYDOMAIN.COM
              security = ADS
              template homedir = /home/%D/%U
              template shell = /bin/bash
              winbind use default domain = true
              winbind offline logon = yes
              winbind refresh tickets = yes
      [homes]
              ...
    2. Edit the /etc/krb5.conf file, as shown in the following example.
      [libdefaults]
              default_realm = MYDOMAIN.COM
              clockskew = 300 
      
      [realms]
              MYDOMAIN.COM = {
                      kdc = ads-hostname.mydomain.com
                      default_domain = mydomain.com 
                      admin_server = ads-hostname.mydomain.com
              }
      
      [logging]
              kdc = FILE:/var/log/krb5/krb5kdc.log
              admin_server = FILE:/var/log/krb5/kadmind.log
              default = SYSLOG:NOTICE:DAEMON
      
      [domain_realm]
              .mydomain.com = MYDOMAIN.COM
              mydomain.com = MYDOMAIN.COM
      
      [appdefaults]
              pam = {
                      ticket_lifetime = 1d
                      renew_lifetime = 1d
                      forwardable = true
                      proxiable = false
                      minimum_uid = 1
              }
    3. Edit the /etc/security/pam_winbind.conf file, as shown in the following example.
      cached_login = yes
      krb5_auth = yes
      krb5_ccache_type = FILE
    4. Edit the /etc/nsswitch.conf file, as shown in the following example.
      passwd: compat winbind
      group: compat winbind
  4. Join the AD domain, as shown in the following example.
    # net ads join -U AdminUser
  5. Enable the Winbind service.
    1. To enable and start Winbind, run the following sequence of commands.
      # pam-config --add --winbind
      # pam-config -a --mkhomedir
      # systemctl enable winbind
      # systemctl start winbind
    2. To ensure that AD users can log in to the desktop without having to restart the Linux server, run the following sequence of commands.
      # systemctl stop nscd
      # nscd -i passwd
      # nscd -i group
      # systemctl start nscd
  6. To confirm the success of the AD join, run the following commands and check that they list the users and groups of the AD domain.
    # wbinfo -u
    
    # wbinfo -g
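
Before running net ads join, it helps to confirm that the smb.conf and krb5.conf fragments above agree with each other. The following Python checker is an added example, not part of the original procedure or of the Samba or Kerberos packages; it parses constructed copies of the two files (using the same placeholder values as the procedure) and reports mismatches between realm, KDC host, domain_realm mappings and idmap ranges.

```python
# Constructed smb.conf and krb5.conf fragments using the procedure's placeholders (not a real domain).
SMB_CONF = """[global]
        security = ADS
        realm = MYDOMAIN.COM
        idmap uid = 10000-20000
        idmap gid = 10000-20000
"""
KRB5_CONF = """[libdefaults]
        default_realm = MYDOMAIN.COM
[realms]
        MYDOMAIN.COM = {
                kdc = ads-hostname.mydomain.com
                default_domain = mydomain.com
        }
[domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM
"""
def parse_conf(text):
    """Parse smb.conf/krb5.conf text into {section: {key: value}}; a krb5 'NAME = {' block becomes 'section/NAME'."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match no branch below
        if line.startswith("[") and line.endswith("]"):
            stack = [line[1:-1]]
        elif line.endswith("{"):
            stack.append(line[:-1].split("=", 1)[0].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections.setdefault("/".join(stack), {})[key.lower()] = value
    return sections
def check_ad_join_config(smb_text, krb5_text):
    """Cross-check the two files; returns a list of problems (empty means they agree)."""
    smb, krb, problems = parse_conf(smb_text).get("global", {}), parse_conf(krb5_text), []
    realm = smb.get("realm", "")
    if krb.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("krb5.conf: default_realm does not match the smb.conf realm")
    realm_block = krb.get("realms/" + realm, {})
    domain = realm_block.get("default_domain", realm.lower())
    if not realm_block.get("kdc", "").endswith("." + domain):
        problems.append("krb5.conf: kdc is not a fully qualified host under " + domain)
    if any(krb.get("domain_realm", {}).get(d) != realm for d in (domain, "." + domain)):
        problems.append("krb5.conf: [domain_realm] must map " + domain + " and ." + domain + " to " + realm)
    for kind in ("uid", "gid"):  # winbind maps AD accounts into these ranges; keep them clear of local accounts
        lo, _, hi = smb.get("idmap " + kind, "").partition("-")
        if not (lo.isdigit() and hi.isdigit() and 1000 <= int(lo) < int(hi)):
            problems.append("smb.conf: idmap " + kind + " must be a low-high range above local accounts")
    return problems
```

Run check_ad_join_config on the contents of your own /etc/samba/smb.conf and /etc/krb5.conf; an empty list means the files are consistent with each other.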

What to do next

Set Up Smart Card Redirection for a SLED/SLES Desktop