To support smart card redirection on a RHEL desktop, integrate the desktop with an Active Directory (AD) domain using the Samba and Winbind solutions.

Use the following procedure to integrate a RHEL desktop with an AD domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
Note: Smart card redirection is supported on desktops running RHEL 6 or later, or RHEL 7.1 or later.

Procedure

  1. On your RHEL desktop, install the required packages.
    # yum install nscd samba-winbind krb5-workstation pam_krb5 samba-winbind-clients authconfig-gtk
  2. Edit the network settings for your system connection. Open the NetworkManager control panel and navigate to the IPv4 Settings for your system connection. For IPv4 Method, select Automatic (DHCP) . In the DNS text box, enter the IP address of your DNS name server. Then click Apply.
  3. Run the following command and verify that it returns the Fully Qualified Domain Name (FQDN) of your RHEL desktop.
    # hostname -f
  4. Edit the /etc/resolve.conf configuration file, as shown in the following example.
    search mydomain.com
    nameserver dns_IP_ADDRESS
  5. Disable Security-Enhanced Linux (SELinux) on your RHEL desktop. Edit the /etc/selinux/config configuration file, as shown in the following example.
    SELINUX=disabled
  6. Edit the /etc/krb5.conf configuration file, as shown in the following example.
    [libdefaults]
          dns_lookup_realm = false
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
          rdns = false
          default_realm = MYDOMAIN.COM
          default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
          MYDOMAIN.COM = {
                kdc = ads-hostname
                admin_server = ads-hostname
                default_domain = ads-hostname
          }
    
    [domain_realm]
          .mydomain.com = MYDOMAIN.COM
          mydomain.com = MYDOMAIN.COM
  7. Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
    [global]
          workgroup = MYDOMAIN  
          password server = ads-hostname
          realm = MYDOMAIN.COM
          security = ads
          idmap config * : range = 16777216-33554431
          template homedir =/home/MYDOMAIN/%U
          template shell = /bin/bash 
          kerberos method = secrets and keytab
          winbind use default domain = true
          winbind offline logon = false 
          winbind refresh tickets = true
     
          passdb backend = tdbsam
  8. Open the authconfig-gtk tool and configure settings as follows.
    1. Select the Identity & Authentication tab. For User Account Database, select Winbind.
    2. Select the Advanced Options tab, and select the Create home directories on the first login check box.
    3. Select the Identity & Authentication tab and then click Join Domain. At the alert asking you to save changes, click Save.
    4. When prompted, enter the user name and password of the domain administrator, and click OK.
    Your RHEL desktop is joined to the AD domain.
  9. Set up ticket caching on PAM Winbind. Edit the /etc/security/pam_winbind.conf configuration file so that it includes the lines shown in the following example.
    [global]
    
    # authenticate using kerberos
    ;krb5_auth = yes 
    
    # create homedirectory on the fly
    ;mkhomedir = yes  
  10. Restart the Winbind service.
    # sudo service winbind restart
  11. To verify the AD join, run the following commands and check that they return the correct output.
    • net ads testjoin
    • net ads info
  12. Reboot your system and log back in.

What to do next

Set Up Smart Card Redirection for a RHEL Desktop