To support smart card redirection on Ubuntu desktops, integrate the base virtual machine (VM) with an Active Directory (AD) domain using the Samba and Winbind solutions.

Use the following procedure to integrate an Ubuntu VM with an AD domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
ads-hostname.mydomain.com Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com DNS name of your NTP time server
AdminUser User name of the VM administrator

Procedure

  1. On the Ubuntu VM, define the host name of the VM by editing the /etc/hostname configuration file.
  2. Configure DNS.
    1. Add the DNS server name and IP address to the /etc/hosts configuration file.
    2. Add your DNS name server's IP address and the DNS name of your AD domain to the /etc/network/interfaces configuration file, as shown in the following example.
      dns-nameservers dns_IP_ADDRESS
      dns-search mydomain.com
  3. Install the resolvconfig package.
    1. Run the installation command.
      apt-get install -y resolvconf
      Allow the system to install the package and reboot.
    2. Verify your DNS configuration in the /etc/resolv.conf file, as shown in the following example.
      cat /etc/resolv.conf
      …
      nameserver dns_IP_ADDRESS
      search mydomain.com
  4. Configure network time synchronization.
    1. Install the ntpdate package.
      apt-get install -y ntpdate
    2. Add the NTP server information to the /etc/systemd/timesyncd.conf configuration file, as shown in the following example.
      [Time]
      NTP=mytimeserver.mycompany.com
  5. Restart the NTP service.
    sudo service ntpdate restart
  6. Install the required AD join packages.
    1. Run the installation command.
      apt-get install -y samba krb5-config krb5-user winbind libpam-winbind
          libnss-winbind
    2. At the installation prompt asking for the default Kerberos realm, enter the DNS name of your AD domain in capital letters (for example, MYDOMAIN.COM). Then select Ok.
  7. Edit the /etc/krb5.conf configuration file, as shown in the following example.
    [libdefaults]
          dns_lookup_realm = false
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
          rdns = false
          default_realm = MYDOMAIN.COM
          default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
          MYDOMAIN.COM = {
                kdc = ads-hostname.mydomain.com
                admin_server = ads-hostname.mydomain.com
                default_domain = ads-hostname.mydomain.com
                pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
                pkinit_cert_match = <KU>digitalSignature
                pkinit_kdc_hostname = ads-hostname.mydomain.com
          }
    
    [domain_realm]
          .mydomain.com = MYDOMAIN.COM
          mydomain.com = MYDOMAIN.COM
  8. To verify the Kerberos certification, run the following commands.
    kinit Administrator@MYDOMAIN.COM
    
    klist
    Verify that the commands return output similar to the following example.
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@MYDOMAIN.COMValid starting        Expires                Service principal
    2019-05-27T17:12:03   2019-05-28T03:12:03    krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
            renew until 2019-05-28T17:12:03    
    
  9. Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
    [global]
          workgroup = MYDOMAIN  
          realm = MYDOMAIN.COM
          password server = ads-hostname.mydomain.com
          security = ads
          kerberos method = secrets only
          winbind use default domain = true
          winbind offline logon = false 
          template homedir =/home/%D/%U
          template shell = /bin/bash 
          client use spnego = yes
          client ntlmv2 auth = yes
          encrypt passwords = yes
          passdb backend = tdbsam
          winbind enum users = yes
          winbind enum groups = yes
          idmap uid = 10000-20000
          idmap gid = 10000-20000
  10. Join the AD domain, and check the integration.
    1. Run the AD join commands.
      net ads join -U AdminUser@mydomain.com
      systemctl stop samba-ad-dc
      systemctl enable smbd nmbd winbind
      systemctl restart smbd nmbd winbind
    2. Modify the /etc/nsswitch.conf configuration file, as shown in the following example.
      passwd:    compat systemd winbind
      group:     compat systemd winbind
      shadow:    compat
      gshadow:   files
    3. To check the results of the AD join, run the following commands and verify that they return the correct output.
      wbinfo -u
      
      wbinfo -g
    4. To check the Winbind Name Service Switch, run the following commands and verify that they return the correct output.
      getent group|grep 'domain admins'
      
      getent passwd|grep 'ads-hostname'
  11. Enable all PAM profiles.
    pam-auth-update
    In the PAM Configuration screen, select all the PAM profiles, including Create home directory on login, and then select Ok.
  12. On Ubuntu 16.04, enable the user switch in the login screen. Modify the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file as shown in the following example.
    user-session=ubuntu
    greeter-show-manual-login=true

What to do next

Set Up Smart Card Redirection on an Ubuntu Virtual Machine