To support smart card redirection on Ubuntu desktops, integrate the base virtual machine (VM) with an Active Directory (AD) domain using the Samba and Winbind solutions.
Use the following procedure to integrate an Ubuntu VM with an AD domain for smart card redirection.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value |
Description |
dns_IP_ADDRESS |
IP address of your DNS name server |
mydomain.com |
DNS name of your AD domain |
MYDOMAIN.COM |
DNS name of your AD domain, in all capital letters |
MYDOMAIN |
DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters |
ads-hostname |
Host name of your AD server |
ads-hostname.mydomain.com |
Fully qualified domain name (FQDN) of your AD server |
mytimeserver.mycompany.com |
DNS name of your NTP time server |
AdminUser |
User name of the VM administrator |
Procedure
- On the Ubuntu VM, define the host name of the VM by editing the /etc/hostname configuration file.
- Configure DNS.
- Add the DNS server name and IP address to the /etc/hosts configuration file.
- Add your DNS name server's IP address and the DNS name of your AD domain to the /etc/network/interfaces configuration file, as shown in the following example.
dns-nameservers dns_IP_ADDRESS
dns-search mydomain.com
- Install the resolvconfig package.
- Run the installation command.
apt-get install -y resolvconf
Allow the system to install the package and reboot.
- Verify your DNS configuration in the /etc/resolv.conf file, as shown in the following example.
cat /etc/resolv.conf
…
nameserver dns_IP_ADDRESS
search mydomain.com
- Configure network time synchronization.
- Install the ntpdate package.
apt-get install -y ntpdate
- Add the NTP server information to the /etc/systemd/timesyncd.conf configuration file, as shown in the following example.
[Time]
NTP=mytimeserver.mycompany.com
- Restart the NTP service.
sudo service ntpdate restart
- Install the required AD join packages.
- Run the installation command.
apt-get install -y samba krb5-config krb5-user winbind libpam-winbind
libnss-winbind
- At the installation prompt asking for the default Kerberos realm, enter the DNS name of your AD domain in capital letters (for example, MYDOMAIN.COM). Then select Ok.
- Edit the /etc/krb5.conf configuration file, as shown in the following example.
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = MYDOMAIN.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MYDOMAIN.COM = {
kdc = ads-hostname.mydomain.com
admin_server = ads-hostname.mydomain.com
default_domain = ads-hostname.mydomain.com
pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
pkinit_cert_match = <KU>digitalSignature
pkinit_kdc_hostname = ads-hostname.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
- To verify the Kerberos certification, run the following commands.
kinit Administrator@MYDOMAIN.COM
klist
Verify that the commands return output similar to the following example.
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYDOMAIN.COMValid starting Expires Service principal
2019-05-27T17:12:03 2019-05-28T03:12:03 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 2019-05-28T17:12:03
- Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
password server = ads-hostname.mydomain.com
security = ads
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
template homedir =/home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
passdb backend = tdbsam
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
- Join the AD domain, and check the integration.
- Run the AD join commands.
net ads join -U AdminUser@mydomain.com
systemctl stop samba-ad-dc
systemctl enable smbd nmbd winbind
systemctl restart smbd nmbd winbind
- Modify the /etc/nsswitch.conf configuration file, as shown in the following example.
passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat
gshadow: files
- To check the results of the AD join, run the following commands and verify that they return the correct output.
- To check the Winbind Name Service Switch, run the following commands and verify that they return the correct output.
getent group|grep 'domain admins'
getent passwd|grep 'ads-hostname'
- Enable all PAM profiles.
In the PAM Configuration screen, select all the PAM profiles, including
Create home directory on login, and then select
Ok.
- On Ubuntu 16.04, enable the user switch in the login screen. Modify the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file as shown in the following example.
user-session=ubuntu
greeter-show-manual-login=true