To configure smart card redirection on a SLED/SLES virtual machine (VM), install the libraries on which the feature depends and the root CA certificate to support the trusted authentication of smart cards. In addition, you must edit some configuration files to complete the authentication setup.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
ads-hostname.mydomain.com Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com DNS name of your NTP time server
AdminUser User name of the VM administrator

Prerequisites

Complete the steps described in Integrate a SLED/SLES Virtual Machine with Active Directory for Smart Card Redirection.

Procedure

  1. Install the required library packages.
    1. Install the PAM library and other packages.
      # zypper install pam_pkcs11 mozilla-nss mozilla-nss-tools 
          pcsc-lite pcsc-ccid opensc coolkey pcsc-tools

      You may need to enable extensions like PackageHub to install all the above packages

    2. To use the installed packages, enable extensions like PackageHub and install the PC/SC tools. For example, you can run the following commands for SLED/SLES 12 SP3.
      # SUSEConnect --list-extensions
      # SUSEConnect -p PackageHub/12.3/x86_64
      # zypper in pcsc-tools
  2. Install a Root Certification Authority (CA) certificate.
    1. Download a root CA certificate and save it to /tmp/certificate.cer on the system. See How to Export Root Certification Authority Certificate.
    2. Locate the root CA certificate that you downloaded, transfer it to a .pem file, and create a hash file.
      # openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
      # cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
      # chmod a+r /etc/pam_pkcs11/cacerts/certificate.pem
      # cd /etc/pam_pkcs11/cacerts
      # pkcs11_make_hash_link
    3. Install trust anchors to the NSS database.
      # mkdir /etc/pam_pkcs11/nssdb
      # certutil -N -d /etc/pam_pkcs11/nssdb
      # certutil -L -d /etc/pam_pkcs11/nssdb
      # certutil -A -n rootca -i certificate.pem -t "CT,CT,CT" -d /etc/pam_pkcs11/nssdb
    4. Install the required drivers.
      # cp libcmP11.so /usr/lib64/
      # modutil -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so -dbdir /etc/pam_pkcs11/nssdb/
  3. Edit the /etc/pam_pkcs11/pam_pkcs11.conf file.
    1. Delete the line use_pkcs11_module = nss. In its place, add the line use_pkcs11_module = mysc.
    2. Add the mysc module, as shown in the following example.
      pkcs11_module mysc {
        module = /usr/lib64/libcmP11.so;
        description = "MY Smartcard";
        slot_num = 0;
        nss_dir = /etc/pam_pkcs11/nssdb;
        cert_policy = ca, ocsp_on, signature, crl_auto;
      }
    3. Update the Common Name mapper configuration, as shown in the following example.
      # Assume common name (CN) to be the login
      mapper cn {
            debug = false;
            module = internal;
            # module = /usr/lib64/pam_pkcs11/cn_mapper.so;
            ignorecase = true;
            mapfile = file:///etc/pam_pkcs11/cn_map;}
    4. Delete the line use_mappers = ms. In its place, add the line use_mappers = cn, null.
  4. Edit the /etc/pam_pkcs11/cn_map configuration file so that it includes the following line.
    ads-hostname -> ads-hostname
  5. Modify the PAM configuration.
    1. To make it possible to configure smart card authentication, first disable the pam_config tool.
      # find /etc/pam.d/ -type l -iname "common-*" -delete
      # for X in /etc/pam.d/common-*-pc; do cp -ivp $X ${X:0:-3}; done
    2. Create a file named common-auth-smartcard under the /etc/pam.d/ directory. Add the following content to the file.
      auth    required        pam_env.so
      auth    sufficient      pam_pkcs11.so
      auth    optional        pam_gnome_keyring.so
      auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
      auth    required        pam_winbind.so  use_first_pass
    3. Replace the line auth include common-auth with the line auth include common-auth-smartcard in both of these files: /etc/pam.d/gdm and /etc/pam.d/xscreensaver.
  6. To configure the pcscd service to start automatically after the VM restarts, edit the appropriate file for your SLED/SLES version.
    • (SLED/SLES 12.x) Add the line rcpcscd start to /etc/init.d/after.local so that the file resembles the following example.
      #! /bin/sh
      #
      # Copyright (c) 2010 SuSE LINUX Products GmbH, Germany. All rights reserved.
      #
      # Author: Werner Fink, 2010
      #
      # /etc/init.d/after.local
      #
      # script with local commands to be executed from init after all scripts
      # of a runlevel have been executed.
      #
      # Here you should add things, that should happen directly after
      # runlevel has been reached.
      #
      rcpcscd start
    • (SLED/SLES 15.x) Add the line WantedBy=multi-user.target to /usr/lib/systemd/system/pcscd.service so that the file resembles the following example.
      [Unit]
      Description=PC/SC Smart Card Daemon
      Requires=pcscd.socket
      
      [Service]
      ExecStart=/usr/sbin/pcscd --foreground --auto-exit
      ExecReload=/usr/sbin/pcscd --hotplug
      
      [Install]
      Also=pcscd.socket
      WantedBy=multi-user.target
      After editing the pcscd.service file, run the following command.
      systemctl enable pcscd
    Note: If the pcscd service does not start after the VM restarts, the first login via pam_pkcs11 fails.
  7. Disable the firewall.
    # rcSuSEfirewall2 stop
    # chkconfig SuSEfirewall2_setup off
    # chkconfig SuSEfirewall2_init off
    Note: Smart card redirection sometimes fails when the firewall is enabled.
  8. Update the PC/SC Lite library to version 1.8.8.
    • For SLED/SLES 12 SP3 or 15.x, use the following sequence of commands. Replace <SUSE-version> with the version number of your distribution, for example 15.2 for SLED/SLES 15 SP2.
      # SUSEConnect -p sle-sdk/<SUSE-version>/x86_64
      # zypper in git autoconf automake libtool flex libudev-devel gcc
      # git clone https://salsa.debian.org/rousseau/PCSC.git
      # cd PCSC/
      # git checkout -b pcsc-1.8.8 1.8.8
      # ./bootstrap
      # ./configure -program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr 
        --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include  
        --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib64 
        --mandir=/usr/share/man --infodir=/usr/share/info --disable-static --enable-usbdropdir=/usr/lib64/pcsc/drivers
      # make
      # make install
    • For SLES 12 SP5, use the following sequence of commands.
      # SUSEConnect -p sle-sdk/12.5/x86_64                                      
      # zypper in git-core autoconf automake libtool flex libudev-devel gcc     
      # git clone https://salsa.debian.org/rousseau/PCSC.git
      # cd PCSC/
      # git checkout -b pcsc-1.8.8 1.8.8
      # ./bootstrap
      # ./configure -program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib64 --mandir=/usr/share/man --infodir=/usr/share/info --disable-static --enable-usbdropdir=/usr/lib64/pcsc/drivers
      # make
      # make install
  9. (SLED/SLES 15.x) To ensure that the smart card greeter functions properly, modify the org.gnome.Shell.desktop file on the VM.
    1. Open the /usr/share/applications/org.gnome.Shell.desktop file.
    2. In the file, find and replace Exec=/usr/bin/gnome-shellwith the following line.
      Exec=sh -c "DISPLAY=:${DISPLAY##*:} exec /usr/bin/gnome-shell"
      
    3. Save and close the file.
  10. Install the Horizon Agent package, with smart card redirection enabled.
    # sudo ./install_viewagent.sh -m yes
  11. Restart the VM and log back in.