To support smart card redirection on RHEL 7.x desktops, integrate the base virtual machine (VM) with your Active Directory (AD) domain using the Samba and Winbind solutions.
Use the following procedure to integrate a RHEL 7.x VM with your AD domain for smart card redirection.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value | Description
dns_IP_ADDRESS | IP address of your DNS name server
mydomain.com | DNS name of your AD domain
MYDOMAIN.COM | DNS name of your AD domain, in all capital letters (the Kerberos realm)
MYDOMAIN | Short (NetBIOS) name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname | Host name of your AD server
Note: Smart card redirection is supported on desktops running RHEL 7.2 or later.
Procedure
- On the RHEL 7.x VM, install the required packages.
# yum install nscd samba-winbind krb5-workstation pam_krb5 samba-winbind-clients authconfig-gtk
- Edit the network settings for your system connection. Open the NetworkManager control panel and navigate to the IPv4 Settings for your system connection. For IPv4 Method, select Automatic (DHCP). In the DNS text box, enter the IP address of your DNS name server. Then click Apply.
- Run the following command and verify that it returns the Fully Qualified Domain Name (FQDN) of the RHEL 7.x VM.
- Edit the /etc/resolv.conf configuration file, as shown in the following example.
search mydomain.com
nameserver dns_IP_ADDRESS
- Disable Security-Enhanced Linux (SELinux) on the RHEL 7.x VM. Edit the /etc/selinux/config configuration file and set SELINUX=disabled, as shown in the following example. The setting takes effect when the VM is restarted at the end of this procedure. Note that this removes SELinux confinement from the whole desktop, not only from the smart card components.
- Edit the /etc/krb5.conf configuration file, as shown in the following example.
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = MYDOMAIN.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MYDOMAIN.COM = {
kdc = ads-hostname
admin_server = ads-hostname
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
- Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
[global]
workgroup = MYDOMAIN
password server = ads-hostname
realm = MYDOMAIN.COM
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/MYDOMAIN/%U
template shell = /bin/bash
kerberos method = secrets and keytab
winbind use default domain = true
winbind offline logon = false
winbind refresh tickets = true
passdb backend = tdbsam
- Open the authconfig-gtk tool and configure settings as follows.
- Select the Identity & Authentication tab. For User Account Database, select Winbind.
- Select the Advanced Options tab, and select the Create home directories on the first login check box.
- Select the Identity & Authentication tab and then click Join Domain. At the alert asking you to save changes, click Save.
- When prompted, enter the user name and password of a domain account that is permitted to join computers to the domain (for example, the domain administrator), and click OK.
The RHEL 7.x VM is joined to the AD domain.
- Set up ticket caching on PAM Winbind. Edit the /etc/security/pam_winbind.conf configuration file so that it includes the lines shown in the following example. A leading semicolon in this file comments a setting out, so make sure the krb5_auth and mkhomedir lines are not prefixed with one.
[global]
# authenticate using kerberos
krb5_auth = yes
# create homedirectory on the fly
mkhomedir = yes
- Restart the Winbind service.
# systemctl restart winbind
- To verify the AD join, run the following commands and ensure that they return the correct output. net ads testjoin should report that the join is OK, and net ads info should show the realm and the AD server you configured.
- net ads testjoin
- net ads info
- Restart the RHEL 7.x VM and log back in.
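As an added example (not part of this page or of the vendor's documentation), the following shell script renders the resolv.conf, krb5.conf, smb.conf and pam_winbind.conf fragments from the procedure above from one set of variables, so that every placeholder is substituted consistently and the pam_winbind settings are written uncommented. The DNS server address 192.0.2.53, the domain mydomain.com and the AD server name dc01.mydomain.com are assumed placeholders; override them in the environment. With ROOT set to a staging directory the script renders without touching the system; run it as root with the argument apply to write under /etc, restart winbind and check the join.

```shell
#!/bin/bash
# Added example: render the configuration files from this procedure from one
# set of variables. Default values below are constructed placeholders.
set -eu

DNS_IP_ADDRESS="${DNS_IP_ADDRESS:-192.0.2.53}"   # assumed; replace with your DNS server
DOMAIN="${DOMAIN:-mydomain.com}"                 # DNS name of the AD domain
REALM="$(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')"  # e.g. MYDOMAIN.COM
WORKGROUP="${WORKGROUP:-${REALM%%.*}}"           # short domain name, e.g. MYDOMAIN
ADS_HOSTNAME="${ADS_HOSTNAME:-dc01.${DOMAIN}}"   # assumed AD server host name
ROOT="${ROOT:-/}"   # ROOT=/tmp/stage renders into a staging tree instead of /etc

render_resolv_conf() {
cat <<EOF
search ${DOMAIN}
nameserver ${DNS_IP_ADDRESS}
EOF
}

render_krb5_conf() {
cat <<EOF
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = ${REALM}
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 ${REALM} = {
  kdc = ${ADS_HOSTNAME}
  admin_server = ${ADS_HOSTNAME}
  default_domain = ${DOMAIN}
 }
[domain_realm]
 .${DOMAIN} = ${REALM}
 ${DOMAIN} = ${REALM}
EOF
}

render_smb_conf() {
cat <<EOF
[global]
 workgroup = ${WORKGROUP}
 password server = ${ADS_HOSTNAME}
 realm = ${REALM}
 security = ads
 idmap config * : range = 16777216-33554431
 template homedir = /home/${WORKGROUP}/%U
 template shell = /bin/bash
 kerberos method = secrets and keytab
 winbind use default domain = true
 winbind offline logon = false
 winbind refresh tickets = true
 passdb backend = tdbsam
EOF
}

# A leading ';' would disable these settings, so they are written bare.
render_pam_winbind_conf() {
cat <<EOF
[global]
# authenticate using kerberos
krb5_auth = yes
# create homedirectory on the fly
mkhomedir = yes
EOF
}

# Write all four files under the given root (default: the live system).
render_all() {
  local root="${1:-$ROOT}"
  install -d "$root/etc/samba" "$root/etc/security"
  render_resolv_conf      > "$root/etc/resolv.conf"
  render_krb5_conf        > "$root/etc/krb5.conf"
  render_smb_conf         > "$root/etc/samba/smb.conf"
  render_pam_winbind_conf > "$root/etc/security/pam_winbind.conf"
}

# Fail unless each rendered file carries the setting the procedure depends on.
check_rendered() {
  local root="$1"
  grep -q "^nameserver ${DNS_IP_ADDRESS}\$" "$root/etc/resolv.conf" &&
  grep -q "default_realm = ${REALM}\$" "$root/etc/krb5.conf" &&
  grep -q "^[[:space:]]*security = ads\$" "$root/etc/samba/smb.conf" &&
  grep -q "^krb5_auth = yes\$" "$root/etc/security/pam_winbind.conf"
}

# True when the output of 'net ads testjoin' reports a valid join.
join_ok() {
  case "$1" in *"Join is OK"*) return 0 ;; *) return 1 ;; esac
}

# Run after the join, as root, with winbind running.
verify_join() {
  join_ok "$(net ads testjoin 2>&1)" && net ads info
}

if [ "${1:-}" = "apply" ]; then
  render_all "$ROOT"
  check_rendered "$ROOT"
  if [ "$ROOT" = "/" ]; then
    systemctl restart winbind
    verify_join
  fi
fi
```

Render into a staging tree first (ROOT=/tmp/stage ./render-ad.sh apply) and diff the result against the live files before applying, since the script overwrites /etc/resolv.conf, /etc/krb5.conf and /etc/samba/smb.conf outright.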