To support smart card redirection on RHEL 7.x desktops, integrate the base virtual machine (VM) with your Active Directory (AD) domain using the Samba and Winbind solutions.

Use the following procedure to integrate a RHEL 7.x VM with your AD domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

| Placeholder Value | Description |
| --- | --- |
| dns_IP_ADDRESS | IP address of your DNS name server |
| mydomain.com | DNS name of your AD domain |
| MYDOMAIN.COM | DNS name of your AD domain, in all capital letters |
| MYDOMAIN | DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters |
| ads-hostname | Host name of your AD server |

Procedure

  1. On the RHEL 7.x VM, install the required packages.
    yum install nscd samba-winbind krb5-workstation pam_krb5 samba-winbind-clients authconfig-gtk
  2. Edit the network settings for your system connection. Open the NetworkManager control panel and navigate to the IPv4 Settings for your system connection. For IPv4 Method, select Automatic (DHCP). In the DNS text box, enter the IP address of your DNS name server. Then click Apply.
  3. Run the following command and verify that it returns the Fully Qualified Domain Name (FQDN) of the RHEL 7.x VM.
    hostname -f
  4. Edit the /etc/resolv.conf configuration file, as shown in the following example.
    search mydomain.com
    nameserver dns_IP_ADDRESS
  5. Edit the /etc/krb5.conf configuration file, as shown in the following example.
    [libdefaults]
      dns_lookup_realm = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      default_realm = MYDOMAIN.COM
      default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
      MYDOMAIN.COM = {
        kdc = ads-hostname
        admin_server = ads-hostname
        default_domain = ads-hostname
      }

    [domain_realm]
      .mydomain.com = MYDOMAIN.COM
      mydomain.com = MYDOMAIN.COM
  6. Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
    [global]
      workgroup = MYDOMAIN
      password server = ads-hostname
      realm = MYDOMAIN.COM
      security = ads
      idmap config * : range = 16777216-33554431
      template homedir = /home/MYDOMAIN/%U
      template shell = /bin/bash
      kerberos method = secrets and keytab
      winbind use default domain = true
      winbind offline logon = false
      winbind refresh tickets = true
      passdb backend = tdbsam
  7. Open the authconfig-gtk tool and configure settings as follows.
    1. Select the Identity & Authentication tab. For User Account Database, select Winbind.
    2. Select the Advanced Options tab, and select the Create home directories on the first login check box.
    3. Select the Identity & Authentication tab and then click Join Domain. At the alert asking you to save changes, click Save.
    4. When prompted, enter the user name and password of the domain administrator, and click OK.
    The RHEL 7.x VM is joined to the AD domain.
  8. Set up ticket caching on PAM Winbind. Edit the /etc/security/pam_winbind.conf configuration file so that it includes the lines shown in the following example.
    [global]
    # a leading ';' or '#' comments a line out, so the settings below carry no prefix
    # authenticate using kerberos
    krb5_auth = yes
    # create home directory on the fly
    mkhomedir = yes
  9. Restart the Winbind service.
    sudo service winbind restart
  10. To verify the AD join, run the following commands and ensure that they return the correct output.
    net ads testjoin
    net ads info
  11. Restart the RHEL 7.x VM and log back in.
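
The script below is an added example, not part of the original procedure or of VMware's tooling: it cross-checks the files edited in steps 5, 6 and 8 so that a realm mismatch or a commented-out setting is caught before it surfaces as a failed logon. The function names `ini_get` and `check_ad_config` are hypothetical, and the parser assumes simple `key = value` lines, ignoring any line that starts with `#` or `;`.

```shell
#!/usr/bin/env bash
# Added example (not VMware's code): consistency checks for the files
# edited in steps 5, 6 and 8. Function names are hypothetical.

# Print the value of KEY from an ini-style FILE, skipping lines that are
# commented out with '#' or ';'. Key matching is case-insensitive.
ini_get() {  # usage: ini_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Return 0 only if the three files agree with each other.
check_ad_config() {  # usage: check_ad_config KRB5_CONF SMB_CONF PAM_WINBIND_CONF
    rc=0
    realm=$(ini_get "$1" default_realm)
    smb_realm=$(ini_get "$2" realm)
    if [ -z "$realm" ] || [ "$realm" != "$smb_realm" ]; then
        echo "FAIL: krb5.conf default_realm '$realm' != smb.conf realm '$smb_realm'"; rc=1
    fi
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "FAIL: realm '$realm' is not in all capital letters"; rc=1
    fi
    if [ "$(ini_get "$2" security)" != "ads" ]; then
        echo "FAIL: smb.conf does not set security = ads"; rc=1
    fi
    if [ "$(ini_get "$3" krb5_auth)" != "yes" ]; then
        echo "FAIL: pam_winbind.conf krb5_auth is missing or commented out"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: realm '$realm' is consistent"
    return "$rc"
}

# Run against the real files when three paths are given on the command line.
if [ "$#" -eq 3 ]; then check_ad_config "$@"; fi
```

Pass `/etc/krb5.conf`, `/etc/samba/smb.conf` and `/etc/security/pam_winbind.conf` as the three arguments; a non-zero exit status means at least one check failed.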

What to do next

Set Up Smart Card Redirection on a RHEL 7.x Virtual Machine