To support smart card redirection on SLED/SLES desktops, integrate the base virtual machine (VM) with an Active Directory (AD) domain using the Samba and Winbind solutions.

Use the following procedure to integrate a SLED/SLES VM with an AD domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
ads-hostname.mydomain.com Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com DNS name of your NTP time server
AdminUser User name of the VM administrator

Prerequisites

Verify that the SLED/SLES VM meets the system requirements described in Setting Up Smart Card Redirection.

Procedure

  1. Configure the network settings for the SLED/SLES VM.
    1. Define the host name of the VM by editing the /etc/hostname and /etc/hosts configuration files.
    2. Configure the DNS server IP address, and turn off Automatic DNS. For a SLES VM, also turn off Change Hostname via DHCP.
    3. To configure network time synchronization, add your NTP server information to the /etc/ntp.conf file, as shown in the following example.
      server mytimeserver.mycompany.com
  2. Install the required AD join packages.
    zypper in krb5-client samba-winbind
  3. Update the krb5 library, as shown in the following example.
    zypper up krb5
  4. Edit the required configuration files.
    1. Edit the /etc/samba/smb.conf file, as shown in the following example.
      [global]
              workgroup = MYDOMAIN
              usershare allow guests = NO
              idmap gid = 10000-20000
              idmap uid = 10000-20000
              kerberos method = secrets and keytab
              realm = MYDOMAIN.COM
              security = ADS
              template homedir = /home/%D/%U
              template shell = /bin/bash
              winbind use default domain=true
              winbind offline logon = yes
              winbind refresh tickets = yes
      [homes]
              ...
    2. Edit the /etc/krb5.conf file, as shown in the following example.
      [libdefaults]
              default_realm = MYDOMAIN.COM
              clockskew = 300 
      
      [realms]
              MYDOMAIN.COM = {
                      kdc = ads-hostname.mydomain.com
                      default_domain = mydomain.com 
                      admin_server = ads-hostname.mydomain.com
              }
      
      [logging]
              kdc = FILE:/var/log/krb5/krb5kdc.log
              admin_server = FILE:/var/log/krb5/kadmind.log
              default = SYSLOG:NOTICE:DAEMON
      
      [domain_realm]
              .mydomain.com = MYDOMAIN.COM
              mydomain.com = MYDOMAIN.COM
      
      [appdefaults]
              pam = {
                      ticket_lifetime = 1d
                      renew_lifetime = 1d
                      forwardable = true
                      proxiable = false
                      minimum_uid = 1
              }
    3. Edit the /etc/security/pam_winbind.conf file, as shown in the following example.
      cached_login = yes
      krb5_auth = yes
      krb5_ccache_type = FILE
    4. Edit the /etc/nsswitch.conf file, as shown in the following example.
      passwd: compat winbind
      group: compat winbind
  5. Join the AD domain, as shown in the following example.
    net ads join -U AdminUser
  6. Enable the Winbind service.
    1. To enable and start Winbind, run the following sequence of commands.
      pam-config --add --winbind
      pam-config -a --mkhomedir
      systemctl enable winbind
      systemctl start winbind
    2. To ensure that AD users can log in to desktops without having to restart the Linux server, run the following sequence of commands.
      systemctl stop nscd
      nscd -i passwd
      nscd -i group
      systemctl start nscd
  7. To confirm the success of the AD join, run the following commands and check that they return the correct output.
    wbinfo -u
    wbinfo -g

What to do next

Proceed to Set Up Smart Card Redirection on a SLED/SLES Virtual Machine.