Use the following procedure to integrate a RHEL 9.x/8.x virtual machine (VM) with an Active Directory (AD) domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
rhelsc.domain.com Fully qualified host name of your VM
rhelsc Unqualified host name of your VM
domain.com DNS name of your AD domain
DOMAIN.COM DNS name of your AD domain, in all capital letters
DOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
dnsserver.domain.com Host name of your AD server

Procedure

  1. On the RHEL VM, do the following.
    1. Configure network and DNS settings as required by your organization.
    2. Turn off IPv6.
    3. Turn off Automatic DNS.
  2. Configure the /etc/hosts configuration file, so that it resembles the following example.
    127.0.0.1        rhelsc.domain.com rhelsc localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1              localhost localhost.localdomain localhost6 localhost6.localdomain6
     
    dns_IP_ADDRESS   dnsserver.domain.com
  3. Configure the /etc/resolv.conf configuration file, so that it resembles the following example.
    # Generated by NetworkManager
    search domain.com
    nameserver dns_IP_ADDRESS
  4. Install the packages required for the AD integration.
    yum install -y samba-common-tools oddjob-mkhomedir
  5. Enable the oddjobd service.
    systemctl enable oddjobd.service
    systemctl start oddjobd.service
    
  6. Specify the system identity and authentication sources.
    authselect select sssd with-smartcard with-mkhomedir
    
    
  7. Start the oddjobd service.
    systemctl enable oddjobd.service
    systemctl start oddjobd.service
    
  8. To support smart card authentication, create the /etc/sssd/sssd.conf file.
    touch /etc/sssd/sssd.conf
    chmod 600 /etc/sssd/sssd.conf
    chown root:root /etc/sssd/sssd.conf
  9. Add the required content to /etc/sssd/sssd.conf, as shown in the following example. Under the [pam] section, specify pam_cert_auth = True.
    [sssd]
    config_file_version = 2
    domains = domain.com
    services = nss, pam, pac
     
    [domain/DOMAIN.COM]
    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad
    cache_credentials = true
     
    [pam]
    pam_cert_auth = True
  10. Enable the sssd service.
    systemctl enable sssd.service
    systemctl start sssd.service
  11. Edit the /etc/krb5.conf configuration file so that it resembles the following example.
    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    includedir /etc/krb5.conf.d/
     
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
     
    [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
        spake_preauth_groups = edwards25519
        default_realm = DOMAIN.COM
        default_ccache_name = KEYRING:persistent:%{uid}
     
    [realms]
     DOMAIN.COM = {
         kdc = dnsserver.domain.com
         admin_server = dnsserver.domain.com
         default_domain = dnsserver.domain.com
         pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
         pkinit_cert_match = <KU>digitalSignature
         pkinit_kdc_hostname = dnsserver.domain.com
     }
     
    [domain_realm]
     .domain.com = DOMAIN.COM
     domain.com = DOMAIN.COM
  12. Edit the /etc/samba/smb.conf configuration file so that it resembles the following example.
    [global]
            workgroup = DOMAIN
            security = ads
            passdb backend = tdbsam
            printing = cups
            printcap name = cups
            load printers = yes
            cups options = raw
            password server = dnsserver.domain.com
            realm = DOMAIN.COM
            idmap config * : range = 16777216-33554431
            template homedir =/home/DOMAIN/%U
            template shell = /bin/bash
            kerberos method = secrets and keytab
     
    [homes]
            comment = Home Directories
            valid users = %S, %D%w%S
            browseable = No
            read only = No
            inherit acls = Yes
     
    [printers]
            comment = All Printers
            path = /var/tmp
            printable = Yes
            create mask = 0600
            browseable = No
     
    [print$]
            comment = Printer Drivers
            path = /var/lib/samba/drivers
            write list = @printadmin root
            force group = @printadmin
            create mask = 0664
            directory mask = 0775
  13. Join the AD domain, as shown in the following example.
    net ads join -U AdminUser
    Running the join command returns output similar to the following example.
    Enter AdminUser's password:
    Using short domain name -- DOMAIN
    Joined 'rhelsc' to dns domain 'domain.com'
  14. Verify that the VM is successfully joined to the AD domain.
    net ads testjoin

    A successful AD join returns the following output.

    Join is OK

What to do next

Configure Smart Card Redirection on a RHEL 9.x/8.x Virtual Machine