Use the following procedure to integrate a RHEL 9.x/8.x virtual machine (VM) with an Active Directory (AD) domain for smart card redirection.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value |
Description |
dns_IP_ADDRESS |
IP address of your DNS name server |
rhelsc.domain.com |
Fully qualified host name of your VM |
rhelsc |
Unqualified host name of your VM |
domain.com |
DNS name of your AD domain |
DOMAIN.COM |
DNS name of your AD domain, in all capital letters |
DOMAIN |
DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters |
dnsserver.domain.com |
Host name of your AD server |
Procedure
- On the RHEL VM, do the following.
- Configure network and DNS settings as required by your organization.
- Turn off IPv6.
- Turn off Automatic DNS.
- Configure the /etc/hosts configuration file, so that it resembles the following example.
127.0.0.1 rhelsc.domain.com rhelsc localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
dns_IP_ADDRESS dnsserver.domain.com
- Configure the /etc/resolv.conf configuration file, so that it resembles the following example.
# Generated by NetworkManager
search domain.com
nameserver dns_IP_ADDRESS
- Install the packages required for the AD integration.
yum install -y samba-common-tools oddjob-mkhomedir
- Enable the oddjobd service.
systemctl enable oddjobd.service
systemctl start oddjobd.service
- Specify the system identity and authentication sources.
authselect select sssd with-smartcard with-mkhomedir
- Start the oddjobd service.
systemctl enable oddjobd.service
systemctl start oddjobd.service
- To support smart card authentication, create the /etc/sssd/sssd.conf file.
touch /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
chown root:root /etc/sssd/sssd.conf
- Add the required content to /etc/sssd/sssd.conf, as shown in the following example. Under the [pam] section, specify pam_cert_auth = True.
[sssd]
config_file_version = 2
domains = domain.com
services = nss, pam, pac
[domain/DOMAIN.COM]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
[pam]
pam_cert_auth = True
- Enable the sssd service.
systemctl enable sssd.service
systemctl start sssd.service
- Edit the /etc/krb5.conf configuration file so that it resembles the following example.
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = DOMAIN.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.COM = {
kdc = dnsserver.domain.com
admin_server = dnsserver.domain.com
default_domain = dnsserver.domain.com
pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
pkinit_cert_match = <KU>digitalSignature
pkinit_kdc_hostname = dnsserver.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
- Edit the /etc/samba/smb.conf configuration file so that it resembles the following example.
[global]
workgroup = DOMAIN
security = ads
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
password server = dnsserver.domain.com
realm = DOMAIN.COM
idmap config * : range = 16777216-33554431
template homedir =/home/DOMAIN/%U
template shell = /bin/bash
kerberos method = secrets and keytab
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
- Join the AD domain, as shown in the following example.
net ads join -U AdminUser
Running the
join command returns output similar to the following example.
Enter AdminUser's password:
Using short domain name -- DOMAIN
Joined 'rhelsc' to dns domain 'domain.com'
- Verify that the VM is successfully joined to the AD domain.
net ads testjoin
A successful AD join returns the following output.
Join is OK