To support smart card redirection on SLED/SLES desktops, integrate the base virtual machine (VM) with an Active Directory (AD) domain using the Samba and Winbind solutions.

Use the following procedure to integrate a SLED/SLES VM with an AD domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value            Description
dns_IP_ADDRESS               IP address of your DNS name server
mydomain.com                 DNS name of your AD domain
MYDOMAIN.COM                 DNS name of your AD domain, in all capital letters
MYDOMAIN                     DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname                 Host name of your AD server
ads-hostname.mydomain.com    Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com   DNS name of your NTP time server
AdminUser                    User name of the VM administrator

Prerequisites

Verify that the SLED/SLES VM meets the system requirements described in Setting Up Smart Card Redirection.

Procedure

  1. Configure the network settings for the SLED/SLES VM.
    1. Define the host name of the VM by editing the /etc/hostname and /etc/hosts configuration files.
    2. Configure the DNS server IP address, and turn off Automatic DNS. For a SLES VM, also turn off Change Hostname via DHCP.
    3. To configure network time synchronization, add your NTP server information to the /etc/ntp.conf file, as shown in the following example.
      server mytimeserver.mycompany.com
  2. Install the required AD join packages.
    zypper in krb5-client samba-winbind
  3. Update the krb5 library, as shown in the following example.
    zypper up krb5
  4. Edit the required configuration files.
    1. Edit the /etc/samba/smb.conf file, as shown in the following example.
      [global]
        workgroup = MYDOMAIN
        usershare allow guests = NO
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        kerberos method = secrets and keytab
        realm = MYDOMAIN.COM
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind use default domain = true
        winbind offline logon = yes
        winbind refresh tickets = yes
      [homes]
      ...
    2. Edit the /etc/krb5.conf file, as shown in the following example.
      [libdefaults]
        default_realm = MYDOMAIN.COM
        clockskew = 300
      [realms]
        MYDOMAIN.COM = {
          kdc = ads-hostname.mydomain.com
          default_domain = mydomain.com
          admin_server = ads-hostname.mydomain.com
        }
      [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
      [domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM
      [appdefaults]
        pam = {
          ticket_lifetime = 1d
          renew_lifetime = 1d
          forwardable = true
          proxiable = false
          minimum_uid = 1
        }
    3. Edit the /etc/security/pam_winbind.conf file, as shown in the following example.
      cached_login = yes
      krb5_auth = yes
      krb5_ccache_type = FILE
    4. Edit the /etc/nsswitch.conf file, as shown in the following example.
      passwd: compat winbind
      group:  compat winbind
  5. Join the AD domain, as shown in the following example.
    net ads join -U AdminUser
  6. Enable the Winbind service.
    1. To enable and start Winbind, run the following sequence of commands.
      pam-config --add --winbind
      pam-config -a --mkhomedir
      systemctl enable winbind
      systemctl start winbind
    2. To flush the name service cache so that AD users can log in to desktops without having to restart the Linux server, run the following sequence of commands.
      systemctl stop nscd
      nscd -i passwd
      nscd -i group
      systemctl start nscd
  7. To confirm that the AD join succeeded, run the following commands and check that they list the users and groups of the AD domain.
    wbinfo -u
    wbinfo -g
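The most common reason for the join in step 5 to fail is that the settings edited in step 4 do not agree with each other: the realm in smb.conf and default_realm in krb5.conf differ, a realm or workgroup is not in capital letters, or [domain_realm] does not map the domain back to the realm. The script below is an added example, not part of the original procedure and not a Samba or SUSE tool; it reads both files with a small INI parser and reports each inconsistency before you run net ads join. The file paths are the ones the procedure edits, and the sample configuration files it writes for a stand-alone run are constructed here from the page's placeholder values.

```sh
#!/bin/sh
# Added example (not from the original page): pre-join consistency check for
# the smb.conf and krb5.conf settings from step 4 of the procedure.

# get_ini_value FILE SECTION KEY: print the value of KEY inside [SECTION]
# (section and key names compared case-insensitively), or nothing if absent.
get_ini_value() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/ {                                # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_section = (tolower(s) == tolower(section)); next
        }
        in_section {
            eq = index($0, "=")
            if (eq == 0) next                        # "{" / "}" / blank lines
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_ad_config SMB_CONF KRB5_CONF: print every problem found; return 1 if any.
check_ad_config() {
    smb=$1; krb=$2; rc=0
    realm=$(get_ini_value "$smb" global realm)
    workgroup=$(get_ini_value "$smb" global workgroup)
    security=$(get_ini_value "$smb" global security)
    default_realm=$(get_ini_value "$krb" libdefaults default_realm)
    domain=$(lower "$realm")
    mapped=$(get_ini_value "$krb" domain_realm ".$domain")

    [ -n "$realm" ] || { echo "smb.conf: [global] realm is not set"; rc=1; }
    [ "$realm" = "$(upper "$realm")" ] \
        || { echo "smb.conf: realm '$realm' must be in capital letters"; rc=1; }
    [ -n "$workgroup" ] && [ "$workgroup" = "$(upper "$workgroup")" ] \
        || { echo "smb.conf: workgroup '$workgroup' must be set in capital letters"; rc=1; }
    [ "$(upper "$security")" = "ADS" ] \
        || { echo "smb.conf: security must be ADS for an AD join (found '$security')"; rc=1; }
    [ "$realm" = "$default_realm" ] \
        || { echo "realm '$realm' (smb.conf) does not match default_realm '$default_realm' (krb5.conf)"; rc=1; }
    [ "$mapped" = "$realm" ] \
        || { echo "krb5.conf: [domain_realm] does not map .$domain to $realm"; rc=1; }
    for k in "idmap uid" "idmap gid"; do           # ranges must look like LOW-HIGH
        range=$(get_ini_value "$smb" global "$k")
        case "$range" in
            [0-9]*-[0-9]*) ;;
            *) echo "smb.conf: '$k' must be a LOW-HIGH range (found '$range')"; rc=1 ;;
        esac
    done
    return $rc
}

# write_samples DIR: constructed sample files (placeholder values from the
# procedure) plus a deliberately broken krb5.conf with a lower-case realm.
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    security = ADS
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    kerberos method = secrets and keytab
[homes]
    comment = Home Directories
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = MYDOMAIN.COM
    clockskew = 300
[realms]
    MYDOMAIN.COM = {
        kdc = ads-hostname.mydomain.com
    }
[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
EOF
    sed 's/default_realm = MYDOMAIN.COM/default_realm = mydomain.com/' \
        "$1/krb5.conf" > "$1/krb5-bad.conf"
}

# Stand-alone run against the constructed samples. On the VM itself, call
# check_ad_config /etc/samba/smb.conf /etc/krb5.conf before "net ads join".
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
check_ad_config "$sample_dir/smb.conf" "$sample_dir/krb5.conf" && echo "good pair: OK"
check_ad_config "$sample_dir/smb.conf" "$sample_dir/krb5-bad.conf" || echo "bad pair: rejected as expected"
rm -rf "$sample_dir"
```

The parser is deliberately minimal: it treats the brace blocks inside krb5.conf [realms] as ordinary key lines and stops at the first match, which is enough for the global keys this check needs. Run it once before the join and again after any edit to either file.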

What to do next

Proceed to Set Up Smart Card Redirection on a SLED/SLES Virtual Machine.