To configure smart card redirection on an Ubuntu/Debian virtual machine (VM), install the libraries on which the feature depends and the root Certificate Authority (CA) certificate to support the trusted authentication of smart cards. In addition, you must edit some configuration files to complete the authentication setup.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
ads-hostname.mydomain.com Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com DNS name of your NTP time server
AdminUser User name of the VM administrator

Prerequisites

Integrate an Ubuntu/Debian Virtual Machine with Active Directory for Smart Card Redirection

Procedure

  1. Install the required libraries on the Ubuntu/Debian VM.
    apt-get install -y pcscd pcsc-tools pkg-config libpam-pkcs11 opensc libengine-pkcs11-openssl libnss3-tools
  2. Install a root CA certificate.
    1. Download a root CA certificate and save it to /tmp/certificate.cer on the Ubuntu VM. See How to Export Root Certification Authority Certificate.
    2. Locate the root CA certificate that you downloaded, and transfer it to a .pem file.
      openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
    3. Copy the root CA certificate to the /etc/pam_pkcs11/cacerts directory.
      cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
  3. Create a pkcs11 hash file.
    chmod a+r certificate.pem
    pkcs11_make_hash_link
  4. Configure the pam_pkcs11 library.
    1. Create a pam_pkcs11.conf file using default example content.
      • (Ubuntu 18.04/20.04, Debian 10.x) Run the following command sequence.
        mkdir /etc/pam_pkcs11
        zcat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz | tee /etc/pam_pkcs11/pam_pkcs11.conf
      • (Ubuntu 20.04.1 and later, Ubuntu 22.04, Debian 11.x) Run the following command sequence.
        mkdir /etc/pam_pkcs11
        cat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example | tee /etc/pam_pkcs11/pam_pkcs11.conf
    2. Edit the /etc/pam_pkcs11/pam_pkcs11.conf file as shown in the following example.
      use_pkcs11_module = opensc;                            
      ...
      pkcs11_module opensc {                                 
           module = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so;         
           description = "OpenSC PKCS#11 module";               
           slot_num = 0;                           
           ca_dir = /etc/pam_pkcs11/cacerts;
           crl_dir = /etc/pam_pkcs11/crls;       
           support_threads = false;
           cert_policy = ca,signature;
           token_type = "Smart card";                       
      }                                                    
      ...
      use_mappers = cn, null;                        
      ...
      mapper cn {
           debug = false;
           module = internal;
           ignorecase = true;
           mapfile = file:///etc/pam_pkcs11/cn_map; 
      }
    3. Edit the /etc/pam_pkcs11/cn_map file so that it includes the following line.
      Common name -> Login ID
  5. Edit the /etc/pam.d/gdm-password configuration file. Place the pam_pkcs11.so authorization line before the common-auth line, as shown in the following example.
    #%PAM-1.0
    auth    requisite       pam_nologin.so
    auth    required        pam_succeed_if.so user != root quiet_success
    auth sufficient pam_pkcs11.so                                                                               
    @include common-auth
    auth    optional        pam_gnome_keyring.so
    @include common-account
  6. To verify the smart card hardware and the certificates installed on the smart card, run the following commands.
    pcsc_scan
    pkcs11_listcerts
    pkcs11_inspect
  7. Install the Horizon Agent package, with smart card redirection enabled.
    sudo ./install_viewagent.sh -m yes
    Note: If you get an error message instructing you to install the default PC/SC Lite library, uninstall the custom PC/SC Lite library that is currently present on the machine and install the default PC/SC Lite library using the following command.
    apt-get install --reinstall pcscd libpcsclite1

    You can then run the Horizon Agent installer.

  8. If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file.
  9. Restart the Ubuntu VM and log back in.