To configure smart card redirection on a SLED/SLES virtual machine (VM), install the libraries on which the feature depends and the root Certificate Authority (CA) certificate to support the trusted authentication of smart cards. In addition, you must edit some configuration files to complete the authentication setup.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
ads-hostname.mydomain.com Fully qualified domain name (FQDN) of your AD server
mytimeserver.mycompany.com DNS name of your NTP time server
AdminUser User name of the VM administrator

Prerequisites

Complete the steps described in Integrate a SLED/SLES Virtual Machine with Active Directory for Smart Card Redirection.

Procedure

  1. Install the PAM library and other required packages.
    sudo zypper install pam_pkcs11 mozilla-nss mozilla-nss-tools pcsc-lite pcsc-ccid opensc pcsc-tools

    You might need to enable extensions like PackageHub to install all the preceding packages.

  2. Install a root CA certificate.
    1. Download a root CA certificate and save it to /tmp/certificate.cer on the system. See How to Export Root Certification Authority Certificate.
    2. Install trust anchors to the NSS database.
      sudo mkdir /etc/pam_pkcs11/nssdb
      sudo certutil -N -d /etc/pam_pkcs11/nssdb
      sudo certutil -L -d /etc/pam_pkcs11/nssdb
      sudo certutil -A -n rootca -i certificate.pem -t "CT,CT,CT" -d /etc/pam_pkcs11/nssdb
    3. Install the required drivers.
      sudo modutil -add "opensc lib" -libfile /usr/lib64/opensc-pkcs11.so -dbdir /etc/pam_pkcs11/nssdb/
  3. Edit the /etc/pam_pkcs11/pam_pkcs11.conf file as shown in the following example.
    use_pkcs11_module = opensc;
    ...
    pkcs11_module opensc {
         module = /usr/lib64/opensc-pkcs11.so;
         description = "OpenSC PKCS#11 module";
         slot_num = 0;
         nss_dir = /etc/pam_pkcs11/nssdb;
         crl_dir = /etc/pam_pkcs11/crls;
         support_threads = false;
         cert_policy = ca,signature;
         token_type = "Smart card";
    }
    ...
    use_mappers = cn, null;                         
    ...
    mapper cn {
         debug = false;
         module = internal;
         ignorecase = true;
         mapfile = file:///etc/pam_pkcs11/cn_map;         
    }
  4. Edit the /etc/pam_pkcs11/cn_map configuration file so that it includes the following line.
    ads-hostname -> ads-hostname
  5. Modify the PAM configuration.
    1. To make it possible to configure smart card authentication, first deactivate the pam_config tool.
      sudo find /etc/pam.d/ -type l -iname "common-*" -delete
      sudo for X in /etc/pam.d/common-*-pc; do cp -ivp $X ${X:0:-3}; done
    2. Create a file named common-auth-smartcard under the /etc/pam.d/ directory. Add the following content to the file.
      auth    required        pam_env.so
      auth    sufficient      pam_pkcs11.so
      auth    optional        pam_gnome_keyring.so
      auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
      auth    required        pam_winbind.so  use_first_pass
    3. Replace the line auth include common-auth with the line auth include common-auth-smartcard in both of these files: /etc/pam.d/gdm and /etc/pam.d/xscreensaver.
  6. To configure the pcscd service to start automatically after the VM restarts, edit the pcscd.service file.
    1. Add the line WantedBy=multi-user.target to /usr/lib/systemd/system/pcscd.service so that the file resembles the following example.
      [Unit]
      Description=PC/SC Smart Card Daemon
      Requires=pcscd.socket
      
      [Service]
      ExecStart=/usr/sbin/pcscd --foreground --auto-exit
      ExecReload=/usr/sbin/pcscd --hotplug
      
      [Install]
      Also=pcscd.socket
      WantedBy=multi-user.target
    2. After editing the pcscd.service file, run the following command.
      sudo systemctl enable pcscd
    Note: If the pcscd service does not start after the VM restarts, the first login through pam_pkcs11 fails.
  7. Turn off the firewall.
    sudo rcSuSEfirewall2 stop
    sudo chkconfig SuSEfirewall2_setup off
    sudo chkconfig SuSEfirewall2_init off
    Note: Smart card redirection sometimes fails when the firewall is enabled.
  8. To support the smart card single sign-on (SSO) feature, configure the /etc/vmware/viewagent-greeter.conf file. See Setting Options in Configuration Files on a Linux Desktop.
  9. Install the Horizon Agent package, with smart card redirection enabled.
    sudo ./install_viewagent.sh -m yes
    Note: If you get an error message instructing you to install the default PC/SC Lite library, uninstall the custom PC/SC Lite library that is currently present on the machine and install the default PC/SC Lite library using the following command.
    sudo zypper install -f -y pcsc-lite libpcsclite1

    You can then run the Horizon Agent installer.

  10. If you are using a custom PC/SC Lite library, configure the pcscd.maxReaderContext and pcscd.readBody options in the /etc/vmware/config file.
  11. Restart the VM and log back in.