Use the following procedure to integrate a RHEL or Rocky Linux 9.x/8.x virtual machine (VM) with an Active Directory (AD) domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
rhelsc.domain.com Fully qualified host name of your VM
rhelsc Unqualified host name of your VM
domain.com DNS name of your AD domain
DOMAIN.COM DNS name of your AD domain, in all capital letters
DOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
dnsserver.domain.com Host name of your AD server

Procedure

  1. On the VM, do the following.
    1. Configure network and DNS settings as required by your organization.
    2. Turn off IPv6.
    3. Turn off Automatic DNS.
  2. Configure the /etc/hosts configuration file, so that it resembles the following example. 
    127.0.0.1        rhelsc.domain.com rhelsc localhost localhost.localdomain localhost4 localhost4.localdomain4
::1              localhost localhost.localdomain localhost6 localhost6.localdomain6
 
dns_IP_ADDRESS   dnsserver.domain.com
  3. Configure the /etc/resolv.conf configuration file, so that it resembles the following example. 
    # Generated by NetworkManager
search domain.com
nameserver dns_IP_ADDRESS
  4. Install the packages required for the AD integration. 
    sudo yum install -y samba-common-tools oddjob-mkhomedir
  5. Specify the system identity and authentication sources. 
    sudo authselect select sssd with-smartcard with-mkhomedir
  6. Start the oddjobd service.
    • (RHEL or Rocky Linux 8.x) Run the following commands.
      sudo systemctl enable oddjobd.service
sudo systemctl start oddjobd.service
    • (RHEL or Rocky Linux 9.x) Run the following command.
      sudo systemctl enable --now oddjobd.service
  7. To support smart card authentication, create the /etc/sssd/sssd.conf file. 
    sudo touch /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
  8. Add the required content to /etc/sssd/sssd.conf, as shown in the following example. Under the [pam] section, specify pam_cert_auth = True. 
    [sssd]
config_file_version = 2
domains = domain.com
services = nss, pam, pac
 
[domain/DOMAIN.COM]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
 
[pam]
pam_cert_auth = True
  9. (RHEL or Rocky Linux 8.x) Enable the sssd service. 
    sudo systemctl enable sssd.service
sudo systemctl start sssd.service
  10. Edit the /etc/krb5.conf configuration file so that it resembles the following example. 
    # To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
 
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = DOMAIN.COM
    default_ccache_name = KEYRING:persistent:%{uid}
 
[realms]
 DOMAIN.COM = {
     kdc = dnsserver.domain.com
     admin_server = dnsserver.domain.com
     default_domain = dnsserver.domain.com
     pkinit_anchors = FILE:/etc/pki/nssdb/certificate.pem
     pkinit_cert_match = <KU>digitalSignature
     pkinit_kdc_hostname = dnsserver.domain.com
 }
 
[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM
  11. Edit the /etc/samba/smb.conf configuration file so that it resembles the following example. 
    [global]
        workgroup = DOMAIN
        security = ads
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        password server = dnsserver.domain.com
        realm = DOMAIN.COM
        idmap config * : range = 16777216-33554431
        template homedir =/home/DOMAIN/%U
        template shell = /bin/bash
        kerberos method = secrets and keytab
 
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
 
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
 
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775
  12. Join the AD domain, as shown in the following example. 
    sudo net ads join -U AdminUser
    Running the join command returns output similar to the following example. 
    Enter AdminUser's password:
Using short domain name -- DOMAIN
Joined 'rhelsc' to dns domain 'domain.com'
  13. Verify that the VM is successfully joined to the AD domain. 
    sudo net ads testjoin

    A successful AD join returns the following output.

    Join is OK

What to do next

Configure Smart Card Redirection on a RHEL or Rocky Linux 9.x/8.x Virtual Machine