Sample Procedures for Linux Smartcard Authentication Setup
This topic contains example procedures that illustrate how to configure Ubuntu and RHEL machines for smartcard authentication.
Ubuntu Machine Setup
Step I: Prepare the Machine
Info: This example assumes that the domain name is example.net.
- Log on to the test machine.
- Modify the hostname of the test machine to include the domain name:
  ```
  sudo hostnamectl set-hostname <machine-name.example.net>
  sudo reboot
  ```
- Verify that the hostname has been updated successfully:
  ```
  hostnamectl
  ```
- Install the required packages:
  ```
  sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
  ```
- Join the Active Directory domain. Replace SRV.WORLD with your domain name, and replace domain_join_user with a domain user that has the necessary permissions to join the domain:
  ```
  root@test:~# sudo realm join SRV.WORLD -U domain_join_user
  Password for domain_join_user: # AD password
  ```
- Verify that the AD user information is accessible:
  ```
  root@test:~# id Serverworld@srv.world
  uid=1259201103(serverworld@srv.world) gid=1259200513(domain users@srv.world) groups=1259200513(domain users@srv.world),1259200512(domain admins@srv.world),1259200572(denied rodc password replication group@srv.world)
  ```
- Open /etc/pam.d/common-session and add the following line at the end of the file to create a home directory on initial login:
  ```
  root@test:~# nano /etc/pam.d/common-session
  ```
  ```
  session optional pam_mkhomedir.so skel=/etc/skel umask=077
  ```
- Sign in to the console or an SSH session with the domain user account to verify that the domain join was successful.
Step II: Enable Smart Card Authentication
- Install the PKCS#11 driver for your smart card:
  - Identify the PKCS#11 driver that supports your smart card device.
  - Enter the following command to install the OpenSC PKCS#11 driver:
    ```
    sudo apt install opensc-pkcs11 -y
    ```
  Note: If your device requires a different PKCS#11 driver, install the appropriate package instead.
- Install PCSCD to enable the smart card reader:
  ```
  sudo apt install pcscd -y
  ```
- Extract the CA chain that signs the smart card user certificate, and include the CA certificates in the SSSD CA database:
  ```
  sudo mkdir -p /etc/sssd/pki -m 600
  sudo su
  cat test_ca_chain.pem >> /etc/sssd/pki/sssd_auth_ca_db.pem
  ```
- Set pam_cert_auth to True in the [pam] section of the /etc/sssd/sssd.conf file:
  ```
  [pam]
  pam_cert_auth = True
  ```
- Edit the /etc/sssd/sssd.conf file and add the following section. Replace <your_domain_name> with your actual domain name:
  ```
  [certmap/<your_domain_name>/upn]
  maprule = (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))
  ```
- Restart the SSSD service:
  ```
  sudo systemctl restart sssd
  ```
- Check that the SSSD service is running:
  ```
  systemctl status sssd
  ```
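A quick check that the [pam] and [certmap] edits above landed in the right sections of sssd.conf before SSSD is restarted. This is an added example, not code from the original page; it assumes only POSIX sh and awk, and the sample config it reads is constructed here.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that the two sssd.conf
# settings above are in the right sections before restarting SSSD. Assumes only
# POSIX sh and awk; the sample config at the bottom is constructed.

# Print the value of KEY in SECTION of an ini-style file, or nothing if absent.
# Only the first "=" separates key from value, so LDAP filters containing "=" survive.
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*\[/ { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line); insec = (line == s); next }
        insec && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# Return 0 when pam_cert_auth is enabled and the certmap rule for DOMAIN maps the
# certificate UPN (the page's maprule); otherwise print what is missing and return 1.
check_smartcard_conf() {
    conf="$1"; domain="$2"; rc=0
    [ "$(ini_get "$conf" pam pam_cert_auth)" = True ] \
        || { echo "[pam] pam_cert_auth is not True"; rc=1; }
    case "$(ini_get "$conf" "certmap/$domain/upn" maprule)" in
        *"userPrincipalName={subject_nt_principal}"*) ;;
        *) echo "[certmap/$domain/upn] maprule does not map userPrincipalName"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample mirroring the edits above; the real file is /etc/sssd/sssd.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[pam]
pam_cert_auth = True
[certmap/example.net/upn]
maprule = (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))
EOF
check_smartcard_conf "$sample" example.net && echo "smart card settings present"
rm -f "$sample"
```

Run it against /etc/sssd/sssd.conf with `check_smartcard_conf /etc/sssd/sssd.conf <your_domain_name>` after editing the file; a non-zero exit names the missing setting.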
Rocky Linux 8/9 Machine Setup
Step I: Prepare Your Machine
Info: This example assumes that the domain name is example.net.
- Log on to the test machine.
- Run the following commands to modify the hostname of the test machine to include the domain name:
  ```
  sudo hostnamectl set-hostname <machine-name.example.net>
  sudo reboot
  ```
- Run the following command to verify that the hostname has been updated successfully:
  ```
  hostnamectl
  ```
- Install the required packages for domain joining, then discover and join the domain:
  ```
  sudo yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation -y
  realm discover example.net
  sudo realm join example.net -U <domain admin that has permission to join domain>
  ```
- Run the following command to verify that the domain join was successful:
  ```
  getent passwd <domain user name>
  ```
- Verify that the domain user can access the machine:
  ```
  ssh domain_user@example.net@machine_ip_address
  ```
  Note: If the ssh session fails, check the system log for errors.
Step II: Enable Smart Card Authentication
- Run the following commands to fix the "failed to verify CMS" error. For more information, refer to Red Hat Bugzilla - Bug 2060798. This command only works on RHEL/Rocky Linux 9:
  ```
  sudo update-crypto-policies --set DEFAULT:SHA1
  sudo reboot
  ```
  This command works on both RHEL/Rocky Linux 8 and 9:
  ```
  sudo dnf install opensc gnutls-utils krb5-pkinit -y
  ```
- Add the following to the [libdefaults] section of the /etc/krb5.conf file. For more information, refer to the MIT Kerberos documentation:
  ```
  [libdefaults]
  pkinit_kdc_hostname = example.net
  ```
- Add or modify the following configuration in the /etc/sssd/sssd.conf file. Adjust this setting if the DoD CAC card does not work in the test environment:
  ```
  [domain/example.net]
  krb5_auth_timeout = 30
  ```
- Get the CA chain that signs the smart card user certificate. Ensure that the CA chain is in pem format.
- Assume the smart card user certificate is signed by Ca-Auth-root-CERT.pem and Ca-Auth-leaf-CERT.pem.
- Include the CA certificates in the SSSD CA database (create /etc/sssd/pki if it does not exist):
  ```
  sudo mkdir -p /etc/sssd/pki -m 600
  sudo su
  cat Ca-Auth-root-CERT.pem Ca-Auth-leaf-CERT.pem >> /etc/sssd/pki/sssd_auth_ca_db.pem
  ```
- Add the CA chain to the system's trust anchors:
  ```
  sudo trust anchor /etc/sssd/pki/sssd_auth_ca_db.pem
  ```
- Restart SSSD to apply the changes:
  ```
  sudo systemctl restart sssd
  ```
- Allow both smart card and password authentication with the following command:
  ```
  sudo authselect select sssd with-smartcard --force
  ```
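The steps above (and the equivalent Ubuntu step) append the CA chain to /etc/sssd/pki/sssd_auth_ca_db.pem with `>>`, so running the procedure twice leaves duplicate CA entries. The helper below is an added example, not code from the original page: it appends each certificate block only if an identical block is not already in the database. It assumes POSIX sh, awk, grep and sha256sum, and the PEM blocks it demonstrates on are constructed stand-ins, not real certificates.

```shell
# Added example, not from the original page: append the CA chain to the SSSD CA
# database without leaving duplicate entries when the step is re-run. Assumes only
# POSIX sh, awk, grep and sha256sum; the PEM blocks below are constructed stand-ins.
# Number of certificate blocks in a PEM file (0 for an empty file).
pem_block_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Print the n-th certificate block (1-based) of a PEM file.
pem_block() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ }
                   c == n { print }
                   /-----END CERTIFICATE-----/ { if (c == n) exit }' "$1"
}

# SHA-256 of every block in a PEM file, one per line (the "already present" set).
pem_block_hashes() {
    n=$(pem_block_count "$1"); i=1
    while [ "$i" -le "$n" ]; do
        pem_block "$1" "$i" | sha256sum | cut -d' ' -f1
        i=$((i + 1))
    done
}

# Append each certificate from the given PEM files to DB unless an identical
# block is already there. Prints how many certificates were added.
sssd_ca_db_add() {
    db="$1"; shift
    mkdir -p "$(dirname "$db")"   # the page creates /etc/sssd/pki with -m 600
    touch "$db"
    added=0
    for f in "$@"; do
        n=$(pem_block_count "$f"); i=1
        while [ "$i" -le "$n" ]; do
            h=$(pem_block "$f" "$i" | sha256sum | cut -d' ' -f1)
            if ! pem_block_hashes "$db" | grep -qx "$h"; then
                pem_block "$f" "$i" >> "$db"
                added=$((added + 1))
            fi
            i=$((i + 1))
        done
    done
    echo "$added"
}

# Demonstration on constructed files; on a real host the arguments would be
# /etc/sssd/pki/sssd_auth_ca_db.pem Ca-Auth-root-CERT.pem Ca-Auth-leaf-CERT.pem
d=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-ROOT-CA\n-----END CERTIFICATE-----\n' > "$d/root.pem"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-LEAF-CA\n-----END CERTIFICATE-----\n' > "$d/leaf.pem"
sssd_ca_db_add "$d/pki/db.pem" "$d/root.pem" "$d/leaf.pem"   # prints 2
sssd_ca_db_add "$d/pki/db.pem" "$d/root.pem" "$d/leaf.pem"   # prints 0, nothing duplicated
rm -rf "$d"
```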