
KB-3415: How to enable Smart Card logon support on RedHat environments

Centrify DirectControl

12 April,16 at 11:14 AM

Applies to: Centrify DirectControl on Red Hat Enterprise Linux platforms

 

Question:

How does one enable Smart Card logon support on Red Hat environments?

 

Answer:

On the RHEL server, run the following command as root or with sudo to check the status of smart card support:

    [root]# sctool -s

 

 

The screenshot below shows what happens if any of the required packages are missing.

All of the relevant Red Hat smart card packages must be installed.

To enable smart card support:

 

Note: Smart card authentication requires configuration changes to certain Red Hat Linux files, including:

  1. /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver
    (Red Hat 5.6)

  2. /etc/pam.d/password-auth, /etc/pam.d/smartcard-auth, and /etc/pam.d/gnome-screensaver
    (Red Hat 6.0)

  3. Coolkey sym-links such as /usr/lib(64)/libckyapplet.so.1.0.0 and /usr/lib(64)/pkcs11/libcoolkeypk11.so

Once smart card authentication is enabled, DirectControl makes the required changes and creates backup copies of the modified files.

 

If Red Hat Linux 6.0 is being used in the environment, additional support packages need to be installed before enabling smart card support:

 

To install required packages on Red Hat Linux 6.0

 

  1. Log on to a Red Hat computer with root privilege and open a terminal window.

  2. Run the following command:

    [root]# yum groupinstall "Smart card support"

  3. Use either of the following methods to enable smart card authentication:
    • Option A: Use the "Enable smart card support" group policy, which enables smart card support on all computers to which the Group Policy object applies.
      Note that configuration changes do not take place until the next group
      policy update or until adgpupdate is run on the Linux computers.

    • Option B: Run sctool --enable on each computer that requires smart card support.

 

=== Option A: To enable smart card support by using group policy

 

  1. Edit an existing GPO or create a new one for the Red Hat Linux computers, then open the policy at:

    Computer Configuration / Centrify Settings / Linux Settings / Security / "Enable smart card support"

     
  2. Select Enabled, then click OK.

  3. This group policy modifies /etc/pam.d/system-auth on Red Hat Enterprise Linux 5.6, and /etc/pam.d/smartcard-auth and /etc/pam.d/gnome-screensaver on Red Hat Enterprise Linux 6.0, so that the system looks up a smart card user’s credentials in Active Directory and verifies the identity of the user with the smart card certificate.
     
  4. To apply the group policy immediately to any computer, either restart the computer or run adgpupdate.
    Otherwise, all GP-enabled computers will be updated automatically at the next group policy update interval.
    After computers are restarted or receive the policy update, they are ready for smart card use.

 

 

 

=== Option B: To enable smart card support by running sctool

 

  1. Log on to a Red Hat computer with root privilege and open a terminal window.
     
  2. Run the sctool utility with the --enable option:

    [root]$ sctool --enable

     
  3. Repeat steps 1 and 2 for each computer on which to enable smart card authentication. 
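
Because either option rewrites PAM files, it is useful to record their state before enabling smart card support and to confirm afterwards which files changed. The script below is an added example, not part of the Centrify article or of DirectControl; the function names and the ROOT prefix argument are assumptions made for illustration, and the file lists are taken from the paths named in this article.

```shell
#!/bin/sh
# Added example (not Centrify code): snapshot the PAM files this article says
# are modified, then list the ones that differ after "sctool --enable" or a
# group policy update. ROOT is a path prefix (assumption) so the functions can
# be exercised against a copy of /etc; pass "" on a live host.

# Print the PAM files the article names for a RHEL major release (5 or 6).
sc_pam_files() {
    case "$1" in
        5) printf '%s\n' /etc/pam.d/gdm /etc/pam.d/gnome-screensaver \
                         /etc/pam.d/system-auth ;;
        6) printf '%s\n' /etc/pam.d/password-auth /etc/pam.d/smartcard-auth \
                         /etc/pam.d/gnome-screensaver ;;
        *) echo "unsupported release: $1" >&2; return 2 ;;
    esac
}

# sc_snapshot ROOT RELEASE
# Emit "sha256  path" per file; a file that does not exist is recorded as MISSING.
sc_snapshot() {
    files=$(sc_pam_files "$2") || return 2
    for f in $files; do
        if [ -f "$1$f" ]; then
            h=$(sha256sum "$1$f" | cut -d' ' -f1)
        else
            h=MISSING
        fi
        printf '%s  %s\n' "$h" "$f"
    done
}

# sc_changed ROOT RELEASE SNAPSHOT_FILE
# Print every path whose current hash (or presence) differs from the snapshot.
sc_changed() {
    sc_snapshot "$1" "$2" | while read -r now path; do
        before=$(awk -v p="$path" '$2 == p { print $1 }' "$3")
        [ "$now" = "$before" ] || printf '%s\n' "$path"
    done
}
```

Save the output of `sc_snapshot "" 6` to a file before enabling, then run `sc_changed "" 6` against that file afterwards and compare each reported path with the backup copy DirectControl created.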
