[CALUG] RDP

Bryan J. Smith b.j.smith at ieee.org
Sun Jun 28 22:07:40 EDT 2009


From: Jason C. Miller <jason.c.miller at gmail.com>

> Does anyone here have any experience using smart cards
> over MS RDP with linux?

To what back-end?  I assume Active Directory Services (ADS)?

The problems are in the protocols, IPC (inter-process communication)
and other details.  E.g., most of the time the client _must_ already
be trusted by Active Directory.

That means your Linux computer must be in the Active Directory Domain,
or in a Kerberos realm with an Active Directory External Trust, etc...
I.e., ADS tokens ~ Kerberos tickets, trusts setup between the two.
Some of this is covered on MS Tech Net, although they do leave out a
crapload of details -- especially on the SmartCard.

This isn't just something you do overnight, let alone you _must_ have
the support of your ADS administrators, because of the "trusts" involved.
Either that or you have to purposely poison tickets/tokens at your
keytabs and other things, which is likely an utter violation of security
policy.  ;)

I find having more Microsoft credentials and 15+ years of NT experience
(since 3.1) isn't enough to break through the typical attitudes of ADS
administrators, who don't understand the first thing about how ADS works.
"Oh, we don't support Linux" and "Oh, just make Linux work" [without a
trust, which wouldn't work for any OS or Kerberos principal either]

Or have you been delegated the rights to do this?  E.g., they setup a
domain in their forest explicitly for Linux clients and/or interfacing
with a Kerberos realm (or possibly interchange with Red Hat Directory
Server / Port386.org)?


-- 
Bryan J Smith          Professional, Technical Annoyance
b.j.smith at ieee.org    http://www.linkedin.com/in/bjsmith
--------------------------------------------------------
I don't have a "favorite Linux distro."  I use, develop
and support community efforts, often built around Linux.
Technology and solutions are my focus, not dragging in
assumptions, marketing and other concepts which dominate
non-community developed software, which I left long ago.
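As an added illustration of the "Kerberos realm with an Active Directory external trust" arrangement Bryan describes above (constructed example configuration, not anything posted on the list): a krb5.conf for a Linux client joined to an MIT/Heimdal realm that has a direct cross-realm trust with an AD domain. The realm names, hostnames, domain suffixes and enctype choices are all assumptions. It covers only the trust/ticket side of the problem, not the smart-card pieces the post says TechNet leaves out.

```ini
# /etc/krb5.conf on the Linux client (constructed example; realm names,
# hostnames and domains are placeholders, not taken from the original post)
[libdefaults]
    default_realm = LINUX.EXAMPLE.ORG
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # AD-compatible enctypes; add rc4-hmac only if the domain still needs it
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    # The MIT/Heimdal realm the Linux box is actually a member of
    LINUX.EXAMPLE.ORG = {
        kdc          = kdc1.linux.example.org
        admin_server = kdc1.linux.example.org
    }
    # The Active Directory domain, addressed as a Kerberos realm.
    # With dns_lookup_kdc = true the _kerberos._tcp SRV records that AD
    # publishes are used; the static kdc line is a fallback.
    AD.EXAMPLE.COM = {
        kdc          = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    .linux.example.org = LINUX.EXAMPLE.ORG
    linux.example.org  = LINUX.EXAMPLE.ORG
    .ad.example.com    = AD.EXAMPLE.COM
    ad.example.com     = AD.EXAMPLE.COM

[capaths]
    # Direct (one-hop) cross-realm path in each direction ("." = no
    # intermediate realm). This only works once the trust exists on both
    # ends: krbtgt/AD.EXAMPLE.COM@LINUX.EXAMPLE.ORG in the MIT KDC, and the
    # matching trust created by the AD administrators, with the same
    # shared key. The client config cannot substitute for that.
    LINUX.EXAMPLE.ORG = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        LINUX.EXAMPLE.ORG = .
    }
```

To check that the trust is actually in place, `kinit user@LINUX.EXAMPLE.ORG` followed by `kvno host/dc1.ad.example.com@AD.EXAMPLE.COM` should succeed, and `klist` should then show a cross-realm ticket for krbtgt/AD.EXAMPLE.COM@LINUX.EXAMPLE.ORG alongside the service ticket. If kvno fails with a "server not found" or "cannot find KDC for realm" error, the problem is the trust or DNS, not the client.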