[CALUG] RDP
Jason C. Miller
jason.c.miller at gmail.com
Sun Jun 28 22:52:54 EDT 2009
Actually....no. It's much simpler than that. :)
The issue that I was having was getting rdesktop to work with my vista box.
I have a smartcard reader connected to my linux machine and I wanted to be
able to use it on the remote vista box as if it was native to that box.
Of course, if you download the latest version of rdesktop, it is supported
natively (by supplying the "scard" argument). However, it simply wasn't
working on my linux machine.
My solution wasn't very eloquent, but I refuse to devote too much more time
to it than I have to until I actually have the time. Basically, what it
came down to is that there were a couple of functions in the rdesktop scard
module that were responsible for translating values between types. For
whatever reason, the value that was always returned was always off. The
logic in the code always returned (CORRECT_VALUE | 0x0001000) for whatever
reason. So, in my rush for a workable solution, I modded the code locally,
recompiled, and bam....I now have something that works ~85% of the time.
Remember...I SAID it wasn't eloquent. :)
I think that the escd daemon doesn't like my mod very much. It's workable
for now, though. If you have any better solutions, please let me know! :)
~j
On Sun, Jun 28, 2009 at 10:07 PM, Bryan J. Smith <b.j.smith at ieee.org> wrote:
>
> From: Jason C. Miller <jason.c.miller at gmail.com>
>
> > Does anyone here have any experience using smart cards
> > over MS RDP with linux?
>
> To what back-end? I assume Active Directory Services (ADS)?
>
> The problems are in the protocols, IPC (inter process communication)
> and other details. E.g., most of the time the client _must_ already
> be trusted by Active Directory.
>
> That means your Linux computer must be in the Active Directory Domain,
> or in a Kerberos realm with an Active Directory External Trust, etc...
> I.e., ADS tokens ~ Kerberos tickets, trusts setup between the two.
> Some of this is covered on MS Tech Net, although they do leave out a
> crapload of details -- especially on the SmartCard.
>
> This isn't just something you do overnight, let alone you _must_ have
> the support of your ADS administrators, because of the "trusts" involved.
> Either that or you have to purposely poison tickets/tokens at your
> keytabs and other things, which is likely an utter violation of security
> policy. ;)
>
> I find having more Microsoft credentials and 15+ years of NT experience
> (since 3.1) isn't enough to break through the typical attitudes of ADS
> administrators, who don't understand the first thing about how ADS works.
> "Oh, we don't support Linux" and "Oh, just make Linux work" [without a
> trust, which wouldn't work for any OS or Kerberos principal either]
>
> Or have you been delegated the rights to do this? E.g., they setup a
> domain in their forest explicitly for Linux clients and/or interfacing
> with a Kerberos realm (or possibly interchange with Red Hat Directory
> Server / Port386.org)?
>
>
> --
> Bryan J Smith Professional, Technical Annoyance
> b.j.smith at ieee.org http://www.linkedin.com/in/bjsmith
> --------------------------------------------------------
> I don't have a "favorite Linux distro." I use, develop
> and support community efforts, often built around Linux.
> Technology and solutions are my focus, not dragging in
> assumptions, marketing and other concepts which dominate
> non-community developed software, which I left long ago.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.unknownlamer.org/pipermail/calug/attachments/20090628/8740dcea/attachment.htm
More information about the CALUG
mailing list