Linux VDA 1.1 Configuration in Redhat Enterprise Linux 7.1 and 7.2 (with Kerberos Cache Method as KEYRING)

Article ID: CTX205874

Description

Follow the product documentation at the link below for Redhat Enterprise Linux. For versions 7.1 and 7.2, however, some steps may need slight changes, especially when editing the configuration files.
http://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/xenapp-xendesktop-7-6/downloads/Linux%20Virtual%20Desktop%20Installation%20Guide%20for%20Redhat%20Enterprise%20Linux.pdf.
 
1. In the /etc/hostname file, enter the hostname with the correct case (the name is case sensitive). Once this is done, run the hostname and hostname -f commands and confirm that they return the correct NetBIOS name and FQDN of the server respectively.
  1. On the DNS server, create a Host (A) record for the system with the name in the correct case, then test it with nslookup and ping.
  2. In /etc/samba/smb.conf, locate the Authconfig section. By default it contains "kerberos method = secrets only".
  3. At the end of the Authconfig section in smb.conf, add the lines below (the later "kerberos method" entry overrides the default one above it):
    1. kerberos method = secrets and keytab
    2. winbind refresh tickets = true
  4. In /etc/krb5.conf, under the "rdns = false" line in the "[libdefaults]" section, add the following line:
    "dns_lookup_kdc = true"

  5. In krb5.conf, add the following lines to the "[domain_realm]" section, replacing the placeholders with the DNS domain name in lowercase on the left and the Kerberos realm (the same name in uppercase) on the right. The second line, with the leading dot, maps all subdomains as well.

    1. domain-dns-name = DOMAIN-DNS-NAME

    2. .domain-dns-name = DOMAIN-DNS-NAME

  6. In krb5.conf, make sure that "default_ccache_name = KEYRING:persistent:%{uid}" is set. On RHEL 7.1 and 7.2 we have noticed that if the cache type is set to FILE, the credential cache is not generated, and even when it is generated, the VDA fails to register.

  7. Also in krb5.conf, make sure that the kdc entries point to the correct Domain Controller addresses.

  8. In /etc/security/pam_winbind.conf, make sure that "krb5_auth = yes" and "mkhomedir = yes" are set.

  9. In pam_winbind.conf, if "krb5_ccache_type = FILE" is present, leave it as it is; it has no effect because the cache type in use is KEYRING.

  10. Once these are done, join the system to the domain. Some of the following steps differ from the product documentation, which only edits the config files and joins the domain from the command line. For ease of use, install the "authconfig-gtk" package, which provides the Authentication Configuration GUI tool.

  11. Install it with the command "yum install authconfig-gtk". After the installation completes, open the Activities overview and search for Authentication to launch the Authentication tool. Select Winbind and enter the parameters exactly as in the screenshot below.

  12. Before clicking "Join domain", open Active Directory Users and Computers on the Domain Controller and pre-stage a computer account with the name in the correct case.

  13. Click the "Join domain" button, enter the domain administrative credentials correctly and click OK. Wait until the join completes without errors, then click Apply to exit the tool.

  14. Reboot the system before attempting to log in as a user.

  15. Once the system is up, log in with a domain user account to test. If the home directory cannot be created, the login fails and that aspect needs to be troubleshot first.

  16. Once the domain join is done, test the join and Kerberos (krb5) authentication with the following commands as root:

    1. kinit -k

    2. klist -ket

    3. net ads info

    4. net ads status

    5. net ads testjoin

  17. Sometimes these commands fail because the local root account is not a domain user. In that case, create a domain user named "root" and add it to the Domain Admins group. Do not log in as DOMAIN\root; keep using the local root account. The commands above will now return results.

  18. The "net ads keytab" commands can also be used to list and flush the keytab contents. Do not run them unless there is a specific need, as they can break the system's domain membership and may even delete the SPN of the VDA's computer account in AD.

  19. Once the above steps are complete, download the correct installer for the VDA agent 1.1 and install it as described in the documentation.

  20. Once it is installed, run the script /usr/local/sbin/ctxsetup.sh with the correct parameters and reboot the system.

  21. After the system boots, check the status of the winbind, ctxhdx and ctxvda services with the following commands:
    a. /sbin/service ctxhdx status -l
    b. /sbin/service ctxvda status -l
    c. /sbin/service winbind status -l

  22. If the service status shows any issues or errors, troubleshoot those first. For example, if SELinux is in enforcing mode, winbind may report errors in its status; in that case change the SELinux configuration to allow it, or disable SELinux (Note: take care when changing SELinux settings).
  23. Once these are done, create a Machine Catalog in XenDesktop Studio as Server OS and not power managed. Specify the VDA agent version as 7.6 and add the computer account.
  24. Once the machine is added to the Machine Catalog, verify in Studio that the VDA shows as registered. If it is unregistered, check /var/log/xdl/vda.log for any Java or AD issues and troubleshoot from there.
[Screenshot of the Authentication Configuration tool settings; image not included]
Note: With the above configuration, each user who logs in to the VDA is prompted for a keyring password. At each user's first login, provide a blank password so that the user's keyring is unlocked automatically at every subsequent logon without a prompt.
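An added check script (not part of the Citrix article) that verifies the settings required in steps 2 to 9 before the domain join; it reads the last occurrence of each key, since later entries override earlier ones in smb.conf and krb5.conf. The sample files and the helper names (conf_value, expect, check_vda_prereqs) are constructed for this example:

```shell
#!/bin/sh
# Added example, not from the Citrix article: verifies the krb5.conf, smb.conf and
# pam_winbind.conf settings required above. It reads the LAST occurrence of a key,
# because later lines win in smb.conf and krb5.conf (so the appended
# "kerberos method" overrides the Authconfig default of "secrets only").
conf_value() {  # conf_value FILE KEY -> lowercased value of KEY's last occurrence
  awk -v key="$2" '
    { line = $0; sub(/[#;].*/, "", line); i = index(line, "=") }
    i > 0 { k = tolower(substr(line, 1, i - 1)); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = tolower(substr(line, i + 1))
                            gsub(/^[ \t]+|[ \t]+$/, "", v); last = v } }
    END { print last }' "$1"
}
expect() {  # expect FILE KEY WANT -> 0 if the value matches, else report and return 1
  got=$(conf_value "$1" "$2")
  [ "$got" = "$3" ] && return 0
  echo "MISMATCH $1: $2 = '${got:-<unset>}' (expected '$3')"; return 1
}
check_vda_prereqs() {  # check_vda_prereqs KRB5_CONF SMB_CONF PAM_WINBIND_CONF
  expect "$1" default_ccache_name 'keyring:persistent:%{uid}' &&
  expect "$1" dns_lookup_kdc true && expect "$1" rdns false &&
  expect "$2" 'kerberos method' 'secrets and keytab' &&
  expect "$2" 'winbind refresh tickets' true &&
  expect "$3" krb5_auth yes && expect "$3" mkhomedir yes
}
# Constructed sample files (minimal stand-ins for the real /etc files).
d=$(mktemp -d)
cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
 rdns = false
 dns_lookup_kdc = true
 default_ccache_name = KEYRING:persistent:%{uid}
EOF
cat > "$d/smb.conf" <<'EOF'
[global]
 kerberos method = secrets only   ; Authconfig default, overridden below
 kerberos method = secrets and keytab
 winbind refresh tickets = true
EOF
cat > "$d/pam_winbind.conf" <<'EOF'
[global]
krb5_auth = yes
krb5_ccache_type = FILE
mkhomedir = yes
EOF
# The FILE cache type is the misconfiguration step 6 warns about on RHEL 7.1/7.2.
sed 's|KEYRING:persistent:%{uid}|FILE:/tmp/krb5cc_%{uid}|' "$d/krb5.conf" > "$d/krb5-bad.conf"
check_vda_prereqs "$d/krb5.conf" "$d/smb.conf" "$d/pam_winbind.conf" && echo "OK: sample config passes"
check_vda_prereqs "$d/krb5-bad.conf" "$d/smb.conf" "$d/pam_winbind.conf" || echo "FILE cache correctly rejected"
```

Point the three arguments at the real /etc/krb5.conf, /etc/samba/smb.conf and /etc/security/pam_winbind.conf to check a live system.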