Chapter 20. Authentication and Interoperability

Do not use SELinux in enforcing mode when sharing the root directory

Samba requires a shared directory to be labeled samba_share_t when SELinux is in enforcing mode. However, when sharing the whole root directory of the system by using the path = / configuration in the /etc/samba/smb.conf file, labeling the root directory as samba_share_t causes critical system malfunctions.
Red Hat strongly discourages users from labeling the root directory with the samba_share_t label. Therefore, do not use SELinux in enforcing mode when sharing the root directory using Samba. (BZ#1320172)

SSSD does not support the LDAP externalUser attribute

The System Security Services Daemon (SSSD) service is missing support for the externalUser LDAP attribute of the Identity Management (IdM) schema. In consequence, the assignment of sudo rules to local accounts, such as by using the /etc/passwd file, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains.
To work around this problem, set the LDAP sudo search base as follows in the [domain] section of the /etc/sssd/sssd.conf file:
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
This enables SSSD to resolve users defined in externalUser. (BZ#1321884)

SSSD incorrectly creates local overrides in an AD environment

The sss_override tool creates case-insensitive distinguished names (DN) when the id_provider option is set to ad in the /etc/sssd/sssd.conf file. However, the DNs in the SSSD cache are stored case-sensitive. As a consequence, local overrides are not created for users from the Active Directory (AD) subdomain or for users with mixed-case account names. (BZ#1327272)

sssd_be does not terminate forked child processes

When the id_provider option is set to ad in the /etc/sssd/sssd.conf file, a helper process inside sssd_be processes sometimes fails. In consequence, the process is spawning new sssd_be instances, which consume additional memory. To work around this problem, install the adcli package and restart the sssd daemon. (BZ#1336453)

SSSD fails to manage sudo rules from the IdM LDAP tree

The System Security Services Daemon (SSSD) currently uses the IdM LDAP tree by default. As a consequence, it is not possible to assign sudo rules to non-POSIX groups. To work around this problem, modify the /etc/sssd/sssd.conf file to set your domain to use the compat tree again:
[domain/EXAMPLE]
...
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
As a result, SSSD will load sudo rules from the compat tree and you will be able to assign rules to non-POSIX groups.
Note that Red Hat recommends to configure groups referenced in sudo rules as POSIX groups.

The HP keyboard KUS1206 does not handle smart cards correctly and can become unresponsive

When using the HP keyboard KUS1206 with a built-in smart card reader, you might experience the following problems:
  • The keyboard detects smart cards inconsistently.
  • When the user logs in to the system with a password and the smart card is not inserted, the following message appears continuously in the /var/log/messages file:
    pcscd: commands.c:957:CmdGetSlotStatus Card absent or mute
  • The keyboard sometimes becomes unresponsive.