Chapter 4. Authentication and Interoperability

The ca.subsystem.certreq parameter is no longer reported missing

Previously, Identity Management (IdM) expected the ca.subsystem.certreq parameter to be defined in the CS.cfg public key infrastructure (PKI) configuration file. When starting the IdM server, an error occurred if ca.subsystem.certreq was missing. The error was not necessary because neither PKI nor IdM services use the parameter. To fix this problem, PKI code has been updated to ensure the parameter is only retrieved if it exists. (BZ#1313207)

The ipa-server-install utility no longer terminates unexpectedly due to unexpected comment lines in CS.cfg

An attempt to install an Identity Management server previously sometimes failed due to a problem with the pki-common package. The failure occurred because the CS.cfg certificate authority (CA) configuration file being parsed contained unexpected comment lines before the configuration entries. This problem has been fixed by making the parsing code ignore comment and blank lines. (BZ#1306989)
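The two CS.cfg fixes above (BZ#1313207 and BZ#1306989) amount to a more tolerant key=value parser plus an optional lookup. The following is an added example, not code from pki-core or IdM; the CS.cfg fragment is constructed and the parameter values in it are placeholders.

```python
"""Tolerant parser for a CS.cfg-style key=value file (added example).

Models the two fixes: comment and blank lines are skipped instead of
breaking the parse, and an absent parameter such as ca.subsystem.certreq
is reported as missing rather than treated as a fatal error.
"""
from typing import Dict, Optional

# Constructed CS.cfg fragment: comments and a blank line precede the
# first setting, and ca.subsystem.certreq is intentionally absent.
SAMPLE_CS_CFG = """\
# Generated by pkispawn -- do not edit by hand

ca.subsystem.cert=MIIC...placeholder...
ca.subsystem.nickname=subsystemCert cert-pki-ca
# ca.subsystem.certreq is intentionally not set here
preop.ca.type=sdca
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; ignore blank lines and '#' comments.

    Values may contain '=' themselves, so split on the first one only.
    A non-blank, non-comment line without '=' is a real syntax error.
    """
    params: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the BZ#1306989 fix: comments and blanks are not config
        if "=" not in line:
            raise ValueError(f"CS.cfg line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def get_optional(params: Dict[str, str], key: str) -> Optional[str]:
    """Return the parameter if present, None otherwise (BZ#1313207 behaviour)."""
    return params.get(key)


def get_required(params: Dict[str, str], key: str) -> str:
    """Parameters the services actually use still fail loudly when missing."""
    if key not in params:
        raise KeyError(f"required CS.cfg parameter {key} is missing")
    return params[key]
```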

Installing an IdM server no longer fails if Java 1.8 is installed

The Public Key Infrastructure (PKI) server, included in Identity Management (IdM), supports Java version 1.7 on Red Hat Enterprise Linux 6. The ipa-server-install installation script failed on systems where the java-1.8 package was installed and selected as the current system java using the alternatives utility. To fix this problem, the pki-core code has been updated to bypass alternatives on Red Hat Enterprise Linux 6 by forcing PKI servers to always run under OpenJDK version 1.7 regardless of the version of java selected using alternatives. (BZ#1290535)

Samba no longer denies access when sharing the root directory of the system

Previously, due to a missing path check, Samba denied access when sharing the root directory of the system by using the path = / setting in the /etc/samba/smb.conf file. With this update, Samba no longer incorrectly treats the / path as a symbolic link and does not incorrectly deny access in the described situation. (BZ#1305870)

Acquiring keytabs takes longer with SELinux after memory leaks have been fixed

Previously, SELinux support in the krb5 packages caused krb5 to leak memory. This bug has been fixed. Note that acquiring keytabs now takes longer than before when SELinux is in enforcing or permissive mode. (BZ#1311287)

sudo smart refresh updates no longer fail due to USN parsing errors

System Security Services Daemon (SSSD) did not correctly handle the format of the modifyTimestamp attribute of the OpenLDAP server. Consequently, smart refresh updates for the sudo utility did not work. After the user changed a sudo rule with SSSD running, the logs showed an error stating that SSSD was unable to parse the Update Sequence Number (USN) scheme. This update fixes the problem, and smart refresh updates now work in the described situation. (BZ#1312062)

SSSD stores sudo rules correctly when id_provider = ipa is set

Identity Management version 3.0 and earlier use a different format for the ipasudocmd distinguished name (DN). Consequently, the System Security Services Daemon (SSSD) service was unable to store sudo rules correctly when the id_provider option was set to ipa in the /etc/sssd/sssd.conf file. This update fixes the problem, and sudo rules now work as expected in the described situation. (BZ#1313940)

The user is prompted for smart card PIN as expected

Due to insufficient SELinux policy rules, the p11_child process, running in the sssd_t SELinux domain, was unable to manage the authentication cache and connect to Apache ports. Consequently, the system did not prompt the user for the smart card PIN. The SELinux policy rules, provided by the selinux-policy package, have been updated to allow this functionality. As a result, the user is prompted for the smart card PIN as expected in the described situation. (BZ#1299066)

Cloning a PKI server with an externally-signed CA certificate to Red Hat Enterprise Linux 7 no longer fails

Previously, when a Red Hat Enterprise Linux 6 public key infrastructure (PKI) server was installed with an externally-signed certificate authority (CA) certificate, the subsystem user was not created properly. Consequently, cloning to Red Hat Enterprise Linux 7 failed.
For new Red Hat Enterprise Linux 6 installations, the code has been fixed to create the subsystem user, add it to the subsystem group, and map the subsystem certificate to the user properly. For existing Red Hat Enterprise Linux 6 installations, the code has been modified to automatically restore the subsystem user to the correct configuration on restart.
As a result, cloning to Red Hat Enterprise Linux 7 now succeeds in the described situation. (BZ#1256039)

ypserv no longer fails if the domainname parameter is unset

Previously, the ypserv service failed to start when the domainname parameter was not set in the /etc/init.d/ypserv file. This update moves the check for domainname to the yppasswdd service, and in the described circumstances, ypserv now starts as expected. (BZ#456249)

yppasswd now correctly reports a failure of a user password change

Prior to this update, when the yppasswd service failed to change a user's password, it still reported success. A test has been added to yppasswdd that verifies whether the write operation was successful. As a result, if yppasswdd fails to change a user password, an error message is now logged. (BZ#747334)

ypserv now correctly reports a non-existent map

The ypserv service previously incorrectly returned the "Internal NIS error" error message when a NIS client asked for a non-existent map using the yp_first or yp_next calls. Now, ypserv correctly returns the "No such map in server's domain" error message in this scenario. (BZ#988203)

mknetid no longer crashes when the passwd file contains empty lines or an unexpected format

Previously, using the mknetid utility on the passwd file with empty lines or an unexpected format in some cases caused mknetid to terminate unexpectedly. With this update, mknetid ignores the redundant elements in the passwd file, and no longer crashes in the situation described. (BZ#1071962)
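The netid.byname map that mknetid builds has the form "unix.UID@domain" to "UID:GID[,GID...]", and the fix above is about not aborting on bad passwd lines. The following is an added example, not code from ypserv or mknetid; the passwd and group contents and the NIS domain name are constructed.

```python
"""Build netid.byname entries from passwd and group data without crashing
on empty or malformed lines, as the fixed mknetid does. Added example, not
code from ypserv; the sample files and NIS domain name are constructed."""
from typing import Dict, List, Tuple

# Constructed passwd data with an empty line, a truncated line and a
# non-numeric UID; the fixed mknetid ignores such lines.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash

alice:x:1000:1000:Alice:/home/alice:/bin/bash
truncated:x:1001
bob:x:notanumber:1001:Bob:/home/bob:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""
SAMPLE_GROUP = "wheel:x:10:alice,carol\n\nstaff:x:50:alice\nmalformed\n"


def parse_passwd(text: str) -> List[Tuple[str, int, int]]:
    """Return (name, uid, gid) for each well-formed 7-field passwd line."""
    users = []
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # empty, truncated or non-numeric: skip, do not abort
        users.append((fields[0], int(fields[2]), int(fields[3])))
    return users


def parse_group(text: str) -> Dict[str, List[int]]:
    """Map member name -> supplementary GIDs, skipping malformed lines."""
    membership: Dict[str, List[int]] = {}
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        for member in filter(None, fields[3].split(",")):
            membership.setdefault(member, []).append(int(fields[2]))
    return membership


def build_netid(passwd: str, group: str, domain: str) -> Dict[str, str]:
    """netid.byname format: key unix.UID@domain, value UID:GID[,GID...]."""
    extra = parse_group(group)
    netid = {}
    for name, uid, gid in parse_passwd(passwd):
        gids = [gid] + [g for g in extra.get(name, []) if g != gid]
        netid[f"unix.{uid}@{domain}"] = f"{uid}:" + ",".join(map(str, gids))
    return netid
```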

ypbind no longer restarts on every renewal of DHCP

Prior to this update, the ypbind service restarted on every renewal of the Dynamic Host Configuration Protocol (DHCP) lease, which caused NIS lookups to be slower, and in some cases to time out. Now, ypbind restarts on a DHCP renewal only if any changes occurred on the NIS domain or the NIS server. As a result, NIS lookups are faster and experience fewer timeouts. (BZ#1238771)