Chapter 17. Authentication and Interoperability

SSSD fails to manage sudo rules from the IdM LDAP tree

The System Security Services Daemon (SSSD) currently uses the IdM LDAP tree by default. As a consequence, it is not possible to assign sudo rules to non-POSIX groups. To work around this problem, modify the /etc/sssd/sssd.conf file to set your domain to use the compat tree again:
[domain/EXAMPLE]
...
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
As a result, SSSD will load sudo rules from the compat tree and you will be able to assign rules to non-POSIX groups.
Note that Red Hat recommends to configure groups referenced in sudo rules as POSIX groups. (BZ#1336548)

winbindd crashes when installing a new AD trust

When configuring a new Active Directory (AD) trust on a newly installed system, the ipa-adtrust-install utility might report that the winbindd service terminated unexpectedly. Otherwise, ipa-adtrust-install completes successfully.
If this problem occurs, restart the IdM services by using the ipactl restart command after running ipa-adtrust-install. This also restarts winbindd.
Note that the full extent of the functional impact of this problem is still unknown. Some trust functionality might not work until winbindd is restarted. (BZ#1399058)

nslcd fails to resolve user or group identities when it is started before the network connection is fully up

When nslcd, the local LDAP name service daemon, is started before the network connection is fully up, the daemon fails to connect to an LDAP server. As a consequence, resolving user or group identities does not work. To work around this problem, start nslcd after the network connection is up. (BZ#1401632)