Chapter 3. Authentication and Interoperability

SSSD now enables the administrator to select which domains from the AD forest can be contacted

In some environments, only a subset of domains in a joined Active Directory (AD) forest can be reached. Attempting to contact an unreachable domain might cause unwanted timeouts or switch the System Security Services Daemon (SSSD) to offline mode.
To prevent this, the administrator can now configure a list of domains to which SSSD connects by setting the ad_enabled_domains option in the /etc/sssd/sssd.conf file. For details, see the sssd-ad(5) man page. (BZ#1324428)

SSSD now enables selecting a list of PAM services that will not receive any environment variables from pam_sss

In some cases, it is not desirable to propagate environment variables set by the pam_sss Pluggable Authentication Module (PAM). For example, when using the sudo -i command, users might not want to transfer the KRB5CCNAME variable of the original user to the target environment.
Previously, when a non-privileged user executed the sudo -i command to become another non-privileged user, the new non-privileged user did not have the permissions to read the Kerberos credentials cache that KRB5CCNAME pointed to.
For this use case, this update adds a new option named pam_response_filter. Using pam_response_filter, the administrator can list PAM services (such as sudo-i) that do not receive any environment variables (such as KRB5CCNAME) during login. Now, if pam_response_filter lists sudo-i, a user can switch from one non-privileged user to another without KRB5CCNAME being set in the target environment. (BZ#1329378)
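The following sssd.conf excerpt is an added example illustrating both SSSD options described above; it is not taken from the release notes or from the SSSD project. The domain names example.com and child.example.com are placeholders, and the ENV::service form of pam_response_filter follows the syntax documented in the sssd.conf(5) man page (check the man page shipped with your SSSD version before relying on it).

```ini
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
# Only the listed forest domains are contacted (placeholder names).
# Domains left out are skipped instead of causing lookup timeouts
# that could push SSSD into offline mode.
ad_enabled_domains = example.com, child.example.com

[pam]
# Do not pass any environment variables (including KRB5CCNAME) to the
# sudo-i PAM service, so a "sudo -i" to another unprivileged user does
# not inherit a credential cache it cannot read.
pam_response_filter = ENV::sudo-i
```

After editing, restrict the file to root (the SSSD daemon refuses to start if sssd.conf is group- or world-readable) and restart the sssd service; a lookup against a domain that is not in ad_enabled_domains should then fail immediately rather than time out.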

IdM servers can now be configured to require TLS 1.2 or better

Version 1.2 of the Transport Layer Security (TLS) protocol is considered significantly more secure than previous versions. This update enables you to configure your Identity Management (IdM) server to forbid communication using protocols that are less secure than TLS 1.2.
For details, see the following Red Hat Knowledgebase article: (BZ#1367026)

pam_faillock can now be configured with unlock_time=never

The pam_faillock module now allows you to specify, using the unlock_time=never option, that a user authentication lock caused by multiple authentication failures should never expire. (BZ#1404832)
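The following /etc/pam.d/system-auth excerpt is an added example, not part of the release notes, showing where unlock_time=never goes in a typical pam_faillock stack. The deny=5 threshold is an assumed value; the preauth and authfail calls must carry identical options, and the module order (preauth before pam_unix, authfail after it) is the documented pam_faillock layout.

```text
# /etc/pam.d/system-auth (excerpt, added example)
auth     required      pam_env.so
# Record the failure state before the password check; lock never expires.
auth     required      pam_faillock.so preauth silent audit deny=5 unlock_time=never
auth     sufficient    pam_unix.so nullok try_first_pass
# Count the failure when pam_unix rejects the password; same options as preauth.
auth     [default=die] pam_faillock.so authfail audit deny=5 unlock_time=never
auth     requisite     pam_succeed_if.so uid >= 500 quiet
auth     required      pam_deny.so

account  required      pam_faillock.so
account  required      pam_unix.so
```

Because the lock no longer expires on its own, an administrator has to clear it explicitly with faillock --user NAME --reset (or inspect the counter with faillock --user NAME); plan for that operational step, since a burst of failed logins against an account, whatever its cause, will otherwise keep that account locked indefinitely.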

The libkadm5* libraries have been moved to the libkadm5 package

In Red Hat Enterprise Linux 6.9, the libkadm5* libraries have been moved from the krb5-libs to the new libkadm5 package. As a consequence, yum is not able to downgrade the krb5-libs package automatically. Before downgrading, remove the libkadm5 package manually:
# rpm -e --nodeps libkadm5
After you have manually removed the package, use the yum downgrade command to downgrade the krb5-libs package to a previous version. (BZ#1351284)