SSSD Fully Supported Features
A number of features introduced in Red Hat Enterprise Linux 6.3 are now fully supported in Red Hat Enterprise Linux 6.4. Specifically:
New SSSD Cache Storage Type
Kerberos version 1.10 added a new cache storage type, DIR:, which allows Kerberos to maintain Ticket Granting Tickets (TGTs) for multiple Key Distribution Centers (KDCs) simultaneously and to auto-select between them when negotiating with Kerberos-aware resources. In Red Hat Enterprise Linux 6.4, SSSD has been enhanced to allow you to select the DIR: cache for users that are logging in via SSSD. This feature is introduced as a Technology Preview.
Adding AD-based Trusted Domains to
In Red Hat Enterprise Linux 6.4, the ipa group-add-member command allows you to add members of Active Directory-based trusted domains to groups marked as external in Identity Management. These members may be specified by name using domain- or UPN-based syntax, for example User@AD.Domain. When specified in this form, members are resolved against the Active Directory-based trusted domain's Global Catalog to obtain their Security Identifier (SID) value.
Alternatively, an SID value can be specified directly. In this case, the ipa group-add-member command only verifies that the domain part of the SID value belongs to one of the trusted Active Directory domains. No attempt is made to verify that the SID is valid within that domain.
It is recommended to use user or group name syntax to specify external members rather than providing their SID values directly.
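The following is an added example, not code from the release notes or from the ipa tooling. It models the two member syntaxes described above and the limited check applied to SID syntax: the domain part of the SID is compared against a (constructed) table of trusted domain SIDs, and the RID is never validated, which is why a non-existent account in a trusted domain is accepted and why name syntax is recommended. The trusted-domain SIDs, domain name and member strings are constructed sample values.

```python
# Added example, not part of the release notes: models the two ways an external
# member can be specified to `ipa group-add-member` and the check the notes describe
# for SID syntax (only the domain part is compared against trusted domains).
import re

# Constructed sample: domain SIDs of the AD domains this IdM server trusts,
# mapped to the domain name. Real values come from the configured trusts.
TRUSTED_DOMAIN_SIDS = {
    "S-1-5-21-1111111111-2222222222-3333333333": "AD.EXAMPLE.TEST",
}

# Windows SID syntax: S-1-<identifier authority>-<one or more sub-authorities>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split a SID into (domain part, RID). Raises ValueError on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    domain_part, _, rid = sid.rpartition("-")
    return domain_part, int(rid)


def trusted_domain_for_sid(sid, trusted=TRUSTED_DOMAIN_SIDS):
    """Return the trusted domain whose SID matches the domain part, or None.

    Deliberately mirrors the limited check described in the notes: the RID is
    not looked up anywhere, so a non-existent account in a trusted domain passes.
    """
    domain_part, _rid = split_sid(sid)
    return trusted.get(domain_part)


def classify_external_member(member, trusted=TRUSTED_DOMAIN_SIDS):
    """Return (syntax, outcome) for one external member specification.

    Name syntax (UPN 'user@DOMAIN' or 'DOMAIN\\user') is resolved against the
    trusted domain's Global Catalog, so a bogus name is caught there. SID syntax
    only gets the domain-part check.
    """
    if member.upper().startswith("S-1-"):
        domain = trusted_domain_for_sid(member, trusted)
        if domain is None:
            return ("sid", "rejected: domain part is not a trusted AD domain")
        return ("sid", "accepted by domain-part check only (%s); RID not validated" % domain)
    if "@" in member or "\\" in member:
        return ("name", "resolve against the trusted domain's Global Catalog to obtain the SID")
    raise ValueError("expected UPN, DOMAIN\\user or SID syntax: %r" % member)


if __name__ == "__main__":
    for spec in ("User@AD.EXAMPLE.TEST",
                 "S-1-5-21-1111111111-2222222222-3333333333-1105",
                 "S-1-5-21-1111111111-2222222222-3333333333-99999999",
                 "S-1-5-21-4444444444-5555555555-6666666666-1105"):
        print(spec, "->", classify_external_member(spec))
```

Running the block shows that a SID with a trusted domain part but a RID that exists nowhere is accepted exactly like a real one, whereas a SID from an unknown domain is rejected; a name-syntax member is the only form that goes through a directory lookup.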
Auto-renew Identity Management Subsystem Certificates
The default validity period for a new Certificate Authority is 10 years. The CA issues a number of certificates for its subsystems (OCSP, audit log, and others). Subsystem certificates are normally valid for 2 years. If the certificates expire, the CA does not start up or does not function properly. Therefore, in Red Hat Enterprise Linux 6.4, Identity Management servers are capable of automatically renewing their subsystem certificates. The subsystem certificates are tracked by certmonger, which automatically attempts to renew the certificates before they expire.
In Red Hat Enterprise Linux 6.4, OpenLDAP is automatically configured with the default LDAP URI, a Base DN, and a TLS certificate during Identity Management client installation. This improves the user experience when performing LDAP searches against the Identity Management Directory Server.
PKCS#12 Support for python-nss
The python-nss package, which provides Python bindings for Network Security Services (NSS) and the Netscape Portable Runtime (NSPR), has been updated to add PKCS #12 support.
Full Persistent Search for DNS
LDAP in Red Hat Enterprise Linux 6.4 includes support for persistent search for both zones and their resource records. Persistent search allows the bind-dyndb-ldap plug-in to be immediately informed about all changes in an LDAP database. It also reduces the network bandwidth that repeated polling would otherwise require.
New CLEANALLRUV Operation
Obsolete elements in the Database Replica Update Vector (RUV) can be removed with the CLEANRUV operation, which removes them on a single supplier or master. Red Hat Enterprise Linux 6.4 adds a new CLEANALLRUV operation, which can remove obsolete RUV data from all replicas and needs to be run on a single supplier/master only.
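As an added example that is not part of the release notes or of 389 Directory Server, the block below parses nsds50ruv attribute values in the format 389 Directory Server uses ({replica <id> <url>} followed by min and max CSN) and lists the replica IDs that no longer belong to a live supplier. Those are the obsolete RUV elements an administrator would target with CLEANRUV on each supplier, or once with CLEANALLRUV; the RUV lines, hostnames and CSNs are constructed sample data, and the set of active replica IDs is assumed to come from the administrator's own inventory.

```python
# Added example, not part of the release notes: parses the nsds50ruv attribute
# values kept by 389 Directory Server and lists replica IDs that no longer
# correspond to an active supplier, i.e. the obsolete elements that CLEANRUV
# (per supplier) or CLEANALLRUV (once, for all replicas) would remove.
import re

# One nsds50ruv value per line, as read from the replica's RUV tombstone entry.
# Constructed sample: replica ID 7 belongs to a supplier that was decommissioned.
SAMPLE_RUV = """\
{replicageneration} 5e1a0f5c000000010000
{replica 1 ldap://ds1.example.test:389} 5e1a0f5c000100010000 5e2b1234000200010000
{replica 2 ldap://ds2.example.test:389} 5e1a0f5d000100020000 5e2b1235000200020000
{replica 7 ldap://old.example.test:389} 5e1a0f60000100070000 5e1b0000000200070000
"""

# {replica <id> <ldap url>} [<min CSN> [<max CSN>]]; the CSNs may be missing on a
# supplier that has not yet generated any change.
RUV_ELEMENT_RE = re.compile(r"^\{replica (\d+) (\S+)\}(?:\s+(\S+))?(?:\s+(\S+))?$")


def parse_ruv(text):
    """Return {replica_id: (url, min_csn, max_csn)} from nsds50ruv values.

    The {replicageneration} element carries no replica ID and is skipped.
    """
    elements = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("{replicageneration}"):
            continue
        m = RUV_ELEMENT_RE.match(line)
        if m is None:
            raise ValueError("unrecognised RUV element: %r" % line)
        rid, url, min_csn, max_csn = m.groups()
        elements[int(rid)] = (url, min_csn, max_csn)
    return elements


def obsolete_replica_ids(ruv_text, active_replica_ids):
    """Replica IDs present in the RUV but absent from the set of live suppliers.

    active_replica_ids is assumed to come from the administrator's inventory of
    suppliers that still exist; anything else in the RUV is stale state.
    """
    return sorted(set(parse_ruv(ruv_text)) - set(active_replica_ids))


if __name__ == "__main__":
    active = {1, 2}  # assumed: suppliers still in service
    for rid, (url, min_csn, max_csn) in sorted(parse_ruv(SAMPLE_RUV).items()):
        print("replica %d at %s: min=%s max=%s" % (rid, url, min_csn, max_csn))
    print("obsolete replica IDs:", obsolete_replica_ids(SAMPLE_RUV, active))
```

Run against the RUV of each supplier before cleanup: with CLEANRUV every supplier that still lists a stale ID has to be cleaned separately, whereas CLEANALLRUV is issued once and handles all replicas, which is the difference the release note describes.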
samba4 Libraries Updated
Samba4 libraries (provided by the samba4-libs package) have been upgraded to the latest upstream version to improve interoperability with Active Directory (AD) domains. SSSD now uses one of these libraries to parse the Privilege Attribute Certificate (PAC) issued by an AD Key Distribution Center (KDC). Additionally, various improvements have been made to the Local Security Authority (LSA) and Net Logon services to allow verification of trust from a Windows system. For information on the introduction of Cross Realm Kerberos Trust functionality, which depends on samba4 packages, refer to the section called “Cross Realm Kerberos Trust Functionality in Identity Management”.
If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat Enterprise Linux 6.4 and you have Samba in use, make sure to uninstall the samba4 package to avoid conflicts during the upgrade.
Because the Cross Realm Kerberos Trust functionality is considered a Technology Preview, selected samba4 components are considered to be a Technology Preview. For more information on which Samba packages are considered a Technology Preview, refer to Table 5.1, “Samba4 Package Support”.
Table 5.1. Samba4 Package Support

| Package Name | New Package in 6.4? | Support Status |
|---|---|---|
| samba4-libs | No | Technology Preview, except functionality required by OpenChange |
| samba4-pidl | No | Technology Preview, except functionality required by OpenChange |
| samba4 | No | Technology Preview |
Cross Realm Kerberos Trust Functionality in Identity Management
The Cross Realm Kerberos Trust functionality provided by Identity Management is included as a Technology Preview. This feature allows you to create a trust relationship between an Identity Management domain and an Active Directory domain. This means that users from the AD domain can access resources and services in the Identity Management domain with their AD credentials. No data needs to be synchronized between the Identity Management and AD domain controllers; AD users are always authenticated against the AD domain controller, and information about users is looked up without the need for synchronization.
This feature is provided by the optional ipa-server-trust-ad package. This package depends on features which are only available in samba4. Because the samba4-* packages conflict with the corresponding samba-* packages, all samba-* packages must be removed before ipa-server-trust-ad can be installed.
When the ipa-server-trust-ad package is installed, the command must be run on all Identity Management servers and replicas to enable Identity Management to handle trusts. When this is done, a trust can be established on the command line or in the WebUI. For more information, refer to the section Integrating with Active Directory Through Cross-Realm Kerberos Trusts in the Identity Management Guide.
POSIX Schema Support for 389 Directory Server
Windows Active Directory (AD) supports the POSIX schema (RFC 2307 and 2307bis) for user and group entries. In many cases, AD is used as the authoritative source of user and group data, including POSIX attributes. With Red Hat Enterprise Linux 6.4, Directory Server Windows Sync no longer ignores these attributes. Users are now able to synchronize POSIX attributes with Windows Sync between AD and 389 Directory Server.
When new user and group entries are added to the Directory Server, their POSIX attributes are not synced to AD. New user and group entries added to AD are synchronized to the Directory Server, and modified attributes are synchronized in both directions.