Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Chapter 5. Authentication and Interoperability

SSSD Fully Supported Features

A number of features introduced in Red Hat Enterprise Linux 6.3 are now fully supported in Red Hat Enterprise Linux 6.4. Specifically:
  • support for central management of SSH keys,
  • SELinux user mapping,
  • and support for automount map caching.

New SSSD Cache Storage Type

Kerberos version 1.10 added a new cache storage type, DIR:, which allows Kerberos to maintain Ticket Granting Tickets (TGTs) for multiple Key Distribution Centers (KDCs) simultaneously and auto-select between them when negotiating with Kerberos-aware resources. In Red Hat Enterprise Linux 6.4, SSSD has been enhanced to allow you to select the DIR: cache for users that are logging in via SSSD. This feature is introduced as a Technology Preview.

Adding AD-based Trusted Domains to external Groups

In Red Hat Enterprise Linux 6.4, the ipa group-add-member command allows you to add members of Active Directory-based trusted domains to groups marked as external in Identity Management. These members may be specified by their name using domain- or UPN-based syntax, for example AD\UserName or AD\GroupName, or User@AD.Domain. When specified in this form, members are resolved against Active Directory-based trusted domain's Global Catalog to obtain their Security Identifier (SID) value.
Alternatively, an SID value could be specified directly. In this case, the ipa group-add-member command will only verify that the domain part of the SID value is one of the trusted Active Directory domains. No attempt will be done to verify validity of the SID within the domain.
It is recommended to use user or group name syntax to specify external members rather than providing their SID values directly.

Auto-renew Identity Management Subsystem Certificates

The default validity period for a new Certificate Authority is 10 years. The CA issues a number of certificates for its subsystems (OCSP, audit log, and others). Subsystem certificates are normally valid for 2 years. If the certificates expire, the CA does not start up or does not function properly. Therefore, in Red Hat Enterprise Linux 6.4, Identity Management servers are capable of automatically renewing their subsystem certificates. The subsystem certificates are tracked by certmonger, which automatically attempts to renew the certificates before they expire.

Automatic Configuration of OpenLDAP Client Tools on Clients Enrolled in Identity Management

In Red Hat Enterprise Linux 6.4, OpenLDAP is automatically configured with the default LDAP URI, a Base DN, and a TLS certificate during Identity Management client installation. This improves user experience when performing LDAP searches to Identity Management Directory Server.

PKCS#12 Support for python-nss

The python-nss package, which provides Python bindings for Network Security Services (NSS) and the Netscape Portable Runtime (NSPR), has been updated to add PKCS #12 support.

Full Persistent Search for DNS

LDAP in Red Hat Enterprise Linux 6.4 includes support for persistent search for both zones and their resource records. Persistent search allows the bind-dyndb-ldap plug-in to be immediately informed about all changes in an LDAP database. It also decreases network bandwidth usage required by repeated polling.


Obsolete elements in the Database Replica Update Vector (RUV) can be removed with the CLEANRUV operation, which removes them on a single supplier or master. Red Hat Enterprise Linux 6.4 adds a new CLEANALLRUV operation which can remove obsolete RUV data from all replicas and needs to be run on a single supplier/master only.

samba4 Libraries Updated

The samba4 libraries (provided by the samba4-libs package) have been upgraded to the latest upstream version to improve interoperability with Active Directory (AD) domains. SSSD now uses the libndr-krb5pac library to parse the Privilege Attribute Certificate (PAC) issued by an AD Key Distribution Center (KDC). Additionally, various improvements have been made to the Local Security Authority (LSA) and Net Logon services to allow verification of trust from a Windows system. For information on the introduction of Cross Realm Kerberos Trust functionality, which depends on samba4 packages, refer to the section called “Cross Realm Kerberos Trust Functionality in Identity Management”.


If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat Enterprise Linux 6.4 and you have Samba in use, make sure to uninstall the samba4 package to avoid conflicts during the upgrade.
Because the Cross Realm Kerberos Trust functionality is considered a Technology Preview, selected samba4 components are considered to be a Technology Preview. For more information on which Samba packages are considered a Technology Preview, refer to Table 5.1, “Samba4 Package Support ”.

Table 5.1. Samba4 Package Support

Package Name New Package in 6.4? Support Status
samba4-libs No Technology Preview, except functionality required by OpenChange
samba4-pidl No Technology Preview, except functionality required by OpenChange
samba4 No Technology Preview
samba4-clientYesTechnology Preview
samba4-commonYesTechnology Preview
samba4-pythonYesTechnology Preview
samba4-winbindYesTechnology Preview
samba4-dcYesTechnology Preview
samba4-dc-libsYesTechnology Preview
samba4-swatYesTechnology Preview
samba4-testYesTechnology Preview
samba4-winbind-clientsYesTechnology Preview
samba4-winbind-krb5-locatorYesTechnology Preview

Cross Realm Kerberos Trust Functionality in Identity Management

The Cross Realm Kerberos Trust functionality provided by Identity Management is included as a Technology Preview. This feature allows to create a trust relationship between an Identity Management and an Active Directory domain. This means that users from the AD domain can access resources and services from the Identity Management domain with their AD credentials. No data needs to be synchronized between the Identity Management and AD domain controllers; AD user are always authenticated against the AD domain controller and information about users is looked up without the need for synchronization.
This feature is provided by the optional ipa-server-trust-ad package. This package depends on features which are only available in samba4. Because samba4-* packages conflicts with the corresponding samba-* packages, all samba-* packages must be removed before ipa-server-trust-ad can be installed.
When the ipa-server-trust-ad package is installed, the ipa-adtrust-install command must be run on all Identity Management servers and replicas to enable Identity Management to handle trusts. When this is done a trust can be established on the command line using the ipa trust-add or the WebUI. For more information, refer to section Integrating with Active Directory Through Cross-Realm Kerberos Trusts in the Identity Management Guide on

Posix Schema Support for 389 Directory Server

Windows Active Directory (AD) supports the POSIX schema (RFC 2307 and 2307bis) for user and group entries. In many cases, AD is used as the authoritative source of user and group data, including POSIX attributes. With Red Hat Enterprise Linux 6.4, Directory Server Windows Sync no longer ignores these attributes. Users are now able to synchronize POSIX attributes with Windows Sync between AD and 389 Directory Server.


When adding new user and group entries to the Directory Server, the POSIX attributes are not synced to AD. Adding new user and group entries to AD will synchronize to the Directory Server, and modifying attributes will synchronize them both ways.