Chapter 20. Authentication and Interoperability
Do not use SELinux in enforcing mode when sharing the root directory
Samba requires a shared directory to be labeled samba_share_t when SELinux is in enforcing mode. However, when sharing the whole root directory of the system by using the path = / configuration in the /etc/samba/smb.conf file, labeling the root directory as samba_share_t causes critical system malfunctions.
Red Hat strongly discourages users from labeling the root directory with the samba_share_t label. Therefore, do not use SELinux in enforcing mode when sharing the root directory using Samba. (BZ#1320172)
SSSD does not support the LDAP externalUser attribute
The System Security Services Daemon (SSSD) service is missing support for the externalUser LDAP attribute of the Identity Management (IdM) schema. As a consequence, the assignment of sudo rules to local accounts, such as by using the /etc/passwd file, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains.
To work around this problem, set the LDAP sudo search base as follows in the [domain] section of the
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
This enables SSSD to resolve users defined in
SSSD incorrectly creates local overrides in an AD environment
The sss_override tool creates case-insensitive distinguished names (DN) when the id_provider option is set to
/etc/sssd/sssd.conf file. However, the DNs in the SSSD cache are stored as case-sensitive. As a consequence, local overrides are not created for users from the Active Directory (AD) subdomain or for users with mixed-case account names. (BZ#1327272)
sssd_be does not terminate forked child processes
id_provider option is set to
/etc/sssd/sssd.conf file, a helper process inside sssd_be processes sometimes fails. As a consequence, the process spawns new sssd_be instances, which consume additional memory. To work around this problem, install the adcli package and restart the
SSSD fails to manage sudo rules from the IdM LDAP tree
The System Security Services Daemon (SSSD) currently uses the IdM LDAP tree by default. As a consequence, it is not possible to assign sudo rules to non-POSIX groups. To work around this problem, modify the
/etc/sssd/sssd.conf file to set your domain to use the
[domain/EXAMPLE]
...
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
As a result, SSSD will load sudo rules from the compat tree and you will be able to assign rules to non-POSIX groups.
Note that Red Hat recommends configuring groups referenced in sudo rules as POSIX groups.
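An added example, not part of the release notes or of SSSD itself: a Python check that reports, for each domain enabled in the [sssd] section, whether ldap_sudo_search_base carries the value that both sudo workarounds above set. The sample configuration, the domain names EXAMPLE, lab and OLD, and the function names are constructed for illustration; the DN comparison assumes no escaped commas.

```python
import configparser

# Constructed sample sssd.conf; domain names are illustrative only.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = EXAMPLE, lab

[domain/EXAMPLE]
id_provider = ldap
ldap_sudo_search_base = ou=sudoers, dc=example, dc=com

[domain/lab]
id_provider = ldap

[domain/OLD]
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
"""

def normalize_dn(dn):
    # Comparison form: lower-case, no spaces around commas.
    # Assumption: RDN values contain no escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def audit_sudo_search_base(conf_text, expected_base):
    """Return {enabled domain: 'ok' | 'missing' | 'mismatch'}."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    delimiters=("=",))
    cfg.read_string(conf_text)
    # A section that is not listed in [sssd] domains is not checked,
    # so a workaround placed only there is not counted.
    enabled = [d.strip() for d in
               cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]
    report = {}
    for domain in enabled:
        value = cfg.get(f"domain/{domain}", "ldap_sudo_search_base",
                        fallback=None)
        if value is None:
            report[domain] = "missing"
        elif normalize_dn(value) == normalize_dn(expected_base):
            report[domain] = "ok"
        else:
            report[domain] = "mismatch"
    return report

if __name__ == "__main__":
    expected = "ou=sudoers,dc=example,dc=com"
    for name, status in audit_sudo_search_base(SAMPLE_SSSD_CONF, expected).items():
        print(f"{name}: {status}")
```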
The HP keyboard KUS1206 does not handle smart cards correctly and can become unresponsive
When using the HP keyboard KUS1206 with a built-in smart card reader, you might experience the following problems:
- The keyboard detects smart cards inconsistently.
- When the user logs in to the system with a password and the smart card is not inserted, the following message appears continuously in the
pcscd: commands.c:957:CmdGetSlotStatus Card absent or mute
- The keyboard sometimes becomes unresponsive.