Chapter 13. Authentication and Interoperability

Improved Identity Management Cross-Realm Trusts to Active Directory

The following improvements have been implemented in cross-realm trusts to Active Directory feature of Red Hat Enterprise Linux:
  • Multiple Active Directory domains are supported in the trusted forest;
  • Access of users belonging to separate Active Directory domains in the trusted forest can be selectively disabled and enabled per-domain level;
  • Manually defined POSIX identifiers for users and groups from trusted Active Directory domains can be used instead of automatically assigned identifiers;
  • Active Directory users and groups coming from the trusted domains can be exported to legacy POSIX systems through LDAP compatibility tree;
  • For Active Directory users exported through LDAP compatibility tree, authentication can be performed against Identity Management LDAP server. As a result, both Identity Management and trusted Active Directory users are accessible to legacy POSIX systems in a unified way.

Support of POSIX User and Group IDs In Active Directory

Identity Management implementation of cross-realm trusts to Active Directory supports existing POSIX user and group ID attributes in Active Directory. When explicit mappings are not defined on the Active Directory side, algorithmic mapping based on the user or group Security Identifier (SID) is applied.

Use of AD and LDAP sudo Providers

The AD provider is a back end used to connect to an Active Directory server. In Red Hat Enterprise Linux 7, using the AD sudo provider together with the LDAP provider is supported as a Technology Preview. To enable the AD sudo provider, add the sudo_provider=ad setting in the domain section of the sssd.conf file.

Support of CA-Less Installations

IPA supports installing without an embedded Certificate Authority with user-provided SSL certificates for the HTTP servers and Directory Servers. The administrator is responsible for issuing and rotating services and hosts certificates manually.

FreeIPA GUI Improvements

Red Hat Enterprise Linux 7 brings a number of improvements to FreeIPA graphical interface, from which the most notable are the following:
  • All dialog windows can be confirmed by the Enter key even when the appropriate button or the dialog window does not have the focus;
  • Loading of web UI is significantly faster because of compression of web UI assets and RPC communication;
  • Drop-down lists can be controlled by keyboard.

Reclaiming IDs of Deleted Replicas

User and group ID ranges that belong to deleted replicas can be transferred to a suitable replica if one exists. This prevents potential exhaustion of the ID space. Additionally, ID ranges can be managed manually with the ipa-replica-manage tool.

Re-Enrolling Clients Using Existing Keytab Files

A host that has been recreated and does not have its host entry disabled or removed can be re-enrolled using a previously backed up keytab file. This ensures easy re-enrolling of the IPA client system after the user rebuilds it.

Prompt for DNS

During server interactive installation, the user is asked whether to install the DNS component. Previously, the DNS feature was installed only when the --setup-dns option was passed to the installer, leading to users not being aware of the feature.

Enhanced SSHFP DNS Records

DNS support in Identity Management was extended with support for the RFC 6954 standard. This allows users to publish Elliptic Curve Digital Signature Algorithm (ECDSA) keys and SHA-256 hashes in SSH fingerprint (SSHFP) records.

Filtering Groups by Type

New flags, --posix, --nonposix, --external, can be used to filter groups by type:
  • POSIX group is a group with the posixGroup object class;
  • Non-POSIX group is a group which is not POSIX or external, which means the group does not have the posixGroup or ipaExternalGroup object class;
  • External group is a group with the ipaExternalGroup class.

Improved Integration with the External Provisioning Systems

External provisioning systems often require extra data to correctly process hosts. A new free-form text field, class has been added to the host entries. This field can be used in automatic membership rules.

CRL and OCSP DNS Name in Certificate Profiles

A round-robin DNS name for the IPA Certificate Authority (CA) now points to all active IPA CA masters. The name is used for CRL and OCSP URIs in the IPA certificate profile. When any of the IPA CA masters is removed or unavailable, it does not affect the ability to check revocation status of any of the certificates issued by the IPA CA.

Certificates Search

The cert-find command no longer restricts users to searching certificates only by their serial number, but now also by:
  • serial number range;
  • subject name;
  • validity period;
  • revocation status;
  • and issue date.

Marking Kerberos Service as Trusted for Delegation of User Keys

Individual Identity Management services can be marked to Identity Management tools as trusted for delegation. By checking the ok_as_delegate flag, Microsoft Windows clients can determine whether the user credentials can be forwarded or delegated to a specific server or not.

Samba 4.1.0

Red Hat Enterprise Linux 7 includes samba packages upgraded to the latest upstream version, which introduce several bug fixes and enhancements, the most notable of which is support for the SMB3 protocol in the server and client tools.
Additionally, SMB3 transport enables encrypted transport connections to Windows servers that support SMB3, as well as Samba servers. Also, Samba 4.1.0 adds support for server-side copy operations. Clients making use of server-side copy support, such as the latest Windows releases, should experience considerable performance improvements for file copy operations.
Note that using the Linux kernel CIFS module with SMB protocol 3.1.1 is currently experimental and the functionality is unavailable in kernels provided by Red Hat.


The updated samba packages remove several already deprecated configuration options. The most important are the server roles security = share and security = server. Also the web configuration tool SWAT has been completely removed. More details can be found in the Samba 4.0 and 4.1 release notes:
Note that several tdb files have been updated. This means that all tdb files are upgraded as soon as you start the new version of the smbd daemon. You cannot downgrade to an older Samba version unless you have backups of the tdb files.
For more information about these changes, refer to the Release Notes for Samba 4.0 and 4.1 mentioned above.