Chapter 32. Authentication and Interoperability

Kerberos ticket requests are refused for short lifetimes

Due to a bug in Active Directory, Kerberos ticket requests with short lifetimes (generally below three minutes) are refused. To work around this problem, request longer-lived tickets (above five minutes) instead.

Replication from a Red Hat Enterprise Linux 7 machine to a Red Hat Enterprise Linux 6 machine fails

Currently, the Camellia Kerberos encryption types (enctypes) are included as possible default enctypes in the krb5, krb5-libs, and krb5-server packages. As a consequence, replication from a Red Hat Enterprise Linux 7 machine to a Red Hat Enterprise Linux 6 machine fails with an error message. To work around this problem, use the default enctype controls, or explicitly tell kadmin or ipa-getkeytab which encryption types to use.
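Before limiting enctypes, it helps to know whether a replica's keytab already carries Camellia keys. The following check is an added example, not part of the release notes: it scans a `klist -ekt` listing (a constructed sample is embedded; the host and realm names are hypothetical) and reports entries whose enctype is a Camellia type.

```sh
#!/bin/sh
# Added example (not Red Hat's code). Flags keytab entries whose enctype is a
# Camellia type, which a Red Hat Enterprise Linux 6 replica cannot use.
# Input is the text `klist -ekt /etc/krb5.keytab` prints, read from stdin.

# Constructed sample listing in the `klist -ekt` format (hypothetical names).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2015 12:00:00 host/ipa1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 01/01/2015 12:00:00 host/ipa1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 01/01/2015 12:00:00 host/ipa1.example.test@EXAMPLE.TEST (camellia256-cts-cmac)
   2 01/01/2015 12:00:00 host/ipa1.example.test@EXAMPLE.TEST (camellia128-cts-cmac)'

# camellia_entries: print "principal enctype" for every keytab entry that uses
# a Camellia enctype. Exit status is 1 when any is found, 0 when none.
camellia_entries() {
    awk '
        # Entry lines start with the numeric KVNO; headers and rulers do not.
        /^ *[0-9]+ / {
            enc = $NF; gsub(/[()]/, "", enc)      # enctype is the parenthesised last field
            if (enc ~ /^camellia/) { print $(NF-1), enc; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# count_camellia: number of Camellia entries in the listing on stdin.
count_camellia() {
    camellia_entries | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | camellia_entries || \
    echo "Camellia keys present; regenerate the keytab with an explicit enctype list," \
         "e.g. ipa-getkeytab ... -e aes256-cts,aes128-cts"
```

On a live system, pipe `klist -ekt /etc/krb5.keytab` into `camellia_entries` instead of the sample; a non-zero exit status means the keytab needs to be regenerated with an explicit enctype list.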

A harmless error message is logged on SSSD startup

If SSSD is connected to an IdM server that does not have a trust relationship established with an AD server, the following harmless error message is printed to the SSSD domain log on startup:
Internal Error (Memory buffer error)
To prevent the harmless error message from occurring, set subdomains_provider to none in the sssd.conf file if the environment is not expected to use any trusted domains.

DNS zones with recently generated DNSSEC keys are not signed properly

IdM does not properly sign DNS zones with recently generated DNS Security Extensions (DNSSEC) keys. The named-pkcs11 service logs the following error in this situation:
The attribute does not exist: 0x00000002
The bug is caused by a race condition in the DNSSEC key generation and distribution process. The race condition prevents named-pkcs11 from accessing the new DNSSEC keys.
To work around this problem, restart named-pkcs11 on the affected server. After the restart, the DNS zone is properly signed. Note that the bug might reappear after the DNSSEC keys are changed again.

The old realmd version is started when updating realmd while it is running

The realmd daemon starts only when requested, performs the given action, and then times out after some time. When realmd is updated while it is still running, the old version of realmd starts on the next request because realmd is not restarted after the update. To work around this problem, make sure that realmd is not running before updating it.

ipa-server-install and ipa-replica-install do not validate their options

The ipa-server-install and ipa-replica-install utilities currently do not validate the options supplied to them. If the user passes incorrect values to the utilities, the installation fails. To work around the problem, make sure to supply correct values, and then run the utilities again.

Upgrading the ipa packages fails if the required openssl version is not installed

When the user attempts to upgrade the ipa packages, Identity Management (IdM) does not automatically install the required version of the openssl packages. Consequently, if the 1.0.1e-42 version of openssl is not installed before the user runs the yum update ipa* command, the upgrade fails during the DNSKeySync service configuration.
To work around this problem, update openssl manually to version 1.0.1e-42 or later before updating ipa. This prevents the upgrade failure.