Chapter 54. Authentication and Interoperability

sudo unexpectedly denies access when performing group lookups

This problem occurs on systems that meet all of these conditions:
  • A group name that is used in a sudoers rule is available through multiple Name Service Switch (NSS) sources, such as files or sss.
  • The NSS priority is set to local group definitions. This is true when the /etc/nsswitch.conf file includes the following line:
    sudoers: files sss
  • The sudo Defaults option named match_group_by_gid is set to true. This is the default value for the option.
Because of the NSS source priority, when the sudo utility tries to look up the GID of the specified group, sudo receives a result that describes only the local group definition. Therefore, if the user is a member of the remote group, but not the local group, the sudoers rule does not match, and sudo denies access.
To work around this problem, choose one of the following:
  • Explicitly disable the match_group_by_gid Defaults for sudoers. Open the /etc/sudoers file, and add this line:
    Defaults !match_group_by_gid
  • Configure NSS to prioritize the sss NSS source over files. Open the /etc/nsswitch.conf file, and make sure it lists sss before files:
    sudoers: sss files
This ensures that sudo permits access to users that belong to the remote group. (BZ#1293306)
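The following check for the three conditions listed above is an added example, not part of the original release note or of sudo or SSSD. The function names are hypothetical, the sample files are constructed, and the script inspects the sudoers: line of nsswitch.conf because that is the line the text names.

```shell
#!/bin/sh
# Added example: checks the three conditions above against copies of the files.

# Succeeds if the nsswitch.conf database line (default: the "sudoers:" line
# the text names) lists "files" before "sss".
nss_files_first() {
    awk -v db="${2:-sudoers}:" '
        $1 == db {
            f = 0; s = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !f) f = i
                if ($i == "sss" && !s) s = i
            }
            hit = (f && s && f < s)
        }
        END { exit !hit }' "$1"
}

# Succeeds unless a global Defaults line sets !match_group_by_gid (the option
# is on by default, per the text). Scoped Defaults entries are not examined.
gid_matching_enabled() {
    ! grep -Eq '^[[:space:]]*Defaults[[:space:]].*!match_group_by_gid' "$1"
}

# Prints each %group used in a sudoers rule that is also defined in the local
# group file; a same-named remote group would be hidden by the local entry.
shadowed_group_candidates() {
    grep -Ev '^[[:space:]]*(#|Defaults)' "$1" |
        grep -Eo '%[A-Za-z_][A-Za-z0-9_.-]*' | tr -d '%' | sort -u |
        while read -r g; do
            if awk -F: -v g="$g" '$1 == g { ok = 1 } END { exit !ok }' "$2"
            then echo "$g"; fi
        done
}

# Usage: sudo_group_lookup_affected NSSWITCH SUDOERS GROUPFILE
# Prints candidate groups; returns 0 only when all three conditions hold.
sudo_group_lookup_affected() {
    nss_files_first "$1" || return 1
    gid_matching_enabled "$2" || return 1
    cands=$(shadowed_group_candidates "$2" "$3")
    [ -n "$cands" ] && echo "$cands"
}

# Constructed sample files, not taken from a real host.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'passwd: files sss\nsudoers: files sss\n' > "$demo/nsswitch.conf"
printf 'Defaults env_reset\n%%admins ALL=(ALL) ALL\n' > "$demo/sudoers"
printf 'root:x:0:\nadmins:x:1001:alice\n' > "$demo/group"
sudo_group_lookup_affected "$demo/nsswitch.conf" "$demo/sudoers" "$demo/group"
```

To audit a real host, call sudo_group_lookup_affected as root with /etc/nsswitch.conf, /etc/sudoers and /etc/group; rules in files under /etc/sudoers.d are not read by this script.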

The KCM credential cache is not suitable for a large number of credentials in a single credential cache

If the credential cache contains too many credentials, Kerberos operations, such as klist, fail due to a hardcoded limit on the buffer used to transfer data between the sssd-kcm component and the sssd-secrets component.
To work around this problem, add the ccache_storage = memory option in the [kcm] section of the /etc/sssd/sssd.conf file. This instructs the kcm responder to store the credential caches only in memory, not persistently. Note that if you do this, restarting the system or sssd-kcm clears the credential caches. (BZ#1448094)

The sssd-secrets component crashes when it is under load

When the sssd-secrets component receives many requests, the situation triggers a bug in the Network Security Services (NSS) library that causes sssd-secrets to terminate unexpectedly. However, the systemd service restarts sssd-secrets for the next request, which means that the denial of service is only temporary. (BZ#1460689)

SSSD does not correctly handle multiple certificate matching rules with the same priority

If a given certificate matches multiple certificate matching rules with the same priority, the System Security Services Daemon (SSSD) uses only one of the rules. As a workaround, use a single certificate matching rule whose LDAP filter consists of the filters of the individual rules concatenated with the | (or) operator. For examples of certificate matching rules, see the sss-certmap(5) man page. (BZ#1447945)

SSSD can look up only unique certificates in ID overrides

When multiple ID overrides contain the same certificate, the System Security Services Daemon (SSSD) is unable to resolve queries for the users that match the certificate. An attempt to look up these users does not return any user. Note that looking up users by using their user name or UID works as expected. (BZ#1446101)

The ipa-advise command does not fully configure smart card authentication

The ipa-advise config-server-for-smart-card-auth and ipa-advise config-client-for-smart-card-auth commands do not fully configure the Identity Management (IdM) server and client for smart card authentication. As a consequence, after running the script that the ipa-advise command generated, smart card authentication fails. To work around the problem, see the manual steps for the individual use case in the Linux Domain Identity, Authentication, and Policy Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html (BZ#1455946)

The libwbclient library fails to connect to Samba shares hosted on Red Hat Enterprise Linux 7.4

The interface between Samba and the System Security Services Daemon's (SSSD) Winbind plug-in implementation changed. However, this change is missing in SSSD. As a consequence, systems that use the SSSD libwbclient library instead of the Winbind daemon fail to access shares provided by Samba running on Red Hat Enterprise Linux 7.4. There is no workaround available, and Red Hat recommends not upgrading to Red Hat Enterprise Linux 7.4 if you are using the libwbclient library without running the Winbind daemon. (BZ#1462769)

Certificate System subsystems experience communication problems with TLS_ECDHE_RSA_* ciphers and certain HSMs

When certain HSMs are used while TLS_ECDHE_RSA_* ciphers are enabled, subsystems experience communication problems. The issue occurs in the following scenarios:
  • When a CA has been installed and a second subsystem that is being installed tries to contact the CA as a security domain, the communication problem prevents the installation from succeeding.
  • While performing a certificate enrollment on the CA, when archival is required, the CA encounters the same communication problem with the KRA. This scenario can only occur if the offending ciphers were temporarily disabled for the installation.
To work around this problem, keep the TLS_ECDHE_RSA_* ciphers turned off if possible. Note that while the TLS_ECDHE_RSA_* ciphers provide added security through Perfect Forward Secrecy, each SSL session takes about three times longer to establish with them. Also, the default TLS_RSA_* ciphers are adequate for the Certificate System operations. (BZ#1256901)