Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
Chapter 3. Authentication and Interoperability
SSSD now enables the administrator to select which domains from the AD forest can be contacted
In some environments, only a subset of domains in a joined Active Directory (AD) forest can be reached. Attempting to contact an unreachable domain might cause unwanted timeouts or switch the System Security Services Daemon (SSSD) to offline mode.
To prevent this, the administrator can now configure a list of domains to which SSSD connects by setting the
ad_enabled_domains option in the /etc/sssd/sssd.conf/ file. For details, see the sssd-ad(5) man page. (BZ#1324428)
SSSD now enables selecting a list of PAM services that will not receive any environmental variables from pam_sss
In some cases, it is not desirable to propagate environment variables set by the
pam_sss Pluggable Authentication Module (PAM). For example, when using the sudo -i command, users might want to transfer the KRB5CCNAME variable of the original user to the target environment.
Previously, when a non-privileged user executed the
sudo -i command to become another non-privileged user, the new non-privileged user did not have the permissions to read the Kerberos credentials cache that KRB5CCNAME pointed to.
For this use case, this update adds a new option named
pam_response_filter. Using pam_response_filter, the administrator can list PAM services (such as sudo-i) that do not receive any environmental variables (such as KRB5CCNAME) during login. Now, if pam_response_filter lists sudo-i, a user can switch from one non-privileged user to another without KRB5CCNAME being set in the target environment. (BZ#1329378)
IdM servers can now be configured to require TLS 1.2 or better
Version 1.2 of the Transport Layer Security (TLS) protocol is considered significantly more secure than previous versions. This update enables you to configure your Identity Management (IdM) server to forbid communication using protocols that are less secure than
TLS 1.2.
For details, see the following Red Hat Knowledgebase article: https://access.redhat.com/articles/2801181. (BZ#1367026)
pam_faillock can be now configured with unlock_time=never
The
pam_faillock module now allows specifying using the unlock_time=never option that the user authentication lock caused by multiple authentication failures should never expire. (BZ#1404832)
The libkadm5* libraries have been moved to the libkadm5 package
In Red Hat Enterprise Linux 6.9, the
libkadm5* libraries have been moved from the krb5-libs to the new libkadm5 package. As a consequence, yum is not able to downgrade the krb5-libs package automatically. Before downgrading, remove the libkadm5 package manually:
# rpm -e --nodeps libkadm5
After you have manually removed the package, use the
yum downgrade command to downgrade the krb5-libs package to a previous version. (BZ#1351284)
