Chapter 5. Authentication and Interoperability
SSSD Fully Supported Features
A number of features introduced in Red Hat Enterprise Linux 6.3 are now fully supported in Red Hat Enterprise Linux 6.4. Specifically:
- support for central management of SSH keys,
- SELinux user mapping,
- support for automount map caching.
New SSSD Cache Storage Type
Kerberos version 1.10 added a new cache storage type, DIR:, which allows Kerberos to maintain Ticket Granting Tickets (TGTs) for multiple Key Distribution Centers (KDCs) simultaneously and to select between them automatically when negotiating with Kerberos-aware resources. In Red Hat Enterprise Linux 6.4, SSSD has been enhanced to allow you to select the DIR: cache for users that are logging in via SSSD. This feature is introduced as a Technology Preview.
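The following shell script is an added example, not part of the release notes or of SSSD or MIT Kerberos. It inspects the on-disk layout of a DIR: credential cache collection so that an administrator can confirm that several TGTs are actually being kept side by side. It assumes the MIT krb5 1.10 layout: the collection is a directory containing one FILE:-format cache per file named tkt*, plus a file named primary whose content is the file name of the currently selected cache; a DIR:: prefix (double colon) names a single subsidiary cache inside the collection. The demo collection at the end is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the release notes): inspect an MIT Kerberos
# DIR: credential-cache collection without krb5 tools.
# Assumed layout (MIT krb5 1.10+): a directory holding one FILE:-format
# cache per file named tkt*, plus a file "primary" whose content is the
# file name of the selected cache ("tkt" when the file is absent).
# "DIR::/path/tktXXXX" (double colon) names one subsidiary cache.

# Print the collection directory for a DIR: or DIR:: cache name;
# fail for any other cache type (FILE:, KEYRING:, ...).
ccache_collection_dir() {
    case "$1" in
        DIR::*) dirname "${1#DIR::}" ;;
        DIR:*)  printf '%s\n' "${1#DIR:}" ;;
        *)      return 1 ;;
    esac
}

# Name of the primary cache file in a collection.
ccache_primary() {
    dir=$(ccache_collection_dir "$1") || return 1
    if [ -r "$dir/primary" ]; then
        # the file holds a single line: the cache file name
        sed -n '1p' "$dir/primary"
    else
        printf 'tkt\n'
    fi
}

# List every cache in the collection, one per line, marking the primary.
ccache_list() {
    dir=$(ccache_collection_dir "$1") || {
        printf 'not a DIR: cache: %s\n' "$1" >&2
        return 1
    }
    primary=$(ccache_primary "$1")
    for f in "$dir"/tkt*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ "$name" = "$primary" ]; then
            printf '%s (primary)\n' "$name"
        else
            printf '%s\n' "$name"
        fi
    done
}

# Number of caches in the collection: more than one means the
# collection really holds TGTs for more than one KDC.
ccache_count() {
    ccache_list "$1" | wc -l | tr -d ' '
}

# Demo on a constructed collection: empty files stand in for real
# FILE: caches, since only the directory layout is examined here.
demo_dir=$(mktemp -d)
: > "$demo_dir/tkt"
: > "$demo_dir/tktAbC123"
printf 'tktAbC123\n' > "$demo_dir/primary"
ccache_list "DIR:$demo_dir"
rm -rf "$demo_dir"
```

With a real collection, run it as `ccache_list "$KRB5CCNAME"` after SSSD has logged a user in; the equivalent view with the Kerberos tools is `klist -A`, and `kswitch -c` changes which cache the primary file points at.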
Adding AD-based Trusted Domains to external Groups
In Red Hat Enterprise Linux 6.4, the ipa group-add-member command allows you to add members of Active Directory-based trusted domains to groups marked as external in Identity Management. These members can be specified by name using domain-based or UPN-based syntax, for example AD\UserName or AD\GroupName, or User@AD.Domain. When specified in this form, members are resolved against the Global Catalog of the Active Directory-based trusted domain to obtain their Security Identifier (SID).
Alternatively, an SID value can be specified directly. In this case, the ipa group-add-member command only verifies that the domain part of the SID belongs to one of the trusted Active Directory domains; it makes no attempt to verify that the SID is valid within that domain.
It is recommended to specify external members by user or group name rather than by SID value.
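The following shell script is an added example and is not part of the release notes or of the ipa command. It classifies a member specifier into the three forms described above (DOMAIN\name, user@AD.Domain, or a raw SID) and mirrors the check the text attributes to ipa group-add-member for raw SIDs: only the domain part is compared against the trusted domains, so a mistyped RID still passes. The list of trusted domain SIDs is a constructed sample, as are the specifiers in the demo loop.

```shell
#!/bin/sh
# Added example (not from the release notes): classify the member
# specifiers accepted for external groups and show why name syntax is
# preferred over a raw SID. Trusted-domain SIDs below are constructed.

# Constructed sample: domain SIDs of the trusted AD domains, one per line.
TRUSTED_DOMAIN_SIDS='S-1-5-21-1111111111-2222222222-3333333333
S-1-5-21-4444444444-5555555555-6666666666'

# Print which documented form a specifier uses:
#   domain  -> DOMAIN\name        upn -> user@AD.Domain
#   sid     -> S-1-5-21-x-y-z-RID invalid -> anything else
classify_external_member() {
    case "$1" in
        S-1-5-21-[0-9]*-[0-9]*-[0-9]*-[0-9]*) printf 'sid\n' ;;
        *\\*)                                 printf 'domain\n' ;;
        *@*.*)                                printf 'upn\n' ;;
        *)                                    printf 'invalid\n' ;;
    esac
}

# Domain part of a SID: everything before the last hyphen (the RID).
sid_domain_part() {
    printf '%s\n' "${1%-*}"
}

# The check the page describes for a raw SID: accept it when its domain
# part is a trusted domain. The RID itself is never looked up, so a
# wrong RID is accepted as long as the domain part matches.
sid_domain_is_trusted() {
    dom=$(sid_domain_part "$1")
    printf '%s\n' "$TRUSTED_DOMAIN_SIDS" | grep -qxF -- "$dom"
}

# Validate one specifier: exit 0 for an acceptable member, 1 otherwise,
# printing a one-line verdict.
check_external_member() {
    kind=$(classify_external_member "$1")
    case "$kind" in
        domain|upn)
            printf '%s: %s syntax, resolved via Global Catalog (recommended)\n' "$1" "$kind"
            return 0 ;;
        sid)
            if sid_domain_is_trusted "$1"; then
                printf '%s: SID domain is trusted, RID not verified\n' "$1"
                return 0
            fi
            printf '%s: SID domain is not a trusted domain\n' "$1"
            return 1 ;;
        *)
            printf '%s: not a recognised member specifier\n' "$1"
            return 1 ;;
    esac
}

# Demo on constructed inputs covering each form described in the text.
for m in 'AD\UserName' 'AD\GroupName' 'User@AD.Domain' \
         'S-1-5-21-1111111111-2222222222-3333333333-1104' \
         'S-1-5-21-9999999999-9999999999-9999999999-500' 'bare-name'; do
    check_external_member "$m" || :
done
```

A domain SID without a RID (three sub-authorities only) is classified as invalid, since it names a domain rather than a user or group.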
Auto-renew Identity Management Subsystem Certificates
The default validity period for a new Certificate Authority is 10 years. The CA issues a number of certificates for its subsystems (OCSP, audit log, and others). Subsystem certificates are normally valid for 2 years. If the certificates expire, the CA does not start up or does not function properly. Therefore, in Red Hat Enterprise Linux 6.4, Identity Management servers are capable of automatically renewing their subsystem certificates. The subsystem certificates are tracked by certmonger, which automatically attempts to renew the certificates before they expire.
Automatic Configuration of OpenLDAP Client Tools on Clients Enrolled in Identity Management
In Red Hat Enterprise Linux 6.4, OpenLDAP is automatically configured with the default LDAP URI, a Base DN, and a TLS certificate during Identity Management client installation. This improves user experience when performing LDAP searches to Identity Management Directory Server.
PKCS#12 Support for python-nss
The python-nss package, which provides Python bindings for Network Security Services (NSS) and the Netscape Portable Runtime (NSPR), has been updated to add PKCS #12 support.
Full Persistent Search for DNS
LDAP in Red Hat Enterprise Linux 6.4 includes support for persistent search for both zones and their resource records. Persistent search allows the bind-dyndb-ldap plug-in to be immediately informed about all changes in an LDAP database. It also decreases network bandwidth usage required by repeated polling.
New CLEANALLRUV Operation
Obsolete elements in the Database Replica Update Vector (RUV) can be removed with the CLEANRUV operation, which removes them on a single supplier or master. Red Hat Enterprise Linux 6.4 adds a new CLEANALLRUV operation, which removes obsolete RUV data from all replicas and needs to be run on a single supplier/master only.
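The following shell script is an added example, not part of the release notes or of 389 Directory Server. It builds the LDIF for a CLEANALLRUV task entry and optionally submits it with ldapmodify to one supplier, which is all the operation needs. The task entry layout (cn=clean <rid>,cn=cleanallruv,cn=tasks,cn=config with the replica-base-dn, replica-id and replica-force-cleaning attributes) follows the 389 DS task documentation; the suffix, replica ID, host and bind DN are constructed sample values or assumptions.

```shell
#!/bin/sh
# Added example (not from the release notes): generate and submit a
# 389 Directory Server CLEANALLRUV task. Suffix, replica ID, host and
# bind DN are constructed values / assumptions.

# Usage: cleanallruv_ldif SUFFIX REPLICA_ID [yes|no]
# Prints the task entry; fails on a non-numeric replica ID or bad flag.
cleanallruv_ldif() {
    suffix=$1
    rid=$2
    force=${3:-no}
    case "$rid" in
        ''|*[!0-9]*)
            printf 'replica id must be numeric: %s\n' "$rid" >&2
            return 1 ;;
    esac
    case "$force" in
        yes|no) ;;
        *)
            printf 'force must be yes or no: %s\n' "$force" >&2
            return 1 ;;
    esac
    printf 'dn: cn=clean %s,cn=cleanallruv,cn=tasks,cn=config\n' "$rid"
    printf 'changetype: add\n'
    printf 'objectClass: extensibleObject\n'
    printf 'cn: clean %s\n' "$rid"
    printf 'replica-base-dn: %s\n' "$suffix"
    printf 'replica-id: %s\n' "$rid"
    # "yes" makes the task finish without waiting for every replica to
    # acknowledge the cleaning; keep "no" unless a replica is unreachable
    # for good, otherwise the stale RUV element can come back.
    printf 'replica-force-cleaning: %s\n' "$force"
}

# Submit the task to ONE supplier only; the task itself propagates the
# cleaning to every replica. Host and bind DN are assumptions.
run_cleanallruv() {
    cleanallruv_ldif "$1" "$2" "${3:-no}" |
        ldapmodify -x -H "ldap://${LDAP_HOST:-localhost}" \
            -D 'cn=Directory Manager' -W
}

# The candidate replica IDs come from the suffix's RUV entry, readable
# with (same assumed host and bind DN):
#   ldapsearch -x -H ldap://localhost -D 'cn=Directory Manager' -W \
#     -b 'dc=example,dc=com' \
#     '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' \
#     nsds50ruv
# Every "{replica <rid> ...}" value whose server no longer exists is
# an obsolete element to clean.

# Demo: print the task entry for a constructed suffix and replica ID 7.
cleanallruv_ldif 'dc=example,dc=com' 7
```

Run `run_cleanallruv 'dc=example,dc=com' 7` against a single master; running it on every replica, as CLEANRUV required, is unnecessary and only creates duplicate tasks.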
samba4 Libraries Updated
The samba4 libraries (provided by the samba4-libs package) have been upgraded to the latest upstream version to improve interoperability with Active Directory (AD) domains. SSSD now uses the libndr-krb5pac library to parse the Privilege Attribute Certificate (PAC) issued by an AD Key Distribution Center (KDC). Additionally, various improvements have been made to the Local Security Authority (LSA) and Net Logon services to allow verification of trust from a Windows system. For information on the introduction of Cross Realm Kerberos Trust functionality, which depends on samba4 packages, refer to the section called “Cross Realm Kerberos Trust Functionality in Identity Management”.
Warning
If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat Enterprise Linux 6.4 and you have Samba in use, make sure to uninstall the samba4 package to avoid conflicts during the upgrade.
Because the Cross Realm Kerberos Trust functionality is considered a Technology Preview, selected samba4 components are considered to be a Technology Preview. For more information on which Samba packages are considered a Technology Preview, refer to Table 5.1, “Samba4 Package Support”.
Table 5.1. Samba4 Package Support
Package Name | New Package in 6.4? | Support Status |
---|---|---|
samba4-libs | No | Technology Preview, except functionality required by OpenChange |
samba4-pidl | No | Technology Preview, except functionality required by OpenChange |
samba4 | No | Technology Preview |
samba4-client | Yes | Technology Preview |
samba4-common | Yes | Technology Preview |
samba4-python | Yes | Technology Preview |
samba4-winbind | Yes | Technology Preview |
samba4-dc | Yes | Technology Preview |
samba4-dc-libs | Yes | Technology Preview |
samba4-swat | Yes | Technology Preview |
samba4-test | Yes | Technology Preview |
samba4-winbind-clients | Yes | Technology Preview |
samba4-winbind-krb5-locator | Yes | Technology Preview |
Cross Realm Kerberos Trust Functionality in Identity Management
The Cross Realm Kerberos Trust functionality provided by Identity Management is included as a Technology Preview. This feature allows you to create a trust relationship between an Identity Management domain and an Active Directory domain. This means that users from the AD domain can access resources and services in the Identity Management domain with their AD credentials. No data needs to be synchronized between the Identity Management and AD domain controllers; AD users are always authenticated against the AD domain controller, and information about users is looked up without the need for synchronization.
This feature is provided by the optional ipa-server-trust-ad package. This package depends on features which are only available in samba4. Because the samba4-* packages conflict with the corresponding samba-* packages, all samba-* packages must be removed before ipa-server-trust-ad can be installed.
When the ipa-server-trust-ad package is installed, the ipa-adtrust-install command must be run on all Identity Management servers and replicas to enable Identity Management to handle trusts. When this is done, a trust can be established on the command line using the ipa trust-add command or in the WebUI. For more information, refer to the section Integrating with Active Directory Through Cross-Realm Kerberos Trusts in the Identity Management Guide on https://access.redhat.com/site/documentation/Red_Hat_Enterprise_Linux/.
POSIX Schema Support for 389 Directory Server
Windows Active Directory (AD) supports the POSIX schema (RFC 2307 and 2307bis) for user and group entries. In many cases, AD is used as the authoritative source of user and group data, including POSIX attributes. With Red Hat Enterprise Linux 6.4, Directory Server Windows Sync no longer ignores these attributes. Users are now able to synchronize POSIX attributes with Windows Sync between AD and 389 Directory Server.
Note
When adding new user and group entries to the Directory Server, the POSIX attributes are not synced to AD. Adding new user and group entries to AD will synchronize to the Directory Server, and modifying attributes will synchronize them both ways.