sssd component, BZ#1081046
The accountExpires attribute that SSSD uses to see whether an account has expired is not replicated to the Global Catalog by default. As a result, users with expired accounts can be allowed to log in when using GSSAPI authentication. To work around this problem, the Global Catalog support can be disabled by specifying ad_enable_gc=False in the sssd.conf file. With this setting, users with expired accounts will be denied access when using GSSAPI authentication. Note that SSSD connects to each LDAP server individually in this scenario, which can increase the connection count.
ipa component, BZ#1004156
When DNS support is being added for an Identity Management server (for example, by using ipa-dns-install or by using the --setup-dns option with the ipa-server-install or ipa-replica-install commands), the script adds a host name of a new Identity Management DNS server to the list of name servers in the primary Identity Management DNS zone (via DNS NS record). However, it does not add the DNS name server record to other DNS zones served by the Identity Management servers. As a consequence, the list of name servers in the non-primary DNS zones has only a limited set of Identity Management name servers serving the DNS zone (only one, without user intervention). When the limited set of Identity Management name servers is not available, these DNS zones are not resolvable. To work around this problem, manually add new DNS name server records to all non-primary DNS zones when a new Identity Management replica is being added. Also, manually remove such DNS name server records when the replica is being decommissioned. Non-primary DNS zones can maintain higher availability by having a manually maintained set of Identity Management name servers serving them.
ipa component, BZ#971384
The default Unlock user accounts permission does not include the nsaccountlock attribute, which is necessary for a successful unlocking of a user entry. Consequently, a privileged user with this permission assigned cannot unlock another user, and errors like the following are displayed:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry 'uid=user,cn=users,cn=accounts,dc=example,dc=com'.
To work around this problem, add nsaccountlock to the list of allowed attributes in the aforementioned permission by running the following command:
~]# ipa permission-mod "Unlock user accounts" --attrs={krbLastAdminUnlock,krbLoginFailedCount,nsaccountlock}
As a result, users with the Unlock user accounts permission assigned can unlock other users.
ipa component, BZ#973195
There are multiple problems across different tools used in the Identity Management installation which prevent installation of user-provided certificates with an intermediate certificate authority (CA). One of the errors is that incorrect trust flags are assigned to the intermediate CA certificate when importing a PKCS#12 file. Consequently, the Identity Management server installer fails due to an incomplete trust chain that is returned for Identity Management services. There is no known workaround; certificates not issued by the embedded Certificate Authority must not contain an intermediate CA in their trust chain.
ipa component, BZ#988473
Access control to lightweight directory access protocol (LDAP) objects representing trust with Active Directory (AD) is given to the Trusted Admins group in Identity Management. In order to establish the trust, the Identity Management administrator should belong to a group which is a member of the "Trusted Admins" group, and this group should have relative identifier (RID) 512 assigned. To ensure this, run the ipa-adtrust-install command and then the ipa group-show admins --all command to verify that the "ipantsecurityidentifier" field contains a value ending with the "-512" string. If the field does not end with "-512", use the ipa group-mod admins --setattr=ipantsecurityidentifier=SID command, where SID is the value of the field from the ipa group-show admins --all command output with the last component value (-XXXX) replaced by the "-512" string.
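The following shell helpers are an added example, not part of the release notes or of the IPA project: they extract the ipantsecurityidentifier value from saved ipa group-show admins --all output, test whether its RID is already 512, and print (without running) the ipa group-mod command from the workaround with the last SID component replaced. The "attribute: value" line layout of the saved output and the sample SID are assumptions constructed for the example.

```shell
# Added example (not from the release notes): derive the SID with RID 512
# that the IPA "admins" group needs, starting from the value currently shown
# by "ipa group-show admins --all".

# Replace the last "-<RID>" component of a SID with "-512".
sid_with_rid_512() {
    printf '%s\n' "$1" | sed 's/-[0-9][0-9]*$/-512/'
}

# Return 0 (true) when the SID already ends in -512.
sid_has_rid_512() {
    case "$1" in
        *-512) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the ipantsecurityidentifier value from saved group-show output.
# Assumes the "attribute: value" line layout of the IPA CLI (assumption).
sid_from_group_show() {
    sed -n 's/^[[:space:]]*ipantsecurityidentifier:[[:space:]]*//p' "$1" | head -n 1
}

# Print the group-mod command that would fix the SID, without running it,
# or a comment when no change is needed.
fix_command_for() {
    sid="$1"
    if sid_has_rid_512 "$sid"; then
        echo "# admins already has RID 512: $sid"
    else
        echo "ipa group-mod admins --setattr=ipantsecurityidentifier=$(sid_with_rid_512 "$sid")"
    fi
}

# Constructed sample output (not from a real server): the group carries
# RID 1001 instead of 512, so the workaround applies.
SAMPLE_OUTPUT="${TMPDIR:-/tmp}/group-show.example.$$"
cat > "$SAMPLE_OUTPUT" <<'EOF'
  Group name: admins
  Description: Account administrators group
  GID: 1234000000
  ipantsecurityidentifier: S-1-5-21-1111111111-2222222222-3333333333-1001
EOF

SID=$(sid_from_group_show "$SAMPLE_OUTPUT")
fix_command_for "$SID"
```

On a real server, save the output of ipa group-show admins --all to a file, run sid_from_group_show on it and review the printed command before executing it; only the final RID component is changed, the domain part of the SID is kept.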
ipa component, BZ#1084018
Red Hat Enterprise Linux 7 contains an updated version of slapi-nis, a Directory Server plug-in, which allows users of Identity Management and the Active Directory service to authenticate on legacy clients. However, the slapi-nis component only enables identity and authentication services, but does not allow users to change their password. As a consequence, users logged in to legacy clients via the slapi-nis compatibility tree can change their password only via the Identity Management Server Self-Service Web UI page or directly in Active Directory.
ipa component, BZ#1060349
The ipa host-add command does not verify the existence of AAAA records. As a consequence, ipa host-add fails if no A record is available for the host, although an AAAA record exists. To work around this problem, run ipa host-add with the --force option.
ipa component, BZ#1081626
When an IPA master is uninstalled while SSL certificates for services other than IPA servers are tracked by the certmonger service, an unexpected error can occur, and the uninstallation fails. To work around this problem, start certmonger, and run the ipa-getcert command to list the tracked certificates. Then run the ipa-getcert stop-tracking -i <Request ID> command to stop certmonger from tracking the certificates, and run the IPA uninstall script again.
ipa component, BZ#1088683
The ipa-client-install command does not process the --preserve-sssd option correctly when generating the IPA domain configuration in the sssd.conf file. As a consequence, the original configuration of the IPA domain is overwritten. To work around this problem, review sssd.conf after running ipa-client-install to identify and manually fix any unwanted changes.
certmonger component, BZ#996581
The directory containing a private key or certificate can have an incorrect SELinux context. As a consequence, the ipa-getcert request -k command fails, and an unhelpful error message is displayed. To work around this problem, set the SELinux context on the directory containing the certificate and the key to cert_t. You can resubmit an existing certificate request by running the ipa-getcert resubmit -i <Request ID> command.
sssd component, BZ#1103249
Under certain circumstances, the algorithm in the Privilege Attribute Certificate (PAC) responder component of the System Security Services Daemon (SSSD) does not effectively handle users who are members of a large number of groups. As a consequence, logging in from Windows clients to Red Hat Enterprise Linux clients with Kerberos single sign-on (SSO) can be noticeably slow. There is currently no known workaround available.
ipa component, BZ#1033357
The ipactl restart command requires the directory server to be running. Consequently, if this condition is not met, ipactl restart fails with an error message. To work around this problem, use the ipactl start command to start the directory server before executing ipactl restart. Note that the ipactl status command can be used to verify if the directory server is running.
pki-core component, BZ#1085105
The certificate subsystem fails to install if the system language is set to Turkish. To work around this problem, set the system language to English by putting the following line in the /etc/sysconfig/i18n file:
LANG="en_US.UTF-8"
Also, remove any other "LANG=" entries in /etc/sysconfig/i18n, then reboot the system. After reboot, you can successfully run ipa-server-install, and the original contents of /etc/sysconfig/i18n may be restored.
ipa component, BZ#1020563
The ipa-server-install and ipa-replica-install commands replace the list of NTP servers in the /etc/ntp.conf file with Red Hat Enterprise Linux default servers. As a consequence, NTP servers configured before installing IPA are not contacted, and servers from rhel.pool.ntp.org are contacted instead. If those default servers are unreachable, the IPA server does not synchronize its time via NTP. To work around this problem, add any custom NTP servers to /etc/ntp.conf, and remove the default Red Hat Enterprise Linux servers if required. The configured servers are now used for time synchronization after restarting the NTP service by running the systemctl restart ntpd.service command.
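The following shell functions are an added example, not part of the release notes or of the IPA project: they carry out the ntp.conf workaround on a file given as an argument, dropping the rhel.pool.ntp.org server lines that the installer wrote and appending custom servers that are not already configured. The sample ntp.conf contents and the host names ntp1.corp.example.com and ntp2.corp.example.com are constructed for the example.

```shell
# Added example (not from the release notes): restore custom NTP servers in
# an ntp.conf-style file after ipa-server-install replaced them with the
# rhel.pool.ntp.org defaults. Operates on the file passed as $1.

# Remove "server ..." lines that point at the Red Hat default pool.
remove_default_ntp_servers() {
    conf="$1"; tmp="$conf.tmp.$$"
    # grep -v exits 1 when nothing is left, which is not an error here.
    grep -v '^[[:space:]]*server[[:space:]].*rhel\.pool\.ntp\.org' "$conf" > "$tmp" || true
    mv "$tmp" "$conf"
}

# Append "server <host> iburst" for each host not already configured.
add_ntp_servers() {
    conf="$1"; shift
    for host in "$@"; do
        if ! grep -Eq "^[[:space:]]*server[[:space:]]+$host([[:space:]]|$)" "$conf"; then
            printf 'server %s iburst\n' "$host" >> "$conf"
        fi
    done
}

# Print the hosts currently configured as servers, one per line.
configured_ntp_servers() {
    awk '$1 == "server" { print $2 }' "$1"
}

# Constructed sample file (not a real /etc/ntp.conf): what the installer
# leaves behind, with only the default pool servers.
SAMPLE_NTP_CONF="${TMPDIR:-/tmp}/ntp.conf.example.$$"
cat > "$SAMPLE_NTP_CONF" <<'EOF'
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
EOF

remove_default_ntp_servers "$SAMPLE_NTP_CONF"
add_ntp_servers "$SAMPLE_NTP_CONF" ntp1.corp.example.com ntp2.corp.example.com
configured_ntp_servers "$SAMPLE_NTP_CONF"
# On a real server, follow up with: systemctl restart ntpd.service
```

Run it on /etc/ntp.conf only after checking the result on a copy; the restart of ntpd.service from the release notes is still needed afterwards, and the other directives (driftfile, restrict) are left untouched.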
gnutls component, BZ#1084080
The gnutls utility fails to generate a non-encrypted private key when the user enters an empty password. To work around this problem, use the certtool command with the --password option as follows:
~]$ certtool --generate-privkey --pkcs8 --password "" --outfile pkcs8.key