Chapter 54. Authentication and Interoperability
sudo unexpectedly denies access when performing group lookups
This problem occurs on systems that meet all of these conditions:
- A group name used in a sudoers rule is defined in multiple Name Service Switch (NSS) sources, such as files and sss (that is, a local group and a remote group share the same name).
- The NSS priority is set to local group definitions. This is true when the /etc/nsswitch.conf file includes the following line:
sudoers: files sss
- The sudo Defaults option named match_group_by_gid is set to true. This is the default value for the option.
Because of the NSS source priority, when the sudo utility looks up the GID of the specified group, it receives a result that describes only the local group definition. Therefore, if the user is a member of the remote group but not of the local group, the sudoers rule does not match, and sudo denies access.
To work around this problem, choose one of the following:
- Explicitly disable the match_group_by_gid Defaults option for sudoers. Open the /etc/sudoers file (using visudo, which syntax-checks the file before saving it), and add this line:
Defaults !match_group_by_gid
- Configure NSS to prioritize the sss NSS source over files. Open the /etc/nsswitch.conf file, and make sure it lists sss before files:
sudoers: sss files
Either change ensures that sudo permits access to users that belong to the remote group. (BZ#1293306)
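The following POSIX shell script is an added example and is not part of the release note or of the sudo project. It checks the configuration conditions described above (the sudoers source order in nsswitch.conf and whether match_group_by_gid has been negated in sudoers) against copies of the files, and then shows that each of the two workarounds clears the verdict. The file paths are parameters, and the nsswitch.conf and sudoers contents it writes are constructed samples.

```shell
#!/bin/sh
# Added example, not Red Hat's or sudo's code: audit the three-condition
# combination from the release note on copies of nsswitch.conf and sudoers.

# Print the NSS source order configured for the "sudoers:" database,
# e.g. "files sss". Comment lines and trailing comments are ignored.
nss_sudoers_order() {
    sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" \
        | sed 's/#.*//; s/[[:space:]]*$//' | head -n 1
}

# Print "disabled" when some Defaults line negates match_group_by_gid,
# otherwise "enabled" (the note states that true is the default).
sudo_match_group_by_gid() {
    if grep -Eq '^[[:space:]]*Defaults[^#]*!match_group_by_gid' "$1"; then
        echo disabled
    else
        echo enabled
    fi
}

# $1 = nsswitch.conf, $2 = sudoers. Print "affected" when sss is used for
# sudoers but local files are consulted first AND match_group_by_gid is still
# enabled; otherwise print "not-affected". Always returns 0.
sudo_group_lookup_affected() {
    order=$(nss_sudoers_order "$1")
    first=${order%% *}
    case "$order" in
        *sss*) ;;                        # sss is one of the sudoers sources
        *) echo not-affected; return 0 ;; # sss not involved: note does not apply
    esac
    if [ "$first" = files ] && [ "$(sudo_match_group_by_gid "$2")" = enabled ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Write constructed sample files reproducing the affected setup into $1.
write_sudo_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
# constructed sample nsswitch.conf: local files win for sudoers lookups
passwd:     files sss
group:      files sss
sudoers:    files sss
EOF
    cat > "$1/sudoers" <<'EOF'
# constructed sample sudoers: %admins exists both locally and in the domain
%admins ALL=(ALL) ALL
EOF
}

# Stand-alone run: verdict before and after each workaround, on scratch copies.
tmp=$(mktemp -d)
write_sudo_samples "$tmp"
echo "baseline:                $(sudo_group_lookup_affected "$tmp/nsswitch.conf" "$tmp/sudoers")"
printf 'Defaults !match_group_by_gid\n' >> "$tmp/sudoers"          # workaround 1
echo "after Defaults change:   $(sudo_group_lookup_affected "$tmp/nsswitch.conf" "$tmp/sudoers")"
write_sudo_samples "$tmp"                                           # reset
printf 'sudoers:    sss files\n' > "$tmp/nsswitch.conf"             # workaround 2
echo "after nsswitch reorder:  $(sudo_group_lookup_affected "$tmp/nsswitch.conf" "$tmp/sudoers")"
rm -rf "$tmp"
```

To audit a real host, call sudo_group_lookup_affected /etc/nsswitch.conf /etc/sudoers; the script never edits the system files itself, and any change to /etc/sudoers should still go through visudo.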
The KCM credential cache is not suitable for a large number of credentials in a single credential cache
If a credential cache contains too many credentials, Kerberos operations such as klist fail because of a hardcoded limit on the buffer used to transfer data between the sssd-kcm component and the sssd-secrets component.
To work around this problem, add the ccache_storage = memory option to the [kcm] section of the /etc/sssd/sssd.conf file. This instructs the kcm responder to store credential caches only in memory, not persistently. Note that if you do this, restarting the system or the sssd-kcm service clears the credential caches. (BZ#1448094)
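The following POSIX shell script is an added example, not code from the release note or from SSSD. It applies the workaround to a copy of sssd.conf with awk: it adds ccache_storage = memory to the [kcm] section, creates that section when it is missing, and replaces any existing ccache_storage value instead of duplicating it. The sssd.conf content it writes is a constructed sample; the path is a parameter, so run it on a copy and diff the result against /etc/sssd/sssd.conf before installing it.

```shell
#!/bin/sh
# Added example, not Red Hat's or SSSD's code: set ccache_storage = memory in
# the [kcm] section of the sssd.conf file given as $1, editing it in place.
kcm_set_memory_storage() {
    awk '
    BEGIN { insec = 0; done = 0 }
    /^[[:space:]]*\[/ {
        # A new section starts. If we are leaving [kcm] without having
        # written the option, emit it at the end of that section first.
        if (insec && !done) { print "ccache_storage = memory"; done = 1 }
        insec = ($0 ~ /^[[:space:]]*\[kcm\][[:space:]]*$/)
    }
    insec && /^[[:space:]]*ccache_storage[[:space:]]*=/ {
        # Replace an existing value (e.g. the persistent default) once.
        if (!done) { print "ccache_storage = memory"; done = 1 }
        next
    }
    { print }
    END {
        if (!done) {
            if (!insec) print "\n[kcm]"     # no [kcm] section at all: create it
            print "ccache_storage = memory"
        }
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the ccache_storage value from the [kcm] section of $1, or "unset"
# when the option is absent (the note says the default is persistent storage).
kcm_ccache_storage() {
    awk -F= '
    /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[kcm\][[:space:]]*$/) }
    insec && $1 ~ /^[[:space:]]*ccache_storage[[:space:]]*$/ {
        gsub(/[[:space:]]/, "", $2); print $2; found = 1; exit
    }
    END { if (!found) print "unset" }' "$1"
}

# Write a constructed sample sssd.conf (with a [kcm] section) to $1.
write_kcm_sample() {
    cat > "$1" <<'EOF'
# constructed sample sssd.conf
[sssd]
services = nss, pam
domains = example.com

[kcm]
# kcm responder settings go here

[domain/example.com]
id_provider = ipa
EOF
}

# Stand-alone run: show the [kcm] section before and after on a scratch copy.
tmp=$(mktemp -d)
write_kcm_sample "$tmp/sssd.conf"
echo "before: ccache_storage=$(kcm_ccache_storage "$tmp/sssd.conf")"
kcm_set_memory_storage "$tmp/sssd.conf"
echo "after:  ccache_storage=$(kcm_ccache_storage "$tmp/sssd.conf")"
cat "$tmp/sssd.conf"
rm -rf "$tmp"
```

After installing the edited file, restart the sssd-kcm service so it reads the new setting; as the note says, that restart itself clears any existing credential caches, so users will need to obtain new tickets.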
The sssd-secrets component crashes when it is under load
When the sssd-secrets component receives many requests, it triggers a bug in the Network Security Services (NSS) cryptographic library that causes sssd-secrets to terminate unexpectedly. However, systemd restarts sssd-secrets on the next request, so the denial of service is only temporary. (BZ#1460689)
SSSD does not correctly handle multiple certificate matching rules with the same priority
If a given certificate matches multiple certificate matching rules with the same priority, the System Security Services Daemon (SSSD) uses only one of the rules. As a workaround, use a single certificate matching rule whose LDAP filter consists of the filters of the individual rules concatenated with the | (or) operator. For examples of certificate matching rules, see the sss-certmap(5) man page. (BZ#1447945)
SSSD can look up only unique certificates in ID overrides
When multiple ID overrides contain the same certificate, the System Security Services Daemon (SSSD) is unable to resolve queries for the users that match the certificate. An attempt to look up these users does not return any user. Note that looking up users by using their user name or UID works as expected. (BZ#1446101)
The ipa-advise command does not fully configure smart card authentication
The ipa-advise config-server-for-smart-card-auth and ipa-advise config-client-for-smart-card-auth commands do not fully configure the Identity Management (IdM) server and client for smart card authentication. As a consequence, after running the script that the ipa-advise command generated, smart card authentication fails. To work around the problem, follow the manual steps for the individual use case in the Linux Domain Identity, Authentication, and Policy Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html (BZ#1455946)
The libwbclient library fails to connect to Samba shares hosted on Red Hat Enterprise Linux 7.4
The interface between Samba and the Winbind plug-in implementation of the System Security Services Daemon (SSSD) changed, but SSSD does not yet include this change. As a consequence, systems that use the SSSD libwbclient library instead of the Winbind daemon fail to access shares provided by Samba running on Red Hat Enterprise Linux 7.4. There is no workaround available, and Red Hat recommends not upgrading to Red Hat Enterprise Linux 7.4 if you use the libwbclient library without running the Winbind daemon. (BZ#1462769)
Certificate System subsystems experience communication problems with TLS_ECDHE_RSA_* ciphers and certain HSMs
When certain HSMs are used while TLS_ECDHE_RSA_* ciphers are enabled, Certificate System subsystems experience communication problems. The issue occurs in the following scenarios:
- When a CA has been installed and a second subsystem is being installed and tries to contact the CA as a security domain, which prevents the installation from succeeding.
- While performing a certificate enrollment on the CA that requires key archival, the CA encounters the same communication problem with the KRA. This scenario can only occur if the offending ciphers were temporarily disabled for the installation.
To work around this problem, keep the TLS_ECDHE_RSA_* ciphers turned off if possible. Note that while the TLS_ECDHE_RSA_* ciphers provide added security through Perfect Forward Secrecy, each TLS session takes about three times longer to establish with them. The default TLS_RSA_* ciphers are adequate for Certificate System operations. (BZ#1256901)