Chapter 20. Authentication and Interoperability
Do not use SELinux in enforcing mode when sharing the root directory
Samba requires a shared directory to be labeled samba_share_t when SELinux is in enforcing mode. However, when the whole root directory of the system is shared by using the path = / setting in the /etc/samba/smb.conf file, labeling the root directory as samba_share_t causes critical system malfunctions. Red Hat strongly discourages users from labeling the root directory with the samba_share_t label. Therefore, do not use SELinux in enforcing mode when sharing the root directory using Samba. (BZ#1320172)
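The following script is an added example and is not part of the Red Hat release notes or of Samba: it audits an smb.conf for shares that export the whole root directory (path = /), which must never carry samba_share_t, and prints the semanage/restorecon commands that label every other share path persistently. The share names, paths and the sample smb.conf are constructed for the example; the usual practice is to share a dedicated directory such as /srv/samba/... rather than /.

```shell
#!/bin/sh
# Added example (not code from the Red Hat release notes): audit an smb.conf
# for shares that export the whole root directory (path = /), which must not
# be labeled samba_share_t, and print the labeling commands for every other
# share path. The share names and paths below are constructed sample data.

# audit_smb_shares FILE
# Prints one line per non-[global] section that defines a path:
#   ROOT_SHARE <share>        path is / : do not label it, do not run enforcing
#   LABEL <share> <path>      a dedicated directory that can carry samba_share_t
audit_smb_shares() {
    awk '
        function flush() {
            if (section != "" && tolower(section) != "global") {
                if (path == "/")       print "ROOT_SHARE " section
                else if (path != "")   print "LABEL " section " " path
            }
            section = ""; path = ""
        }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                     # [share] header
            flush()
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            section = s
            next
        }
        /^[ \t]*(path|directory)[ \t]*=/ {           # "directory" is a synonym for "path"
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            gsub(/"/, "", v)
            path = v
        }
        END { flush() }
    ' "$1"
}

# has_root_share FILE -> exit status 0 when some share exports /
has_root_share() {
    audit_smb_shares "$1" | grep -q '^ROOT_SHARE '
}

# samba_label_commands PATH
# Prints the two commands that label a dedicated share directory persistently:
# semanage records the file-context rule, restorecon applies it to the tree.
samba_label_commands() {
    printf 'semanage fcontext -a -t samba_share_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# Constructed sample configuration (not a real system's smb.conf); the file is
# left in place so it can be inspected after the run.
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user

; constructed sample: a dedicated share directory (safe to label)
[projects]
   path = /srv/samba/projects
   read only = no

# constructed sample: the whole-root share described in BZ#1320172
[rootfs]
   comment = entire system
   path = /
EOF

if has_root_share "$SAMPLE_SMB_CONF"; then
    echo "WARNING: a share exports /; do not label / as samba_share_t (BZ#1320172)"
fi
# Emit labeling commands only for dedicated share directories.
audit_smb_shares "$SAMPLE_SMB_CONF" | while read -r kind share path; do
    if [ "$kind" = LABEL ]; then
        echo "# share [$share]:"
        samba_label_commands "$path"
    fi
done
```

The script only prints the semanage and restorecon commands; run them as root on the real share directories, and check getenforce before deciding whether a root share is acceptable at all.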
SSSD does not support the LDAP externalUser attribute
The System Security Services Daemon (SSSD) service is missing support for the externalUser LDAP attribute of the Identity Management (IdM) schema. As a consequence, assigning sudo rules to local accounts, such as accounts defined in the /etc/passwd file, fails. The problem affects only accounts outside of the IdM domains and Active Directory (AD) trusted domains.
To work around this problem, set the LDAP sudo search base in the [domain] section of the /etc/sssd/sssd.conf file as follows:
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
This enables SSSD to resolve users defined in externalUser. (BZ#1321884)
SSSD incorrectly creates local overrides in an AD environment
The sss_override tool creates case-insensitive distinguished names (DNs) when the id_provider option is set to ad in the /etc/sssd/sssd.conf file. However, the DNs in the SSSD cache are stored case-sensitively. As a consequence, local overrides are not created for users from the Active Directory (AD) subdomain or for users with mixed-case account names. (BZ#1327272)
sssd_be does not terminate forked child processes
When the id_provider option is set to ad in the /etc/sssd/sssd.conf file, a helper process inside the sssd_be process sometimes fails. As a consequence, sssd_be keeps spawning new sssd_be instances, which consume additional memory. To work around this problem, install the adcli package and restart the sssd daemon. (BZ#1336453)
SSSD fails to manage sudo rules from the IdM LDAP tree
The System Security Services Daemon (SSSD) currently uses the IdM LDAP tree by default. As a consequence, it is not possible to assign sudo rules to non-POSIX groups. To work around this problem, modify the /etc/sssd/sssd.conf file so that your domain uses the compat tree again:
[domain/EXAMPLE]
...
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
As a result, SSSD loads sudo rules from the compat tree and you can assign rules to non-POSIX groups.
Note that Red Hat recommends configuring groups referenced in sudo rules as POSIX groups.
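Both the externalUser workaround (BZ#1321884) and the compat-tree workaround above come down to the same edit: adding ldap_sudo_search_base to one [domain/...] section of sssd.conf without disturbing other domains. The script below is an added example, not code from the Red Hat release notes or from SSSD; it applies that edit idempotently and reads the setting back. The domain names, the IdM server name and the search-base DN are constructed sample values, and the sample sssd.conf is written to a temporary file rather than /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example (not code from the Red Hat release notes or SSSD): apply the
# ldap_sudo_search_base workaround to one [domain/...] section of sssd.conf
# without touching other domains, and read the setting back. The domain
# names, server name and DNs below are constructed sample data.

# set_sssd_option FILE SECTION KEY VALUE
# Replaces KEY inside [SECTION] (first occurrence kept, duplicates dropped),
# appends it if the section lacks it, or creates the section at the end.
set_sssd_option() {
    tmp=$(mktemp)
    awk -v sec="$2" -v key="$3" -v val="$4" '
        function emit_if_pending() {
            if (in_sec && !done) { print key " = " val; done = 1 }
        }
        /^[ \t]*\[.*\][ \t]*$/ {                     # section header
            emit_if_pending()                        # leaving the target section
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            in_sec = (s == sec)
            print; next
        }
        in_sec && $0 ~ "^[ \t]*" key "[ \t]*=" {     # existing KEY line in target
            if (!done) { print key " = " val; done = 1 }
            next
        }
        { print }
        END {
            emit_if_pending()
            if (!done) { print ""; print "[" sec "]"; print key " = " val }
        }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_sssd_option FILE SECTION KEY -> prints the value, or nothing if unset
get_sssd_option() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[.*\][ \t]*$/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s)
            in_sec = (s == sec); next
        }
        in_sec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }
    ' "$1"
}

# Constructed sample sssd.conf with an IdM domain and an AD domain
# (example.com, other.com and ipa.example.com are made up for this example).
SAMPLE_SSSD_CONF=$(mktemp)
cat > "$SAMPLE_SSSD_CONF" <<'EOF'
[sssd]
services = nss, pam, sudo
domains = example.com, other.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com

[domain/other.com]
id_provider = ad
ad_domain = other.com
EOF

# Point only the IdM domain at the compat tree; the AD domain is left alone.
set_sssd_option "$SAMPLE_SSSD_CONF" domain/example.com \
    ldap_sudo_search_base "ou=sudoers,dc=example,dc=com"

# On a real system, restart sssd afterwards and drop cached sudo rules,
# for example with "systemctl restart sssd" and "sss_cache -E" (not run here).
cat "$SAMPLE_SSSD_CONF"
```

The awk program scopes the key to the requested section header, so running it twice does not produce duplicate ldap_sudo_search_base lines and other domains keep their own settings; verify the effect on a real host with sudo -l for a user the rule should match.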
The HP keyboard KUS1206 does not handle smart cards correctly and can become unresponsive
When using the HP keyboard KUS1206 with a built-in smart card reader, you might experience the following problems:
- The keyboard detects smart cards inconsistently.
- When the user logs in to the system with a password and no smart card is inserted, the following message appears continuously in the /var/log/messages file:
  pcscd: commands.c:957:CmdGetSlotStatus Card absent or mute
- The keyboard sometimes becomes unresponsive.