Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 51. Authentication and Interoperability
Problem with importing a user certificate from CA over SSL
The
pki user-cert-add command provides an option to import a user certificate directly from CA. Due to incorrect client library initialization, when the command is executed over an SSL port, the command fails with the following error message:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
To work around this problem, download the certificate from CA into a file using the
pki cert-show command. Then, upload the certificate from the file using the pki user-cert-add command. With the workaround, the user certificate is added correctly. (BZ#1246635)
The IdM web UI displays all certificates on one page in the Certificates table
The Certificates table, available under the Authentication tab in the Identity Management (IdM) web UI, ignores the page size limit of 20 entries. When more than 20 certificates are available, the table displays all the certificates on one page, instead of only displaying 20 certificates per page. (BZ#1358836)
Security warning when using ipa-kra-install, ipa-ca-install, or ipa-replica-install
When using the
ipa-kra-install, ipa-ca-install, and ipa-replica-install utilities to install an additional key recovery authority (KRA) component, certificate authority, or replica, the following warning appears:
SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818.
SecurityWarning: Certificate has no `subjectAltName`,
falling back to check for a `commonName` for now.
This feature is being removed by major browsers and deprecated by RFC 2818.
The error occurs due to RFC 2818, which deprecates the practice of carrying the subject host name in the subject distinguished name (DN) common name (CN) field. However, the three utilities succeed. Therefore, you can ignore the warning message. (BZ#1358457)
pam_pkcs11 only supports one token
The PKCS#11 modules in the opensc and coolkey packages provide support for various types of smart cards. However the
pam_pkcs11 module only supports one of them at a time. As a consequence, you cannot use PKCS#15 and CAC tokens using the same configuration. To work around the problem, install one of the following:
- the opensc package for PKCS#15 and PIV support
- the coolkey package for CAC, Coolkey, and PIV support (BZ#1367919)
Using ipa-ca-install on an IdM replica fails when the Directory Server is not configured with LDAPS
Installing a certificate authority (CA) using the
ipa-ca-install utility on an Identity Management (IdM) replica fails when the Directory Server on the replica is not configured with LDAPS (using the TLS protocol over port 636). The attempt fails with this error:
[2/30]: configuring certificate server instance ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpsDHYbO' returned non-zero exit status 1 ...
[2/30]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA
instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpsDHYbO' returned non-zero exit status 1
...
Installing a replica in this situation is not possible. As a workaround, choose one of these options:
- Install the CA on the master server instead.
- Enable LDAPS on the replica manually before running
ipa-ca-install.
To manually enable LDAPS on the replica:
1. Export the server certificate from the
/etc/httpd/alias file:
pk12util -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -o temp.p12 -n 'ca1/replica'
$ pk12util -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -o temp.p12 -n 'ca1/replica'
Replace
ca1/replica with the nickname of your certificate.
2. Remove the trust chain from certificate, because it was already imported:
a. Extract the private key:
openssl pkcs12 -in temp.p12 -nocerts -nodes -out temp.key
$ openssl pkcs12 -in temp.p12 -nocerts -nodes -out temp.key
b. Extract the public key:
openssl pkcs12 -in temp.p12 -nokeys -clcerts -out temp.pem
$ openssl pkcs12 -in temp.p12 -nokeys -clcerts -out temp.pem
c. Create a PKCS#12 file without the CA certificate:
openssl pkcs12 -export -in temp.pem -inkey temp.key -out repl.p12 -name 'ca1/replica'
$ openssl pkcs12 -export -in temp.pem -inkey temp.key -out repl.p12 -name 'ca1/replica'
Replace
ca1/replica with the nickname of your certificate.
3. Import the created certificate into the Directory Server's NSSDB database:
pk12util -d /etc/dirsrv/slapd-EXAMPLE-COM -K '' -i repl.p12
$ pk12util -d /etc/dirsrv/slapd-EXAMPLE-COM -K '' -i repl.p12
4. Remove the temporary certificate files:
rm -f temp.p12 temp.key temp.pem repl.p12
$ rm -f temp.p12 temp.key temp.pem repl.p12
5. Create a file,
/tmp/enable_ssl.ldif, with the following contents:
6. Modify the LDAP configuration to enable SSL:
ldapmodify -H "ldap://localhost" -D "cn=directory manager" -f /tmp/enable_ssl.ldif -w dm_password
$ ldapmodify -H "ldap://localhost" -D "cn=directory manager" -f /tmp/enable_ssl.ldif -w dm_password
Replace
dm_password with your Directory Manager password.
7. Create a file,
/tmp/add_rsa.ldif, with the following contents:
Replace
ca1/replica with the nickname of your certificate.
8. Add the entry to the LDAP:
ldapadd -H "ldap://localhost" -D "cn=directory manager" -f /tmp/add_rsa.ldif -w dm_password
$ ldapadd -H "ldap://localhost" -D "cn=directory manager" -f /tmp/add_rsa.ldif -w dm_password
Replace
dm_password with your Directory Manager password.
9. Remove the temporary files:
rm -f /tmp/enable_ssl.ldif /tmp/add_rsa.ldif
$ rm -f /tmp/enable_ssl.ldif /tmp/add_rsa.ldif
10. Restart directory server:
systemctl restart dirsrv@EXAMPLE-COM.service
# systemctl restart dirsrv@EXAMPLE-COM.service
After following these steps, LDAPS is enabled, and you can successfuly run
ipa-ca-install on the replica. (BZ#1365858)
Third-party certificate trust flags are reset after installing an external CA into IdM
The
ipa-ca-install --external-ca command, used to install an external certificate authority (CA) into an existing Identity Management (IdM) domain, generates a certificate signing request (CSR) that the user must submit to the external CA.
When using a previously installed third-party certificate to sign the CSR, the third-party certificate trust flags in the NSS database are reset. Consequently, the certificate is no longer marked as trusted. In addition, checks performed by the
mod_nss module fail, and the httpd service fails to start. The CA installation fails with the following message in this situation:
CA failed to start after 300 seconds
CA failed to start after 300 seconds
As a workaround, after this message appears, reset the third-party certificate flags to their previous state and restart
httpd. For example, if the ca1 certificate previously had the C,, trust flags:
certutil -d /etc/httpd/alias -n 'ca1' -M -t C,, systemctl restart httpd.service
# certutil -d /etc/httpd/alias -n 'ca1' -M -t C,,
# systemctl restart httpd.service
This restores the system to the correct state. (BZ#1318616)
realmd fails to remove the computer account from AD
Red Hat Enterprise Linux uses Samba as default back end for Active Directory (AD) domain memberships. In this case, if you manually set a computer name using the
--computer-name option with the realm join command, the account cannot be removed from AD when you leave the domain. To work around this problem, do not use the --computer-name option and instead add the computer name to the /etc/realmd.conf file. For example:
[domain.example.com] computer-name = host_name
[domain.example.com]
computer-name = host_name
With the workaround, the host is successfully joined to the domain and the account is automatically removed if you leave the domain using the
realm leave --remove command. (BZ#1370457)
SSSD fails to manage autofs mappings from a LDAP tree
Previously, the System Security Services Daemon (SSSD) implemented incorrect default values for autofs mappings when using the
RFC2307 LDAP schema. A patch has been applied, which fixed the defaults to match the schema. However, users connecting to LDAP servers that contain mappings with the schema SSSD previously used, are not able to load the autofs attributes. Affected users see the following error reported in the /var/log/messages log file:
Your configuration uses the autofs provider with schema set to rfc2307 and default attribute mappings. The default map has changed in this release, please make sure the configuration matches the server attributes.
Your configuration uses the autofs provider with schema set to rfc2307 and default attribute mappings. The default map has changed in this release, please make sure the configuration matches the server attributes.
To work around this problem, modify the
/etc/sssd/sssd.conf file and set your domain to use the existing attribute mappings:
As a result, SSSD is able to load autofs mappings from the attributes. (BZ#1372814)
The dependency list for pkispawn does not include openssl
When the openssl package is not installed, using the
pkispawn utility fails with this error:
Installation failed: [Errno 2] No such file or directory
Installation failed: [Errno 2] No such file or directory
This problem occurs because the openssl package is not included as a runtime dependency of the pki-server package contained within the pki-core package. As a work around, install openssl before running
pkispawn. (BZ#1376488)
Enumerating a large number of users results in high CPU load and slows down other operations
When
enumerate=true is set in the etc/sssd/sssd.conf file and a large number of users (for example, 30,000 users) are present in the LDAP server, certain performance problems occur:
- the
sssd_beprocess consumes almost 99% of CPU resources - certain operations, such as logging in as a local user or logging out, take unexpectedly long to complete
- running the
ldbsearchoperation on thesysdbandtimestampcaches fails with an error reporting that the indexed and full searches both failed
Note that this is not a new known issue, as these problems occurred in previous releases of SSSD as well. (BZ#888739, BZ#1379774)
GDM fails to authenticate using a smart card
When using smart card authentication, the System Security Services Daemon's (SSSD) PAM responder does not verify if the login name is a Kerberos user principal name (UPN). As a consequence, the
gdm-password pluggable authentication module (PAM) shows the password prompt instead of the smart card PIN prompt when using a user principal name (UPN) as login name. As a result, smart card authenticating to the GNOME display manager (GDM) fails. (BZ#1389796)
The ipa passwd command fails when using uppercase or mixed case user names
Identity Management (IdM) 4.4.0 introduced unified handling of user principals in all commands. However, some commands were not fully converted. As a consequence, the
ipa passwd command fails when you use uppercase or mixed case letters in user names. To work around this issue, use only lower case letters in user names when using the ipa passwd command. (BZ#1375133)
The IdM web UI does not correctly recognize the status of a revoked certificate
The Identity Management (IdM) web UI is currently unable to determine whether a certificate has been revoked. As a consequence:
- The
Revokedsign is not displayed when viewing the certificate from the user, service, or host details page. - The
Revokeaction is still available from the details page. Attempting to revoke an already revoked certificate results in an error dialog. - The
Remove Holdbutton is always disabled even if the certificate has been revoked because of Certificate Hold (revocation reason 6). (BZ#1371479)
SSSD only applies values in sudoUser attributes from AD in lower case
Previously, when the System Security Services Daemon (SSSD) fetched
sudo rules from Active Directory (AD), the sudoUser attribute must have match the exact case of the samAccountName attribute of the user the rule was assigned to. Due to a regression in Red Hat Enterprise Linux 7.3, the sudoUser attribute now only matches lower case values. To work around this problem, rename sudoUser attribute values to lower case. With the workaround, sudo rules are applied correctly. (BZ#1380436)
Updating the ipa-client and ipa-admintools packages can fail
During the upgrade from Red Hat Enterprise Linux 7.2 to Red Hat Enterprise Linux 7.3, updating of the ipa-client and ipa-admintools packages can fail in some cases. To work around this problem, uninstall ipa-client and ipa-admintools prior to upgrading to Red Hat Enterprise Linux 7.3, and then install the new versions of these packages. (BZ#1390565)
Upgrading SSSD sometimes causes the sssd process to be terminated
When the
sssd process performs an action for an unexpectedly long time, an internal watchdog process terminates it. However, the sssd process does not start again. This problem usually occurs during an attempt to upgrade SSSD on a slow system if the SSSD database contains a large number of entries.
To work around this problem:
1. Make sure the central authentication server is available. This ensures that users will be able to authenticate after removing the SSSD cache in the next step.
2. Remove the SSSD cache using the
sss_cache utility before upgrading.
A fix for this known issue will be available with the next update. (BZ#1392441)
Directory Server fails due to bind-dyndb-ldap schema errors
The version of the
bind-dyndb-ldap LDAP schema included in Identity Management contains syntax errors and is missing a description of one attribute. If the user uses this version of the schema, the Directory Server component fails to start. Consequently, error messages are logged in the journal, informing the user about the incorrect syntax.
To work around this problem:
- Obtain a corrected schema file from the upstream
git.fedorahosted.orgrepository:wget https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/doc/schema.ldif?id=17711141882aca3847a5daba2292bcbcc471ec63 -O /usr/share/doc/bind-dyndb-ldap-10.0/schema.ldif
# wget https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/doc/schema.ldif?id=17711141882aca3847a5daba2292bcbcc471ec63 -O /usr/share/doc/bind-dyndb-ldap-10.0/schema.ldifCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Copy the corrected schema file into the Directory Server's instance configuration folder.
cp /usr/share/doc/bind-dyndb-ldap-10.0/schema.ldif /etc/dirsrv/slapd-[EXAMPLE-COM]/schema/[SCHEMA_FILE_NAME].ldif
# cp /usr/share/doc/bind-dyndb-ldap-10.0/schema.ldif /etc/dirsrv/slapd-[EXAMPLE-COM]/schema/[SCHEMA_FILE_NAME].ldifCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Restart Directory Server:
systemctl restart dirsrv.target
# systemctl restart dirsrv.targetCopy to Clipboard Copied! Toggle word wrap Toggle overflow
(BZ#1413805)
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}