Chapter 4. Authentication and Interoperability
The ca.subsystem.certreq parameter is no longer reported missing
Previously, Identity Management (IdM) expected the ca.subsystem.certreq parameter to be defined in the CS.cfg public key infrastructure (PKI) configuration file. When starting the IdM server, an error occurred if ca.subsystem.certreq was missing. The error was not necessary because neither PKI nor IdM services use the parameter. To fix this problem, PKI code has been updated to ensure the parameter is only retrieved if it exists. (BZ#1313207)
The ipa-server-install utility no longer terminates unexpectedly due to unexpected comment lines in CS.cfg
An attempt to install an Identity Management server previously sometimes failed due to a problem with the pki-common package. The failure occurred because the CS.cfg certificate authority (CA) configuration file being parsed contained unexpected comment lines before the configuration settings. This problem has been fixed by making the parsing code ignore comment and blank lines. (BZ#1306989)
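The two CS.cfg fixes above both come down to how the key=value file is read: comment and blank lines must be skipped, and an optional parameter such as ca.subsystem.certreq must be looked up without raising an error when it is absent. The following is an added example that illustrates that parsing behaviour; it is not the pki-core Java code the notes describe, and the sample file contents, including the keys used, are constructed for the demonstration.

```python
"""Tolerant parser for a CS.cfg-style key=value configuration file.

Added example, not the pki-core code described in the release notes.
It demonstrates the two behaviours the fixes introduce: comment and
blank lines are ignored while parsing, and an optional parameter such
as ca.subsystem.certreq is only retrieved if it exists, instead of
producing an error when it is missing.
"""
from typing import Dict, Optional

# Constructed sample modelled on CS.cfg syntax (not a real CS.cfg).
# The comment and blank lines before the first setting are the kind of
# input that made the old parser fail.
SAMPLE_CS_CFG = """\
# CA configuration -- constructed sample

ca.subsystem.nickname=subsystemCert cert-pki-ca
ca.subsystem.tokenname=internal
# values may themselves contain '=', so only the first one splits key/value
ca.subsystem.dn=CN=CA Subsystem,O=EXAMPLE
# ca.subsystem.certreq is deliberately absent from this sample
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blank lines and '#' comments.

    A non-empty, non-comment line without '=' is reported with its line
    number rather than silently dropped, so a truly malformed file is
    still diagnosed instead of being half-read.
    """
    config: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the fix: comment and blank lines are ignored
        if "=" not in line:
            raise ValueError(f"CS.cfg line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")  # split on the first '=' only
        config[key.strip()] = value.strip()
    return config


def get_optional(config: Dict[str, str], name: str,
                 default: Optional[str] = None) -> Optional[str]:
    """Return a parameter only if it is defined; never an error if absent."""
    return config.get(name, default)


def get_required(config: Dict[str, str], name: str) -> str:
    """Return a parameter that must be present, with a clear error if not."""
    try:
        return config[name]
    except KeyError:
        raise KeyError(f"required parameter {name!r} missing from CS.cfg") from None


if __name__ == "__main__":
    cfg = parse_cs_cfg(SAMPLE_CS_CFG)
    print(sorted(cfg))
    print("certreq:", get_optional(cfg, "ca.subsystem.certreq", "<not set>"))
```

The split between get_optional and get_required is the point of the first fix: a parameter that no service uses belongs in the optional path, so its absence is not an error, while parameters the server genuinely needs still fail loudly with the key name in the message.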
Installing an IdM server no longer fails if Java 1.8 is installed
The Public Key Infrastructure (PKI) server, included in Identity Management (IdM), supports Java version 1.7 on Red Hat Enterprise Linux 6. The ipa-server-install installation script failed on systems where the java-1.8 package was installed and selected as the current system java using the alternatives utility. To fix this problem, the pki-core code has been updated to bypass alternatives on Red Hat Enterprise Linux 6 by forcing PKI servers to always run under OpenJDK version 1.7 regardless of the version of java selected using alternatives. (BZ#1290535)
Samba no longer denies access when sharing the root directory of the system
Previously, due to a missing path check, Samba denied access when sharing the root directory of the system by using the path = / setting in the /etc/samba/smb.conf file. With this update, Samba no longer incorrectly treats the / path as a symbolic link and does not incorrectly deny access in the described situation. (BZ#1305870)
Acquiring keytabs takes longer with SELinux after memory leaks have been fixed
Previously, SELinux support in the krb5 packages caused krb5 to leak memory. This bug has been fixed. Note that acquiring keytabs now takes longer than before when SELinux is in enforcing or permissive mode. (BZ#1311287)
sudo smart refresh updates no longer fail due to USN parsing errors
System Security Services Daemon (SSSD) did not correctly handle the format of the modifyTimestamp attribute of the OpenLDAP server. Consequently, smart refresh updates for the sudo utility did not work. After the user changed a sudo rule with SSSD running, the logs showed an error stating that SSSD was unable to parse the Update Sequence Number (USN) scheme. This update fixes the problem, and smart refresh updates now work in the described situation. (BZ#1312062)
SSSD stores sudo rules correctly when id_provider = ipa is set
Identity Management version 3.0 and earlier use a different format for the ipasudocmd distinguished name (DN). Consequently, the System Security Services Daemon (SSSD) service was unable to store sudo rules correctly when the id_provider option was set to ipa in the /etc/sssd/sssd.conf file. This update fixes the problem, and sudo rules now work as expected in the described situation. (BZ#1313940)
The user is prompted for smart card PIN as expected
Due to insufficient SELinux policy rules, the p11_child process, running in the sssd_t SELinux domain, was unable to manage the authentication cache and connect to Apache ports. Consequently, the system did not prompt the user for the smart card PIN. The SELinux policy rules, provided by the selinux-policy package, have been updated to allow this functionality. As a result, the user is prompted for the smart card PIN as expected in the described situation. (BZ#1299066)
Cloning a PKI server with an externally-signed CA certificate to Red Hat Enterprise Linux 7 no longer fails
Previously, when a Red Hat Enterprise Linux 6 public key infrastructure (PKI) server was installed with an externally-signed certificate authority (CA) certificate, the subsystem user was not created properly. Consequently, cloning to Red Hat Enterprise Linux 7 failed.
For new Red Hat Enterprise Linux 6 installations, the code has been fixed to create the subsystem user, add it to the subsystem group, and map the subsystem certificate to the user properly. For existing Red Hat Enterprise Linux 6 installations, the code has been modified to automatically restore the subsystem user to the correct configuration on restart.
As a result, cloning to Red Hat Enterprise Linux 7 now succeeds in the described situation. (BZ#1256039)
ypserv no longer fails if the domainname parameter is unset
Previously, the ypserv service failed to start when the domainname parameter was not set in the /etc/init.d/ypserv file. This update moves the check for domainname to the yppasswdd service, and in the described circumstances, ypserv now starts as expected. (BZ#456249)
yppasswd now correctly reports a failure of a user password change
Prior to this update, when the yppasswd service failed to change the password of a yppasswdd user, it still reported a success. A test has been added to yppasswdd that verifies whether the write operation was successful. As a result, if yppasswdd fails to change a user password, an error message is now logged about it. (BZ#747334)
ypserv now correctly reports a non-existent map
The ypserv service previously incorrectly returned an Internal NIS error error message when a NIS client asked for a non-existent map using the yp_first or yp_next system calls. Now, ypserv correctly returns the No such map in server's domain error message in this scenario. (BZ#988203)
mknetid no longer crashes when the passwd file contains empty lines or an unexpected format
Previously, using the mknetid utility on the passwd file with empty lines or an unexpected format in some cases caused mknetid to terminate unexpectedly. With this update, mknetid ignores the redundant elements in the passwd file, and no longer crashes in the situation described. (BZ#1071962)
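The fix above makes mknetid tolerate a passwd file that contains blank lines or lines that do not have the expected field layout. The following added example (not the ypserv mknetid source) shows the same defensive parsing on constructed passwd and group data: blank, short, comment-like and non-numeric lines are skipped instead of aborting the run, and the surviving entries are rendered in the netid.byname layout, which this example assumes to be `unix.UID@DOMAIN UID:GID,GID,...`.

```python
"""Tolerant passwd/group reader producing netid.byname-style entries.

Added example, not ypserv's mknetid source. It shows the behaviour the
fix describes: blank lines and lines that do not match the expected
format are skipped rather than crashing the run. The output layout
'unix.UID@DOMAIN UID:GID,GID,...' is assumed for the demonstration.
"""
from typing import Dict, List, Tuple

# Constructed sample input containing the problem cases: a blank line,
# a line with too few fields, and a non-numeric uid.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash

alice:x:1000:1000:Alice:/home/alice:/bin/bash
broken line without fields
bob:x:notanumber:1001:Bob:/home/bob:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""

# Constructed sample group file with the same kinds of bad lines.
SAMPLE_GROUP = """\
root:x:0:
users:x:100:alice,carol

wheel:x:10:alice
malformed
"""


def parse_passwd(text: str) -> List[Tuple[str, int, int]]:
    """Return (name, uid, gid) for every well-formed 7-field passwd line."""
    users: List[Tuple[str, int, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # empty or comment line: ignore, do not abort
        fields = line.split(":")
        if len(fields) != 7:
            continue  # unexpected format: skip the line
        name, _, uid, gid = fields[:4]
        if not (uid.isdigit() and gid.isdigit()):
            continue  # uid/gid must be numeric to build a netid entry
        users.append((name, int(uid), int(gid)))
    return users


def parse_group(text: str) -> Dict[str, List[int]]:
    """Map each member name to the gids of the groups listing it."""
    membership: Dict[str, List[int]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # malformed group line: skip
        gid = int(fields[2])
        for member in filter(None, fields[3].split(",")):
            membership.setdefault(member, []).append(gid)
    return membership


def make_netid(passwd_text: str, group_text: str, domain: str) -> Dict[str, str]:
    """Build netid.byname-style entries: 'unix.UID@DOMAIN' -> 'UID:GID,...'."""
    membership = parse_group(group_text)
    entries: Dict[str, str] = {}
    for name, uid, gid in parse_passwd(passwd_text):
        # primary gid first, then supplementary gids without repeating it
        gids = [gid] + [g for g in membership.get(name, []) if g != gid]
        entries[f"unix.{uid}@{domain}"] = f"{uid}:{','.join(map(str, gids))}"
    return entries


if __name__ == "__main__":
    for key, value in make_netid(SAMPLE_PASSWD, SAMPLE_GROUP, "example.com").items():
        print(key, value)
```

Skipping a malformed line rather than stopping is the right choice for a map builder, but in a real deployment the skipped lines should be logged, since a silently dropped user is itself a failure mode worth noticing.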
ypbind no longer restarts on every renewal of DHCP
Prior to this update, the ypbind service restarted on every renewal of the dynamic host configuration protocol (DHCP), which caused NIS lookups to be slower, and in some cases to time out. Now, ypbind restarts on a DHCP renewal only if any changes occurred on the NIS domain or the NIS server. As a result, NIS lookups are faster and experience fewer timeouts. (BZ#1238771)