SSSD 1.13.0


  • Support for separate prompts when using two-factor authentication was added
  • Added support for one-way trusts between an IPA and Active Directory environment. Please note that this SSSD functionality depends on IPA code that will be released in the IPA 4.2 version
  • The fast memory cache now also supports the initgroups operation.
  • The PAM responder is now capable of caching authentication for configurable period, which might reduce server load in cases where accounts authenticate very frequently. Please refer to the cached_auth_timeout option in the sssd.conf manual page.
  • The Active Directory provider has changed the default value of the ad_gpo_access_control option from permissive to enforcing. As a consequence, the GPO access control now affects all clients that set access_provider to ad. In order to restore the previous behaviour, set ad_gpo_access_control to permissive or use a different access_provider type.
  • Group Policy objects defined in a different AD domain that the computer object is defined in are now supported.
  • Credential caching and Offline authentication are also available when using two-factor authentication
  • Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users and groups are now exposed as first-class objects. The users and groups can also be marked as cached and would subsequently show up in the Introspection output
  • The DBus interface is now also able to look up User objects by certificate. This is a first part of work that will eventually allow smart-card authentication in SSSD.
  • The LDAP cleanup task is now disabled by default, unless enumeration is enabled. Please refer to the ldap_purge_cache_timeout option in case your environment requires the cleanup task
  • The Python bindings are now built for both Python2 and Python3
  • The LDAP bind timeout, StartTLS timeout and password change timeout are now configurable using the ldap_opt_timeout option

Packaging Changes

  • A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa subpackage. The SSSD stores keytabs for one-way trust relationships in this directory. Downstreams should make sure that the directory is only readable to the user who runs the SSSD service.
  • Several packaging changes are present in this release to support the Python3 bindings, notably new python-sss and python-sss-murmur subpackages are introduced in upstream RPM packaging
  • All python bindings now have a Python3 and a Python2 version in the upstream RPM packaging scheme
  • The OpenSSL development library such as openssl-devel on RHEL/Fedora or Debian/Ubuntu libssl-dev is now required to support certificate operations
  • A new internal library is present in this release.
  • The fast initgroups memcache is represented by a new file /var/lib/sss/mc/initgroups

Documentation Changes

  • The ad_gpo_access_control option default has changed from permissive to enforcing
  • The default value of ldap_purge_cache_timeout changed to 0, thus effectivelly disabling the cleanup task.
  • A new option cache_credentials_minimal_first_factor_length was added. This option sets constraints on the password length if One-Time passwords are used and credentials are to be cached. Please see the sssd.conf(5) man page for more details
  • The cached authentication is controlled by new option cached_auth_timeout. By default the cached authentication is disabled.

Tickets Fixed

sssd should pass -d to nsupdate when running with high log level
Make the LDAP bind operation timeout configurable
[RFE] Expose listing calls over D-BUS
nsupdate stderr is not captured
The cleanup task has no DEBUG statements
SBUS: Flush the UID cache when we receive NameOwnerChanged
[RFE] Implement object caching on the bus
IFP: support multiple interfaces for object
SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname’s domain
In ipa-ad trust, with ‘default_domain_suffix’ set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set
SSSD should be able to build python2 and python3 bindings in a one build
[RFE] Homedir is always overwritten with subdomain_homedir value in server mode
Does sssd-ad use the most suitable attribute for group name?
Add a way to lookup users based on CAC identity certificates
Make SSSD’s HBAC validation more permissive if deny rules are not used
[bug] sssd always appends default_domain_suffix when checking for host keys
Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all
id_provider=proxy with auth_provider=ldap does not work reliably
Sudo responder does not respect filter_users and filter_groups
Disable the cleanup task by default
RFE: Fetch keytabs for one-way trusts in IPA subdomain code
RFE: Change ad_id_ctx instantiation in the IPA subdomain code to support one-way trusts
[RFE] Support GPOs from different domain controllers
RFE: Change AD GPO default to enforcing
sssd with ldap backend throws error domain log
[RFE] authenticate against cache in SSSD
[RFE] Python 3 support
[RFE] The fast memory cache should cache initgroups
SSSD doesn’t re-read resolv.conf if the file doesn’t exist during boot
Kerberos-based providers other than krb5 do not queue requests

Detailed Changelog

Jakub Hrozek (73):

  • MAN: Fix a typo
  • SYSDB: Reduce code duplication in sysdb_gpo.c
  • UTIL: Make two child_common.c functions static
  • TESTS: Cover child_common.c with unit tests
  • LDAP: Use child_io_destructor instead of child_cleanup in a custom desctructor
  • UTIL: Remove child_cleanup
  • UTIL: Unify the fd_nonblocking implementation
  • RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
  • PAM: print the pam status as string, too
  • KRB5: More debugging for create_ccache()
  • SDAP: Make simple bind timeout configurable
  • SDAP: Make password change timeout configurable with ldap_opt_timeout
  • SDAP: Make StartTLS bind configurable with ldap_opt_timeout
  • SDAP: Decorate the sdap_op functions with DEBUG messages
  • IPA: Remove the ipa_hbac_treat_deny_as option
  • MAN: Clarify debug_level a bit
  • SSH: Ignore the default_domain_suffix
  • LDAP: Set sdap handle as explicitly connected in LDAP auth
  • tests: Revert strcmp condition
  • ncache: Fix sss_ncache_reset_permanent
  • ncache: Silence critical error from filter_users when default_domain_suffix is set
  • ncache: Add sss_ncache_reset_repopulate_permanent
  • responders: reset ncache after domains are discovered during startup
  • NSS: Reset negcache after checking domains
  • MAN: Clarify how are GPO mappings called in GPO editor
  • UTIL: Add a simple function to get the fd of debug_file
  • dyndns: Log nsupdate stderr with a high debug level
  • nsupdate: Append -d/-D to nsupdate with a high debug level
  • subdom: Remove unused function get_flat_name_from_subdomain_name
  • nss: Use negcache for getbysid requests
  • tests: Add NSS responder tests for bysid requests
  • LDAP: disable the cleanup task by default
  • TESTS: Use the right testcase
  • TESTS: Add test for get_next_domain
  • LDAP: Do not print verbose DEBUG messages from providers that don’t set UUID
  • SYSDB: Store trust direction for subdomains
  • UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
  • TESTS: Add a test for sysdb_subdomains.c
  • SYSDB: Add realm to sysdb_master_domain_add_info
  • SYSDB: Add a forest root attribute to sss_domain_info
  • IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
  • IPA: Check master domain record before subdomain records
  • IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
  • IPA: Also update master domain when initializing subdom handler
  • IPA: Move server-mode functions to a separate module
  • IPA: Split two functions to new module ipa_subdomains_utils.c
  • IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
  • IPA: Read forest name for trusted forest roots as well
  • IPA: Make constructing an IPA server mode context async
  • TESTS: Split off keytab creation into a common module
  • TESTS: Add a common mock_be_ctx function
  • TESTS: Add a common function to set up sdap_id_ctx
  • TESTS: Move krb5_try_kdcip to nested group test
  • TESTS: Add unit test for the subdomain_server.c module
  • IPA: Fetch keytab for 1way trusts
  • AD: Rename ad_set_ad_id_options to ad_set_sdap_options
  • AD: Rename ad_create_default_options to ad_create_2way_trust_options
  • AD: Split off ad_create_default_options
  • IPA/AD: Set up AD domain in ad_create_2way_trust_options
  • IPA: Do not set AD_KRB5_REALM twice
  • AD: Add ad_create_1way_trust_options
  • IPA: Utility function for setting up one-way trust context
  • LDAP: Do not set keytab through environment variable
  • LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
  • BUILD: Store keytabs in /var/lib/sss/keytabs
  • Updating the translations for the 1.13 Alpha release
  • Updating the version.m4 file for the 1.13 Beta release
  • tests: Reduce duplication with new function test_ev_done
  • KRB5: Add and use krb5_auth_queue_send to queue requests by default
  • PAM: Only cache first-factor
  • Updating the translations for the 1.13.0 release
  • Updating the version for the 1.13.0 release

John Dickerson (1):

  • MAN: Amend the description of ignore_group_members

Lukas Slebodnik (67):

  • MAN: Remove indentation in element programlistening
  • Fix warning: for loop has empty body
  • Bump version to track 1.13 development
  • SPEC: Use libnl3 for epel6
  • MAKE: Don’t include autoconf generated file to tarball
  • TESTS: Mock return value of sdap_get_generic_recv
  • test_nested_groups: Additional unit tests
  • Fix warning: equality comparison with extraneous parentheses
  • LDAP: Conditional jump depends on uninitialised value
  • BUILD: Remove unused libraries for
  • BUILD: Remove unused variables
  • BUILD: Remove detection of type Py_ssize_t
  • UTIL: Remove python wrapper sss_python_set_new
  • UTIL: Remove python wrapper sss_python_set_add
  • UTIL: Remove python wrapper sss_python_set_check
  • UTIL: Remove compatibility macro PyModule_AddIntMacro
  • UTIL: Remove python wrapper sss_python_unicode_from_string
  • BUILD: Use python-config for detection *FLAGS
  • SPEC: Use new convention for python packages
  • SPEC: Move python bindings to separate packages
  • BUILD: Add possibility to build python{2,3} bindings
  • TESTS: Run python tests with all supported python versions
  • SPEC: Replace python_ macros with python2_
  • SPEC: Build python3 bindings on available platforms
  • BUILD: Uninstall also symbolic links to python bindings
  • Remove unused argument from be_nsupdate_create_fwd_msg
  • IPA: Remove unused argument from ipa_id_get_group_uuids
  • Remove useless assignment to function parameter
  • PAC: Fix memory leak
  • responder_cache: Fix warning may be used uninitialized
  • debug-tests: Fix test with new line in debug message
  • BUILD: Add missing header file to tarball
  • pam_client: fix casting to const pointer
  • test_expire: Use right assertion macro for standard functions
  • test_ldap_auth: Use right assertion for integer comparison
  • test_resolv_fake: Fix alignment warning
  • PAC: Remove unused function
  • KRB5: Unify prototype and definition
  • util-tests: Initialize boolean variable to default value
  • SPEC: Drop workaround for old libtool
  • SPEC: Drop workarounds for old rpmbuild
  • SPEC: Remove unused option
  • SPEC: Few cosmetic changes
  • simple_access-tests: Simplify assertion
  • sysdb-tests: Add missing assertions
  • sysdb-tests: test return value before output arguments
  • ad_opts: Use different default attribute for group name
  • BUILD: Write hints about optional python bindings
  • sss_client: Fix mixed enums
  • LDAP: Remove dead assignment
  • sss_client: Fix warning “_” redefined
  • SSSDConfigTest: Use unique temporary directory
  • util-tests: Add validation of internal error messages
  • SDAP: Check return value before using output arguments
  • SDAP: Log failure from sysdb_handle_original_uuid
  • test_ipa_subdomains_server: Run clean-up after success
  • IFP: Fix warnings with enabled optimisation
  • SDAP: Remove user from cache for missing user in LDAP
  • test_ipa_subdom_server: Add missing assert
  • test_ipa_subdomains_server: Fix build with –coverage
  • nss: Store entries in responder to initgr mmap cache
  • mmap_cache: Invalidate entry in right memory cache
  • nss: Invalidate entry in initgr mmap cache
  • sss_client: Use initgr mmap cache in client code
  • sss_cache: Clear also initgroups fast cache
  • sss_client: Use unique lock for memory cache
  • sss_client: Re-check memcache after acquiring the lock

Michal Zidek (5):

  • Use FQDN if default domain was set
  • MAN: default_domain_suffix with use_fully_qualified_names.
  • views: Add is_default_view helper function
  • MONITOR: Poll for resolv.conf if not available during boot
  • MONITOR: Do not report missing file as fatal in monitor_config_file

Nikolai Kondrashov (3):

  • Add integration tests
  • BUILD: Fix variable substitution in cwrap.m4

Pavel Březina (53):

  • tests: refactor create_dom_test_ctx()
  • tests: add create_multidom_test_ctx()
  • tests: add test_multidom_suite_cleanup()
  • tests: remove code duplication in single domain cleanup
  • responders: new interface for cache request
  • responders: enable views in cache request
  • IFP: use new cache interface
  • server-tests: use strtouint32 instead strtol
  • sbus: add new iface via sbus_conn_register_iface()
  • sbus: move iface and object path code to separate file
  • sbus: use ‘path/*’ to represent a D-Bus fallback
  • sbus: support multiple interfaces on single path
  • sbus: add object path to sbus request
  • sbus: add sbus_opath_hash_lookup_supported()
  • sbus: support org.freedesktop.DBus.Introspectable
  • sbus: support org.freedesktop.DBus.Properties
  • sbus: unify naming of handler data variable
  • sbus: move common opath functions from ifp to sbus code
  • sbus: add sbus_opath_get_object_name()
  • ifp: fix potential memory leak in check_and_get_component_from_path()
  • sbus: use hard coded getters instead of generated
  • sbus: remove unused ‘reply as’ functions
  • IFP: move interface definitions from ifpsrv.c into separate file
  • IFP: unify generated interfaces names
  • sbus codegen: do not prefix getters with iface name
  • IFP: simplify object path constant names
  • sbus: add constant to represent subtree
  • be_refresh: get rid of callback pointers
  • sysdb: use sysdb_user/group_dn
  • cache_req tests: rename test_user to test_user_by_name
  • cache_req tests: define user name constant
  • cache_req: preparations for different input type
  • cache_req: add support for user by UID
  • cache_req: add support for group by name
  • cache_req: remove default branch from switches
  • cache_req: add support for group by id
  • cmocka: include mock_parse_inp in header file
  • cache_req: parse input name if needed
  • cache_req: return ERR_INTERNAL if more than one entry is found
  • sbus: provide custom error names
  • sbus: add sbus_opath_decompose[_exact]
  • sbus: add a{sas} get invoker
  • IFP: add org.freedesktop.sssd.infopipe.Users
  • IFP: add org.freedesktop.sssd.infopipe.Users.User
  • IFP: add org.freedesktop.sssd.infopipe.Groups
  • IFP: add org.freedesktop.sssd.infopipe.Groups.Group
  • IFP: deprecate GetUserAttr
  • IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
  • SBUS: Use default GetAll invoker if none is set
  • SBUS: Add support for <node /> in introspection
  • IFP: Export nodes
  • sbus: add support for incoming signals
  • sbus: listen to NameOwnerChanged

Pavel Reichl (20):

  • add missing ‘\n’ in debug messages
  • PROXY: add missing space in debug message
  • BUILD: fix chmake not to generate warning
  • SDAP: log expired accounts at lower severity level
  • KRB5: add debug hint
  • TESTS: test expiration
  • ldap: refactor check_pwexpire_kerberos to use util func
  • ldap: refactor nds_check_expired to use util func
  • Fix a few typos in comments
  • sbus: sbus_opath_hash_add_iface free tmp talloc ctx
  • krb5: remove field run_as_user
  • localauth plugin: fix coverity warning
  • dyndns: remove dupl declaration of ipa_dyndns_update
  • dyndns: don’t pass zone directive to nsupdate
  • dyndns: ipa_dyndns.h missed declaration of used data
  • krb: remove duplicit decl. of write_krb5info_file
  • IPA: Don’t override homedir with subdomain_homedir
  • sysdb: new attribute lastOnlineAuthWithCurrentToken
  • PAM: authenticate agains cache
  • Minor code improvements

Stephen Gallagher (5):

  • LDAP: Support returning referral information
  • AD GPO: Support processing referrals
  • AD GPO: Change default to “enforcing”
  • Add Vagrant configuration for SSSD
  • GPO: Fix incorrect strerror on GPO access denial

Sumit Bose (22):

  • Add leak check and command line option to test_authtok
  • utils: add sss_authtok_[gs]et_2fa
  • pam: handle 2FA authentication token in the responder
  • Add pre-auth request
  • krb5-child: add preauth and split 2fa token support
  • IPA: create preauth indicator file at startup
  • pam_sss: add pre-auth and 2fa support
  • Add cache_credentials_minimal_first_factor_length config option
  • sysdb: add sysdb_cache_password_ex()
  • krb5: save hash of the first authentication factor to the cache
  • krb5: try delayed online authentication only for single factor auth
  • 2FA offline auth
  • pam_sss: move message encoding into separate file
  • PAM: add PAM responder unit test
  • adding ldap_user_auth_type where missing
  • LDAP: add ldap_user_certificate option
  • certs: add PEM/DER conversion utilities
  • sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
  • LDAP/IPA: add user lookup by certificate
  • ncache: add calls for certificate based searches
  • utils: add get_last_x_chars()
  • IFP: add FindByCertificate method for User objects