SSSD 1.13.1


  • Initial support for Smart Card authentication was added. The feature can be activated with the new pam_cert_auth option
  • The PAM prompting was enhanced so that when Two-Factor Authentication is used, both factors (password and token) can be entered separately on separate prompts. At the same time, only the long-term password is cached, so offline access would still work using the long term password
  • A new command line tool sss_override is present in this release. The tools allows to override attributes on the SSSD side. It’s helpful in environment where e.g. some hosts need to have a different view of POSIX attributes than others. Please note that the overrides are stored in the cache as well, so removing the cache will also remove the overrides
  • New methods were added to the SSSD D-Bus interface. Notably support for looking up a user by certificate and looking up multiple users using a wildcard was added. Please see the interface introspection or the design pages for full details
  • Several enhancements to the dynamic DNS update code. Notably, clients that update multiple interfaces work better with this release
  • This release supports authenticating againt a KDC proxy
  • The fail over code was enhanced so that if a trusted domain is not reachable, only that domain will be marked as inactive but the backed would stay in online mode
  • Several fixes to the GPO access control code are present

Packaging Changes

  • The Smart Card authentication feature requires a helper process p11_child that needs to be marked as setgid if SSSD needs to be able to. Please note the p11_child requires the NSS crypto library at the moment
  • The sss_override tool was added along with its own manpage
  • The upstream RPM can now build on RHEL/CentOS 6.7

Documentation Changes

  • The config_file_version configuration option now defaults to 2. As an effect, this option doesn’t have to be set anymore unless the config file format is changed again by SSSD upstream
  • It is now possible to specify a comma-separated list of interfaces in the dyndns_iface option
  • The InfoPipe responder and the LDAP provider gained a new option wildcard_lookup that specifies an upper limit on the number of entries that can be returned with a wildcard lookup
  • A new option dyndns_server was added. This option allows to attempt a fallback DNS update against a specific DNS server. Please note this option only works as a fallback, the first attempt will always be performed against autodiscovered servers.
  • The PAM responder gained a new option ca_db that allows the storage of trusted CA certificates to be specified
  • The time the p11_child is allowed to operate can be specified using a new option p11_child_timeout

Tickets Fixed

[RFE] Support for smart cards
sssd: incorrect checks on length values during packet decoding
[RFE] Start the dynamic DNS update after the SSSD has been setup for the first time
Complain loudly if backend doesn’t start due to missing or invalid keytab
nested netgroups do not work in IPA provider
test dyndns failed.
Investigate using the krb5 responder for driving the PAM conversation with OTPs
Pass error messages via the extdom plugin
[RFE]Allow sssd to add a new option that would specify which server to update DNS with
RFE: Support multiple interfaces with the dyndns_iface option
RFE: Add support for wildcard-based cache updates
Add dualstack and multihomed support
Too much logging
TRACKER: Support one-way trusts for IPA
Re-check memcache after acquiring the lock in the client code
RFE: Support client-side overrides
Add index for ‘objectSIDString’ and maybe to other cache attributes
RFE: Don’t mark the main domain as offline if SSSD can’t connect to a subdomain
RFE: Detect re-established trusts in the IPA subdomain code
KDC proxy not working with SSSD krb5_use_kdcinfo enabled
Group members are not turned into ghost entries when the user is purged from the SSSD cache
sudoOrder not honored as expected
Default to config_file_version=2
GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode
GPO: Access denied due to using wrong sam_account_name
SSSDConfig: wrong return type returned on python3
krb5_child should always consider online state to allow use of MS-KKDC proxy
Logging messages from user point of view
[RFE] Provide interface for SSH to fetch user certificate
Initgroups memory cache does not work with fq names
Initgroups mmap cache needs update after db changes
well-known SID check is broken for NetBIOS prefixes
SSSD keytab validation check expects root ownership
IPA: returned unknown dp error code with disabled migration mode
Missing config options in gentoo init script
Could not resolve AD user from root domain
getgrgid for user’s UID on a trust client prevents getpw*
If AD site detection fails, not even ad_site override skipped
Do not send SSS_OTP if both factors were entered separately
searching SID by ID always checks all domains
Don’t use deprecated libraries (libsystemd-*)
sss_override: add import and export commands
Cannot build rpms from upstream spec file on rawhide
When certificate is added via user-add-cert, it cannot be looked up via org.freedesktop.sssd.infopipe.Users.FindByCertificate
memory cache can work intermittently
cleanup_groups should sanitize dn of groups
the PAM srv test often fails on RHEL-7
test_memory_cache failed in invalidation cache before stop
Fix crash in nss responder
Clear environment and set restrictive umask in p11_child
sss_override does not work correctly when ‘use_fully_qualified_names = True’
sss_override contains an extra parameter –debug but is not listed in the man page or in the arguments help
[RFE] sssd: better feedback form constraint password change
Test ‘test_id_cleanup_exp_group’ failed
sssd cannot resolve user names containing backslash with ldap provider
Make p11_child timeout configurable
Fix memory leak in GPO
sss_override : The local override user is not found
REGRESSION: Dyndns soes not update reverse DNS records
sss_override –name doesn’t work with RFC2307 and ghost users
unit tests do not link correctly on Debian
Memory leak / possible DoS with krb auth.
AD: Conditional jump or move depends on uninitialised value

Detailed Changelog

Jakub Hrozek (52):

  • Updating the version for 1.13.1 development
  • tests: Move N_ELEMENTS definition to tests/common.h
  • SYSDB: Add functions to look up multiple entries including name and custom filter
  • cache_req: Extend cache_req with wildcard lookups
  • UTIL: Add sss_filter_sanitize_ex
  • LDAP: Fetch users and groups using wildcards
  • LDAP: Add sdap_get_and_parse_generic_send
  • LDAP: Use sdap_get_and_parse_generic_/_recv
  • LDAP: Add sdap_lookup_type enum
  • LDAP: Add the wildcard_limit option
  • IFP: Add wildcard requests
  • Use NSCD path in execl()
  • KRB5: Use the right domain for case-sensitive flag
  • IPA: Better debugging
  • UTIL: Lower debug level in perform_checks()
  • IPA: Handle sssd-owned keytabs when running as root
  • IPA: Remove MPG groups if getgrgid was called before getpw()
  • LDAP: use ldb_binary_encode when printing attribute values
  • IPA: Change the default of ldap_user_certificate to userCertificate;binary
  • UTIL: Provide a common interface to safely create temporary files
  • IPA: Always re-fetch the keytab from the IPA server
  • DYNDNS: Add a new option dyndns_server
  • p11child: set restrictive umask and clear environment
  • KRB5: Use sss_unique file in krb5_child
  • KRB5: Use sss_unique_file when creating kdcinfo files
  • LDAP: Use sss_unique_filename in ldap_child
  • SSH: Use sss_unique_file_ex to create the known hosts file
  • SYSDB: Index the objectSIDString attribute
  • sbus: Initialize errno if constructing message fails and add debug messages
  • sbus: Add a special error code for messages sent by the bus itself
  • GPO: Use sss_unique_file and close fd on failure
  • SDAP: Remove unused function
  • KRB5: Don’t error out reading a minimal krb5.conf
  • UTIL: Convert domain->disabled into tri-state with domain states
  • DP: Provide a way to mark subdomain as disabled and auto-enable it later with offline_timeout
  • SDAP: Do not set is_offline if ignore_mark_offline is set
  • AD: Only ignore errors from SDAP lookups if there’s another connection to fallback to
  • KRB5: Offline operation with disabled domain
  • AD: Do not mark the whole back end as offline if subdomain lookup fails
  • AD: Set ignore_mark_offline=false when resolving AD root domain
  • IPA: Do not allow the AD lookup code to set backend as offline in server mode
  • BUILD: link dp tests with LDB directly to fix builds on Debian
  • LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains
  • tests: Move named_domain from test_utils to common test code
  • LDAP: Move sdap_create_search_base from ldap to sdap code
  • LDAP: Filter out multiple entries when searching overlapping domains
  • IPA: Change ipa_server_trust_add_send request to be reusable from ID code
  • FO: Add an API to reset all servers in a single service
  • FO: Also reset the server common data in addition to SRV
  • IPA: Retry fetching keytab if IPA user lookup fails
  • Updating translations for the 1.13.1 release

Lukas Slebodnik (49):

  • KRB5: Return right data provider error code
  • Update few debug messages
  • intg: Invalidate memory cache before removing files
  • SPEC: Update spec file for krb5_local_auth_plugin
  • SSSDConfig: Return correct types in python3
  • intg: Modernize ‘except’ clauses
  • mmap_cache: Rename variables
  • mmap_cache: “Override” functions for initgr mmap cache
  • mmap: Invalidate initgroups memory cache after any change
  • sss_client: Update integrity check of records in mmap cache
  • intg_test: Add module for simulation of utility id
  • intg_test: Add integration test for memory cache
  • NSS: Initgr memory cache should work with fq names
  • test_memory_cache: Add test for initgroups mc with fq names
  • SPEC: Workaround for build with rpm 4.13
  • KRB5: Do not try to remove missing ccache
  • test_memory_cache: Test mmap cache after initgroups
  • test_memory_cache: Test invalidation with sss_cache
  • krb5_utils-tests: Remove unused variables
  • sss_cache: Wait a while for invalidation of mc by nss responder
  • test_memory_cache: Fix few python issues
  • NSS: Fix use after free
  • NSS: Don’t ignore backslash in usernames with ldap provider
  • intg_tests: Add regression test for 2163
  • BUILD: Build as a dynamic library
  • BUILD: Speed up build of some tests
  • BUILD: Simplify build of simple_access_tests
  • CI: Set env variable for all tabs in screen
  • dyndns-tests: Simulate job in wrapped execv
  • AUTOMAKE: Disable portability warnings
  • tests: Use unique name for TEST_PATH
  • tests: Move test_dom_suite_setup to different module
  • test_ipa_subdomains_server: Use unique dorectory for keytabs
  • test_copy_keytab: Create keytabs in unique directory
  • test_ad_common: Use unique directory for keytabs
  • Revert “LDAP: end on ENOMEM”
  • Partially revert “LDAP: sanitize group name when used in filter”
  • LDAP: Sanitize group dn before using in filter
  • test_ldap_id_cleanup: Fix coding style issues
  • DYNDNS: Return right error code in case of failure
  • BUILD: Simplify build of test_data_provider_be
  • BUILD: Remove unused variable CHECK_OBJ
  • BUILD: Do not build as library
  • BUILD: Remove unused variable SSSD_UTIL_OBJ
  • CONFIGURE: Remove bashism
  • IFP: Suppress warning from static analyzer
  • BUILD: Link test_data_provider_be with -ldl
  • sysdb-tests: Use valid base64 encoded certificate for search
  • test_pam_srv: Run cert test only with NSS

Michal Židek (13):

  • DEBUG: Add new debug category for fail over.
  • pam: Incerease p11 child timeout
  • sdap_async: Use specific errmsg when available
  • TESTS: ldap_id_cleanup timeouts
  • sssd: incorrect checks on length values during packet decoding
  • CONFDB: Assume config file version 2 if missing
  • Add missing AM_CFLAGS
  • SYSDB: Add function to expire entry
  • cleanup task: Expire all memberof targets when removing user
  • CI: Add regression test for #2676
  • intg: Fix some PEP 8 violations
  • PAM: Make p11_child timeout configurable
  • tests: Set p11_child_timeout to 30 in tests

Nikolai Kondrashov (1):

  • TESTS: Add trailing whitespace test

Pavel Březina (18):

  • VIEWS TEST: add null-check
  • SYSDB: prepare for LOCAL view
  • TOOLS: add common command framework
  • TOOLS: add sss_override for local overrides
  • AD: Use ad_site also when site search fails
  • IFP: use default limit if provided is 0
  • sudo: use “higher value wins” when ordering rules
  • sss_override: print input name if unable to parse it
  • sss_override: support domains that require fqname
  • TOOLS: add sss_colondb API
  • sss_override: decompose code better
  • sss_override: support import and export
  • sss_override: document –debug options
  • sss_override: support fqn in override name
  • views: do not require overrideDN in grous when LOCAL view is set
  • views: fix two typos in debug messages
  • views: allow ghost members for LOCAL view
  • sss_override: remove -d from manpage

Pavel Reichl (23):

  • DYNDNS: sss_iface_addr_list_get return ENOENT
  • DYNDNS: support mult. interfaces for dyndns_iface opt
  • DYNDNS: special value ‘*’ for dyndns_iface option
  • TESTS: dyndns tests support AAAA addresses
  • DYNDNS: support for dualstack
  • TESTS: fix compiler warnings
  • IPA: Improve messages about failures
  • DYNDNS: Don’t use server cmd in nsupdate by default
  • DYNDNS: remove redundant talloc_steal()
  • DYNDNS: remove zone command
  • DYNDNS: rename field of sdap_dyndns_update_state
  • DYNDNS: remove code duplication
  • TESTS: UT for sss_iface_addr_list_as_str_list()
  • LDAP: sanitize group name when used in filter
  • LDAP: minor improvements in ldap id cleanup
  • TESTS: fix fail in test_id_cleanup_exp_group
  • LDAP: end on ENOMEM
  • AD: send less logs to syslog
  • Remove trailing whitespace
  • GPO: fix memory leak
  • DDNS: execute nsupdate for single update of PTR rec
  • AD: inicialize root_domain_attrs field

Petr Cech (6):

  • BUILD: Repair dependecies on deprecated libraries
  • TESTS: Removing part of responder_cache_req-tests
  • UTIL: Function 2string for enum sss_cli_command
  • UTIL: Fixing for util/sss_cli_cmd.h
  • DATA_PROVIDER: BE_REQ as string in log message
  • IPA PROVIDER: Resolve nested netgroup membership

Robin McCorkell (1):

  • man: List alternative schema defaults for LDAP AutoFS parameters

Stephen Gallagher (1):

  • AD: Handle cases where no GPOs apply

Sumit Bose (17):

  • test common: sss_dp_get_account_recv() fix assignment
  • nss_check_name_of_well_known_sid() improve name splitting
  • negcache: allow domain name for UID and GID
  • nss: use negative cache for sid-by-id requests
  • krb5: do not send SSS_OTP if two factors were used
  • utils: add NSS version of cert utils
  • Add NSS version of p11_child
  • pack_message_v3: allow empty name
  • authok: add support for Smart Card related authtokens
  • PAM: add certificate support to PAM (pre-)auth requests
  • pam_sss: add sc support
  • ssh: generate public keys from certificate
  • krb5 utils: add sss_krb5_realm_has_proxy()
  • krb5: do not create kdcinfo file if proxy configuration exists
  • krb5: assume online state if KDC proxy is configured
  • GPO: use SDAP_SASL_AUTHID as samAccountName
  • utils: make sss_krb5_get_primary() private

Thomas Oulevey (1):

  • Fix memory leak in sssdpac_verify()

Tyler Gates (1):

  • CONTRIB: Gentoo daemon startup options as declared in conf.d/sssd

Yuri Chornoivan (1):

  • Fix minor typos