SSSD 1.13.2


  • This is primarily a bugfix release, with minor features added to the local overrides feature
  • The sss_override tool gained new user-show, user-find, group-show and group-find commands
  • The PAM responder was crashing if PAM_USER was set to an empty string. This bug was fixed
  • The sssd_be process could crash when looking up groups in setups with IPA-AD trusts that use POSIX attributes but do not replicate them to the Global Catalog
  • A socket leak in case SSSD couldn’t establish a connection to an LDAP server was fixed
  • SSSD’s memory cache now behaves better when used by long-running applications such as system daemons and the administrator invalidates the cache
  • The SSSDConfig Python API no longer throws an exception when config_file_version is missing
  • The InfoPipe D-Bus interface is able to retrieve user groups correctly if the user is a member of non-POSIX groups like ipausers as well
  • Lookups by certificate now work correctly in multi-domain environment
  • The lookup of POSIX attributes after startup was relaxed to only check attribute presence, not validity. The POSIX check was also made less verbose.
  • A bug when looking up a subdomain user by UPN users was fixed

Packaging Changes

  • The memory cache for initgroups results was previously not packaged. This bug was fixed.
  • Python 2/3 packaging in the RPM specfile was improved

Tickets Fixed

warn if memcache_timeout is greater than entry_cache_timeout
Check chown_debug_file() usage
Consider also disabled domains when link_forest_roots() is called
extend PAM responder unit test
Contribute and DevelTips are duplicate
Long living applicantion can use removed memory cache.
responder_cache_req-tests failed
sss_override: add find and show commands
sbus_codegen_tests leaves a process running
Review and update wiki pages for 1.13.2
Create a wiki page that lists security-sensitive options
SSSD is not closing sockets properly
Relax POSIX check
sss_override segfaults when accidentally adding –help flag to some commands
Size limit exceeded too loud during POSIX check
CI: configure script failed on CentOS {6,7}
sssd_be crashed
PAM responder crashed if user was not set
avoid symlinks witih python modules
CI: test_ipa_subdomains_server failed on rhel6 + –coverage (FAIL: test_ipa_subdom_server)
sss_override: memory violation
bug in UPN lookups for subdomain users
local overrides: don’t contact server with overriden name/id
REGRESSION: ipa-client-automout failed
sssd crashes if non-UTF-8 locale is used
IFP: ifp_users_user_get_groups doesn’t handle non-POSIX groups

Detailed Changelog

Dan Lavu (1):

  • sss_override: Add restart requirements to man page

Jakub Hrozek (10):

  • Bump the version for the 1.13.2 development
  • AD: Provide common connection list construction functions
  • AD: Consolidate connection list construction on ad_common.c
  • tests: Fix compilation warning
  • tools: Don’t shadow ‘exit’
  • IFP: Skip non-POSIX groups properly
  • DP: Drop dp_pam_err_to_string
  • DP: Check callback messages for valid UTF-8
  • sbus: Check string arguments for valid UTF-8 strings
  • Updating translations for the 1.13.2 release

Lukas Slebodnik (33):

  • CI: Fix configure script arguments for CentOS
  • CI: Don’t depend on user input with apt-get
  • CI: Add missing dependency for debian
  • CI: Run integration tests on debian testing
  • BUILD: Link just libsss_crypto with crypto libraries
  • BUILD: Link crypto_tests with existing library
  • BUILD: Remove unused variable TEST_MOCK_OBJ
  • BUILD: Avoid symlinks with python modules
  • SSSDConfigTest: Try load saved config
  • SSSDConfigTest: Test real config without config_file_version
  • intg_tests: Fix PEP8 warnings
  • BUILD: Accept krb5 1.14 for building the PAC plugin
  • BUILD: Fix detection of pthread with strict CFLAGS
  • BUILD: Fix doc directory for sss_simpleifp
  • LDAP: Fix leak of file descriptors
  • CI: Workaroung for code coverage with old gcc
  • cache_req: Fix warning -Wshadow
  • SBUS: Fix warnings -Wshadow
  • TESTS: Fix warnings -Wshadow
  • INIT: Drop from service file
  • sbus_codegen_tests: Suppress warning Wmaybe-uninitialized
  • DP_PTASK: Fix warning may be used uninitialized
  • UTIL: Fix memory leak in switch_creds
  • TESTS: Initialize leak check
  • TESTS: Check return value of check_leaks_pop
  • TESTS: Make check_leaks static function
  • TESTS: Add warning for unused result of leak check functions
  • sss_client: Fix underflow of active_threads
  • sssd_client: Do not use removed memory cache
  • test_memory_cache: Test removing mc without invalidation
  • Revert “intg: Invalidate memory cache before removing files”
  • test_sysdb_subdomains: Do not use assignment in assertions

Michal Židek (7):

  • SSSDConfig: Do not raise exception if config_file_version is missing
  • spec: Missing initgroups mmap file
  • util: Update get_next_domain’s interface
  • tests: Add get_next_domain_flags test
  • sysdb: Include disabled domains in link_forest_roots
  • sysdb: Use get_next_domain instead of dom->next
  • Refactor some conditions

Nikolai Kondrashov (13):

  • CI: Update reason blocking move to DNF
  • CI: Exclude whitespace_test from Valgrind checks
  • intg: Get base DN from LDAP connection object
  • intg: Add support for specifying all user attrs
  • intg: Split LDAP test fixtures for flexibility
  • intg: Reduce sssd.conf duplication in
  • intg: Fix RFC2307bis group member creation
  • intg: Do not use non-existent pre-increment
  • CI: Do not skip tests not checked with Valgrind
  • CI: Handle dashes in valgrind-condense
  • intg: Fix all PEP8 issues
  • CI: Enforce coverage make check failures
  • intg: Add more LDAP tests

Pavel Březina (23):

  • sss tools: improve option handling
  • sbus codegen tests: free ctx
  • cache_req: provide extra flag for oob request
  • cache_req: add support for UPN
  • cache_req tests: reduce code duplication
  • cache_req: remove raw_name and do not touch orig_name
  • sss_override: fix comment describing format
  • sss_override: explicitly set ret = EOK
  • sss_override: steal msgs string to objs
  • nss: send original name and id with local views if possible
  • sudo: search with view even if user is found
  • sudo: send original name and id with local views if possible
  • sss_tools: always show common and help options
  • sss_override: fix exporting multiple domains
  • sss_override: add user-find
  • sss_override: add group-find
  • sss_override: add user-show
  • sss_override: add group-show
  • sss_override: do not free ldb_dn in get_object_dn()
  • sss_override: use more generic help text
  • sss_tools: do not allow unexpected free argument
  • BE: Add IFP to known clients
  • AD: remove annoying debug message

Pavel Reichl (12):

  • AD: add debug messages for netlogon get info
  • confdb: warn if memcache_timeout > than entry_cache
  • SDAP: Relax POSIX check
  • SDAP: optional warning - sizelimit exceeded in POSIX check
  • SDAP: allow_paging in sdap_get_generic_ext_send()
  • SDAP: change type of attrsonly in sdap_get_generic_ext_state
  • SDAP: pass params in sdap_get_and_parse_generic_send
  • sss_override: amend man page - overrides do not stack
  • sss_override: Removed overrides might be in memcache
  • pam-srv-tests: split pam_test_setup() so it can be reused
  • pam-srv-tests: Add UT for cached ‘online’ auth.
  • intg: Add test for user and group local overrides

Petr Cech (9):

  • DEBUG: Preventing chown_debug_file if journald on
  • TEST: Add test_user_by_recent_filter_valid
  • TEST: Refactor of test_responder_cache_req.c
  • TEST: Refactor of test_responder_cache_req.c
  • TEST: Add common function are_values_in_array()
  • TEST: Add test_users_by_recent_filter_valid
  • TEST: Add test_group_by_recent_filter_valid
  • TEST: Refactor of test_responder_cache_req.c
  • TEST: Add test_groups_by_recent_filter_valid

Stephen Gallagher (2):

  • LDAP: Inform about small range size
  • Monitor: Show service pings at debug level 8

Sumit Bose (5):

  • PAM: only allow missing user name for certificate authentication
  • fix ldb_search usage
  • fix upn cache_req for sub-domain users
  • nss: fix UPN lookups for sub-domain users
  • cache_req: check all domains for lookups by certificate