SSSD 1.16.3

Highlights

New Features

  • The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were discovered for a Kerberos realm used to be only generated for the joined domain, not the trusted domains. Starting with this release, the kdcinfo files are generated automatically also for trusted domains in setups that use id_provider=ad and IPA masters in a trust relationship with an AD domain.
  • The SSSD Kerberos locator plugin, which processes the kdcinfo files and actually tells libkrb5 about the available KDCs, can now process multiple addresses if SSSD generates more than one. At the moment, this feature is only used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8) manual page for more information about the Kerberos locator plugin.
  • On IPA clients, the AD DCs or the AD site which should be used to authenticate users can now be listed in a subdomain section. Please see the feature design page or the section “trusted domains configuration” for more details.
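As an added example (not SSSD's own code) of what the locator plugin has to cope with once a kdcinfo file can carry more than one address: a small parser for a kdcinfo file body. The line format assumed here, one address per line with an optional port and bracketed IPv6 literals, is an assumption about the file, as are all names in the code; the sample bodies in the comments are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#define KDC_DEFAULT_PORT 88   /* assumed default when an entry has no port */
struct kdc_addr { char host[64]; int port; };

/* Parse one entry: "IPv4", "IPv4:port", "[IPv6]" or "[IPv6]:port"
 * (assumed format). Returns 0 on success, -1 on a malformed entry. */
static int parse_kdc_entry(const char *line, struct kdc_addr *out)
{
    const char *host = line, *end, *port_str = NULL;
    size_t len;
    if (line[0] == '[') {                   /* bracketed IPv6 literal */
        host = line + 1;
        end = strchr(host, ']');
        if (end == NULL) return -1;
        if (end[1] == ':') port_str = end + 2;
        else if (end[1] != '\0') return -1;
    } else {                                /* IPv4 literal or host name */
        end = strchr(host, ':');
        if (end != NULL) port_str = end + 1;
        else end = host + strlen(host);
    }
    len = (size_t)(end - host);
    if (len == 0 || len >= sizeof(out->host)) return -1;
    memcpy(out->host, host, len);
    out->host[len] = '\0';
    out->port = KDC_DEFAULT_PORT;
    if (port_str != NULL) {
        char *e; long p = strtol(port_str, &e, 10);
        if (*port_str == '\0' || *e != '\0' || p < 1 || p > 65535) return -1;
        out->port = (int)p;
    }
    return 0;
}

/* Parse a whole file body, one entry per line (e.g. the constructed body
 * "192.0.2.10\n[2001:db8::1]:88\n"). Returns the number of entries, or -1 if
 * any line is malformed or the array is too small: a file the plugin only
 * half understands should not be trusted. */
int parse_kdcinfo(const char *body, struct kdc_addr *kdcs, int max)
{
    char buf[1024], *save = NULL, *line;
    int n = 0;
    if (strlen(body) >= sizeof(buf)) return -1;
    strcpy(buf, body);
    for (line = strtok_r(buf, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        if (n >= max || parse_kdc_entry(line, &kdcs[n]) != 0) return -1;
        n++;
    }
    return n;
}
```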

Notable bug fixes

  • SECURITY: The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read anyone else’s sudo rules. This was considered an information leak and assigned CVE-2018-10852 (#3766)
  • IMPORTANT: The 1.16.2 release was storing the cached passwords without a salt prefix string. This bug was fixed in this release, but any password hashes generated by 1.16.2 are incompatible with the hashes generated by 1.16.3. As a result, the upgrade from 1.16.2 to 1.16.3 should be done while the authentication server is reachable, so that the first authentication after the upgrade fixes the cached password.
  • The sss_ssh process leaked file descriptors when converting more than one x509 certificate to an SSH public key (#3794)
  • SSSD, when configured with id_provider=ad, was using an overly expensive LDAP search to find out whether the required POSIX attributes were replicated to the Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which is much more efficient (#3755)
  • The PAC responder is now able to process Domain Local groups in case the PAC uses SID compression. Typically this is the case with Windows Server 2012 and newer (#3767)
  • Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would close the pipe towards sss_ssh_authorizedkeys when the matching key is found before the rest of the output is read. The sss_ssh_authorizedkeys helper was not handling this behaviour well and would exit with SIGPIPE, which also meant the public key authentication failed (#3747)
  • User lookups no longer fail if user’s e-mail address conflicts with another user’s fully qualified name (#3607)
  • The override_shell and override_homedir options are no longer applied to entries from the files domain. (#3758)
  • Several bugs related to the FleetCommander integration were fixed (#3773, #3774)
  • The grace logins with an expired password when authenticating against certain newer versions of the 389DS/RHDS LDAP server did not work (#3597)
  • Whitespace around netgroup triple separator is now stripped
  • The sss_ssh_knownhostsproxy utility can now print the host key without proxying the connection.
  • Due to an overly restrictive check, the fast in-memory cache was sometimes skipped, which caused a high load on the sssd_nss process (#3776).
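As an added illustration (not SSSD's own code) of the failure mode described in the sss_ssh_authorizedkeys bullet above: a helper that writes public keys to a pipe whose reader may close its end as soon as it has seen the key it wanted. It ignores SIGPIPE for the duration of the write so that an early close surfaces as EPIPE and is treated as success, while every other write error is still reported. Function names and the sample keys in the comments are assumptions/constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

/* Write all of buf to fd, retrying partial writes and EINTR.
 * Returns 0 on success, -1 with errno set on failure. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Print each key (e.g. the constructed "ssh-ed25519 AAAA... user@host") on
 * its own line. SIGPIPE is ignored for the duration so a reader that closes
 * early (as sshd does once a key matched) shows up as EPIPE instead of
 * killing the process. Returns the number of keys fully written, or -1 on
 * any error other than the reader going away. */
int print_authorized_keys(int fd, const char *const *keys, int nkeys)
{
    struct sigaction sa, old;
    int written = 0, rc = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = SIG_IGN;
    sigaction(SIGPIPE, &sa, &old);
    for (int i = 0; i < nkeys; i++) {
        if (write_all(fd, keys[i], strlen(keys[i])) < 0 ||
            write_all(fd, "\n", 1) < 0) {
            /* EPIPE: the reader has what it needs; anything else is real. */
            rc = (errno == EPIPE) ? 0 : -1;
            break;
        }
        written++;
    }
    sigaction(SIGPIPE, &old, NULL);
    return rc < 0 ? -1 : written;
}
```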

Packaging Changes

  • The python2 bindings are not built by default on Fedora 29 or newer
  • The sssd-secrets responder is now packaged in the sssd-kcm subpackage and might be removed in a future release

Documentation Changes

  • sss_ssh_knownhostsproxy has a new option -k/--print.

Tickets Fixed

  • 3796 - The IPA selinux provider can return an error if SELinux is completely disabled
  • 3794 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key
  • 3791 - The cached password does not store the salt prefix
  • 3778 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails
  • 3777 - If access check for a privileged pipe fails, the responder loops indefinitely
  • 3776 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped
  • 3774 - Desktop Profile: The 10th policy is producing a wrong file name
  • 3773 - SSSD bails out saving desktop profiles in case an invalid profile is found
  • 3767 - Groups go missing with PAC enabled in sssd
  • 3766 - CVE-2018-10852: information leak from the sssd-sudo responder
  • 3758 - override_homedir should not apply to the files provider
  • 3755 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers
  • 3754 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries
  • 3747 - sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys
  • 3652 - kdcinfo doesn’t get populated for other domains
  • 3607 - Handle conflicting e-mail addresses more gracefully
  • 3597 - sssd doesn’t allow user with expired password to login when PasswordgraceLimit set
  • 3596 - A combination of the same qualified and unqualified sudoUser causes Error: 17: File exists
  • 3542 - Get host key without proxying connection
  • 3475 - Full information regarding priority of lookup of principal in keytab not in man page
  • 3291 - RFE: sssd in cross realm trust configuration should use AD KDC from a list or site defined in the config file

Detailed Changelog

  • Alexander Bokovoy (2):

    • ipa provider: always use a special keytab to talk to a trusted DC
    • ipa provider: expand search base to cover trusted domain objects
  • Alexey Sheplyakov (1):

    • nss: skip incomplete groups instead of bailing out
  • Amit Kumar (1):

    • Responder: simplify if-else structure in sss_dp_get_account_msg()
  • Fabiano Fidêncio (18):

    • intg: Do not hardcode nsslibdir
    • files: do not apply override_homedir to files provider
    • tests: add override_homedir tests for files provider
    • files: do not apply override_shell to files provider
    • tests: add override_shell tests for files provider
    • util: add is_files_provider() helper
    • files: make use of is_files_provider() helper
    • cache_req: keep the files provider as the first domain to be searched
    • tests: add basic tests for cache_req_domain_new_list_from_domain_resolution_order()
    • tests: add a test to ensure the output_fqnames is false for files provider
    • deskprofile: don’t bail if we fail to save one profile
    • sdap: respect passwordGracelimit
    • deskprofile: fix a typo in _get_filename_path()
    • tests: add tests for ipa_deskprofile_get_filename_path()
    • util: introduce sss_ssh_print_pubkey()
    • ssh: make use of sss_ssh_print_pubkey()
    • sss_ssh_knownhostsproxy: add option to only print the pubkey
    • nss: remove unused label
  • Jakub Hrozek (38):

    • Bumping the version to track the 1.16.3 development
    • TESTS: Extend the schema with sshPublicKey attribute
    • TESTS: Allow adding sshPublicKey for users
    • TESTS: Add a basic SSH responder test
    • SSH: Do not exit abruptly if SSHD closes its end of the pipe before reading all the SSH keys
    • TESTS: Add a helper binary that can trigger the SIGPIPE to authorizedkeys
    • TESTS: Add a regression test for SIGHUP handling in sss_ssh_authorizedkeys
    • Revert “LDAP/IPA: add local email address to aliases”
    • util: Remove the unused function is_email_from_domain
    • TESTS: Allow storing e-mail address for users
    • TESTS: Add regression test for looking up users with conflicting e-mail addresses
    • AD/LDAP: Do not misuse the ignore_mark_offline to check if a connection needs to be checked for POSIX attribute presence
    • MAN: Remove outdated notes from the re_expression description
    • MAN: Document the re_expression needed to support @-signs in the groupnames
    • SUDO: Create the socket with stricter permissions
    • AD: expose the helper function to format the site DNS query
    • RESOLV: Add a resolv_hostport_list request
    • KRB5/IPA/AD: Add a utility function to create a krb5_service instance
    • KRB5: Allow writing multiple addresses to the kdcinfo plugin
    • IPA: Add the options that the IPA subdomains code will read for trusted domains on the client
    • IPA: Populate kdcinfo files on trust clients with configured AD servers
    • MAN: Document the options available for AD trusted domains
    • SDAP: Detect schemaNamingContext from the rootDSE
    • AD: Add Global Catalog usability check in subdomain code by looking at the schema
    • AD: Remove the legacy check from ad_get_account_domain_posix_check request
    • LDAP/AD: Remove the legacy POSIX check from user, group and enumeration searches
    • LDAP: Remove the legacy POSIX check itself
    • sudo testcli: Use hand-crafted JSON for output so that the test CLI is usable in tests
    • TESTS: Load the sudo schema in the default OpenLDAP test instance and create ou=sudoers
    • TESTS: Add API to add sudo rules in tests
    • TESTS: Add a simple sudo LDAP test
    • SUDO: Don’t save duplicates when saving qualified names
    • crypto: Silence a Coverity warning in OpenSSL version of sss_hmac_sha1()
    • crypto: Make one condition more defensive in NSS version of sss_hmac_sha1()
    • SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries
    • RESP: Terminate client connection if the permissions check on the priv pipe fails
    • SELINUX: Also call is_selinux_enabled as a check for selinux child
    • P11: Don’t return int failure from a bool function
  • Josef Cejka (1):

    • Strip whitespaces in netgroup triple.
  • Lukas Slebodnik (15):

    • sss_seed: Remove unused parameter from seed_domain_user_info
    • SUDO: Fix running in unprivileged responder
    • SUDO: Root should be able to read/write sssd-sudo socket
    • SPEC: Drop unnecessary check for minor version of el7
    • test_ssh_client: Do not ignore failure from read
    • SPEC: Move openssl deps away from unit tests deps
    • PYTHON: Avoid warnings with python3.7
    • SPEC: Move secrets responder to the package sssd-kcm
    • SPEC: Do not build python2 bindings on latest distros
    • BUILD: Replace also runstatedir in templates
    • SYSTEMD: Allow to use “/run” in ListenStream
    • Revert “Revert “CRYPTO: Suppress warning Wstringop-truncation””
    • CRYPTO: Save prefix in s3crypt_sha512
    • crypto-tests: Add unit test for s3crypt_sha512
    • SSS_CERT: Close file descriptors after executing p11_child
  • Michal Židek (1):

    • Revert “CRYPTO: Suppress warning Wstringop-truncation”
  • Stanislav Levin (1):

    • Fix “test-find-uid” and “find_uid-tests” tests
  • Sumit Bose (14):

    • krb5 locator: add support for multiple addresses
    • krb5 locator: fix IPv6 support
    • krb5 locator: make plugin more robust
    • krb5 locator: add unit tests
    • AD/IPA: Create kdcinfo file for sub-domains
    • krb5: refactor removal of krb5info files
    • krb5_common: add callback only once
    • data provider: run offline callbacks only once
    • utils: add libsss_child dependency to libsss_cert
    • AD: consider resource_groups in PAC as well
    • utils: make create_ipa_preauth_indicator() public as create_preauth_indicator()
    • PAM: create pre-auth indicator file
    • MC: Remove check if record is in the mapped address space
    • tests: fix sss_nss_idmap-tests
  • amitkumar50 (1):

    • MAN: Give information regarding priority of ldap lookup