SSSD 1.16.5

Highlights

New Features

• New option ad_gpo_ignore_unreadable was added that allows SSSD to ignore unreadable GPO containers in AD.
• It is possible to configure auto_private_groups per subdomain or with subdomain_inherit.

Security issues fixed

• A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access. (CVE-2018-16838)

Notable bug fixes

• Multiple URI specified in ldap_uri did not work properly if they differed only in port number.
• Several issues with SUDO rules processing have been fixed.
• SSSD sometimes incorrectly started in offline mode. This was fixed.
• Issue with missing nested groups after add/remove operation on the sever was fixed.
• A use-after-free error causing SSSD service to crash was fixed.

Tickets Fixed

• 3960 - cached_auth_timeout not honored for AD users authenticated via trust with FreeIPA
• 3974 - Write a list of host names up to a configurable limit to the kdcinfo files
• 3867 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD
• 3965 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider
• 3957 - sudo: runAsUser/Group does not work with domain_resolution_order
• 3838 - KCM: If the default ccache cannot be found, fall back to the first one
• 3467 - online detection in case sssd starts before network does appears to be broken
• 3964 - Responders: is_user_local_by_name() should avoid calling nss API entirely
• 3975 - Lookahead resolving of host names to provide names for the kdcinfo plugin
• 4015 - The server error message is not returned if password change fails
• 3917 - Double free error in tev_curl
• 3905 - SSSD doesn’t clear cache entries for IDs below min_id.
• 2854 - FAIL test-find-uid
• 2878 - sssd failover does not work on connecting to non-responsive ldaps:// server
• 4050 - nss_cmd_endservent resets the wrong index
• 4009 - Removing domain from ad_enabled_domains is not reflected in cache
• 4058 - Paging not enabled when fetching external groups, limits the number of external groups to 2000
• 2607 - sssd should not always read entire autofs map from ldap
• 4065 - IFP: GetUserAttr does not search by UPN
• 4078 - Trusted domain user logins succeed after using ipa trustdomain-disable
• 4074 - Integration tests use python2 unconditionally
• 4116 - autofs: delete possible duplicate of an autofs entry
• 2660 - SSSD service is crashing: dbus_watch_handle() is invoked with corrupted ‘watch’ value
• 3996 - sudo: do not update last usn when updating expired rules
• 3997 - sudo: always use server highest usn for smart refresh
• 4046 - sudo: incorrect usn value for openldap
• 4085 - support for defaults entry is failing in sssd sudo against Openldap server
• 4124 - Impossible to enforce GID on the AD’s “domain users” group in the IPA-AD trust setup
• 3463 - TESTS: make intgcheck is not always passing in the internal CI (enumeration tests)
• 4131 - Force LDAPS over 636 with AD Provider
• 4089 - Watchdog implementation or usage is incorrect
• 3636 - nested group missing after updates on provider
• 4112 - ldap_uri failover doesn’t work with different ports
• 4148 - Expecting appropriate error message when new password length is less than 8 characters when ldap_pwmodify_mode = ldap_modify in sssd.conf
• 4168 - SSSD-1-16: sbus_auto_reconnect(): “off-by-one error” in reconnection_retries interpretation `

Packaging Changes

• None.

Documentation Changes

• Added new option ldap_sasl_maxssf
• Added new option ad_gpo_ignore_unreadable

Detailed Changelog

• Alexey Tikhonov (13):

  • Util: added facility to load nss lib syms
  • responder/negcache: avoid calling nsswitch NSS API
  • negcache_files: got rid of large array on stack
  • TESTS: moved cwrap/test_negcache to cmocka tests
  • ci/sssd.supp: getpwuid() leak suppression
  • util/tev_curl: Fix double free error in schedule_fd_processing()
  • util/find_uid.c: fixed debug message
  • util/find_uid.c: fixed race condition bug
  • providers/ipa/: add_v1_user_data() amended
  • SBUS: defer deallocation of sbus_watch_ctx
  • util/watchdog: fixed watchdog implementation
  • TESTS: added sss_ptr_hash unit test
  • SBUS: fixed off-by-one error” in sbus_auto_reconnect()

• Branen Salmon (1):

  • knownhostsproxy: friendly error msg for NXDOMAIN

• Fabiano Fidêncio (1):

  • INTG: Increase the sleep() time so the changes are reflected on SSSD

• Jakub Hrozek (34):

  • Updating the version for 1.16.5
  • SYSDB: Inherit cached_auth_timeout from the main domain
  • AD: Allow configuring auto_private_groups per subdomain or with subdomain_inherit
  • SDAP: Add sdap_has_deref_support_ex()
  • IPA: Use dereference for host groups even if the configuration disables dereference
  • KCM: Fall back to using the first ccache if the default does not exist
  • krb5: Do not use unindexed objectCategory in a search filter
  • SYSDB: Index the ccacheFile attribute
  • krb5: Silence an error message if no cache entries have ccache stored but renewal is enabled
  • PAM: Also cache SSS_PAM_PREAUTH
  • LDAP: Return the error message from the extended operation password change also on failure
  • TESTS: Add a unit test for UPNs stored by sss_ncache_prepopulate
  • IPA: Allow paging when fetching external groups
  • SYSDB: Add sysdb_search_with_ts_attr
  • BE: search with sysdb_search_with_ts_attr
  • BE: Enable refresh for multiple domains
  • BE: Make be_refresh_ctx_init set up the periodical task, too
  • BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end
  • BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME
  • BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx
  • BE/LDAP: Split out a helper function from sdap_refresh for later reuse
  • BE: Pass in filter_type when creating the refresh account request
  • BE: Send refresh requests in batches
  • BE: Extend be_ptask_create() with control when to schedule next run after success
  • BE: Schedule the refresh interval from the finish time of the last run
  • AD: Implement background refresh for AD domains
  • IPA: Implement background refresh for IPA domains
  • BE/IPA/AD/LDAP: Add inigroups refresh support
  • BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication
  • IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
  • MAN: Amend the documentation for the background refresh
  • DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function
  • IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request
  • sudo: use objectCategory instead of objectClass in ad sudo provider

• Lukas Slebodnik (16):

  • BUILD: Add macro for checking python3 modules
  • BUILD: Fix typo of detecting python module for intgcheck
  • BUILD: Move checking of python2 modules for intgcheck
  • BUILD: Add macro for checking pytest for intgcheck
  • BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS
  • BUILD: Move python checks for intgcheck to macro
  • INTG: Do hot hardcode version of python/pytest in intgcheck
  • BUILD: Prefer python3 for intgcheck
  • intg: Install python3 dependencies for intgcheck on new distros
  • pyhbac: Fix warning Wdiscarded-qualifiers
  • SSSDConfig: Add minimal test for parse method
  • SSSDConfig: Fix SyntaxWarning “is not” with a literal
  • TESTS: Add minimal test for pysss encrypt
  • pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN
  • pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN
  • testlib: Fix SyntaxWarning “is” with a literal

• Michal Židek (3):

  • GPO: Add option ad_gpo_ignore_unreadable
  • Updated translation files.
  • translation: Add missing new lines

• Pavel Březina (79):

  • ipa: store sudo runas attribute with internal fqname
  • sudo: format runas attributes to correct output name
  • ci: enable sssd-ci for 1-16 branch
  • ci: switch to new tooling and remove ‘Read trusted files’ stage
  • ci: rebase pull request on the target branch
  • ci: print node on which the test is being run
  • ad: remove subdomain that has been disabled through ad_enabled_domains from sysdb
  • sysdb: add sysdb_domain_set_enabled()
  • ad: set enabled=false attribute for subdomains that no longer exists
  • sysdb: read and interpret domain’s enabled attribute
  • sysdb: add sysdb_list_subdomains()
  • ad: remove all subdomains if only master domain is enabled
  • ad: make ad_enabled_domains case insensitive
  • sss_ptr_hash: add sss_ptr_get_value to make it useful in delete callbacks
  • sss_ptr_hash: keep value pointer when destroying spy
  • autofs: fix typo in test tool
  • sysdb: add expiration time to autofs entries
  • sysdb: add sysdb_get_autofsentry
  • sysdb: add enumerationExpireTimestamp
  • sysdb: store enumeration expiration time in autofs map
  • sysdb: store original dn in autofs map
  • sysdb: add sysdb_del_autofsentry_by_key
  • autofs: move data provider functions to responder common code
  • cache_req: add autofs map entries plugin
  • cache_req: add autofs map by name plugin
  • cache_req: add autofs entry by name plugin
  • autofs: convert code to cache_req
  • autofs: use cache_req to obtain single entry in getentrybyname
  • autofs: use cache_req to obtain map in setent
  • dp: replace autofs handler with enumerate method
  • dp: add additional autofs methods
  • ldap: add base_dn to sdap_search_bases
  • ldap: rename sdap_autofs_get_map to sdap_autofs_enumerate
  • ldap: implement autofs get map
  • ldap: implement autofs get entry
  • autofs: allow to run only setent without enumeration in test tool
  • autofs: always refresh auto.master
  • sysdb: invalidate also autofs entries
  • sss_cache: invalidate also autofs entries
  • ci: add Debian 10
  • ci: allow distribution specific supression files
  • ci: suppress Debian valgrind errors
  • ifp: let cache_req parse input name so it can fallback to upn search
  • ifp: call tevent_req_post in case of error in ifp_user_get_attr_send
  • ci: add Debian suppresion path
  • ci: use python2 version of pytest
  • ci: pep8 was renamed to pycodestyle in Fedora 31
  • ci: remove left overs from previous rebase
  • pysss: use METH_VARARGS | METH_KEYWORDS instead of just METH_KEYWORDS
  • ci: enable on demand runs
  • ci: set build name to pull request or branch name
  • ci: notify that build awaits executor
  • ci: convert to scripted pipeline
  • autofs: remove unused enum
  • autofs: delete possible duplicate of an autofs entry
  • ci: store artifacts in jenkins for on-demand runs
  • ci: allow to specify systems where tests should be run for on-demand tests
  • ci: add Fedora 31
  • ci: install python2 on Fedora 31 and RHEL 8 so python2 bindings can be built
  • ci: disable python2 bindings on Fedora 32+
  • sudo: do not update last usn value on rules refresh
  • sudo: always use server highest known usn for smart refresh
  • man: update sudo smart refresh documentation to reflect new USN behavior
  • sudo: use proper datetime for default modifyTimestamp value
  • sudo: get timezone information from previous value when constructing new usn
  • sudo: add ldap_sudorule_object_class_attr
  • nss: use real primary gid if the value is overriden
  • ci: add rhel7
  • ci: set sssd-ci notification to pending state when job is started
  • ci: archive ci-mock-result
  • tests: fix race condition in enumeration tests
  • ci: add CentOS 7
  • sss_sockets: pass pointer instead of integer
  • memberof: keep memberOf attribute for nested member
  • ci: keep system list outside repository
  • ci: remove old dependency repository
  • sss_ptr_hash: pass new hash_entry_t to custom delete callback
  • failover: make sure we switch to another server if only port differs
  • sdap: provide error message when password change fail in ldap_modify mode

• Samuel Cabrero (2):

  • SUDO: Allow defaults sudoRole without sudoUser attribute
  • nss: Fix command ‘endservent’ resetting wrong struct member

• Simo Sorce (1):

  • Add TCP level timeout to LDAP services

• Sumit Bose (30):

  • ipa: ipa_getkeytab don’t call libnss_sss
  • pam: introduce prompt_config struct
  • authtok: add dedicated type for 2fa with single string
  • pam_sss: use configured prompting
  • PAM: add initial prompting configuration
  • getsockopt_wrapper: add support for PAM clients
  • intg: add test for password prompt configuration
  • winbind idmap plugin: update struct idmap_domain to latest version
  • SDAP: allow GSS-SPNEGO for LDAP SASL bind as well
  • sdap: inherit SDAP_SASL_MECH if not set explicitly
  • DP: add NULL check to be_ptask_{enable|disable}
  • tests: fix enctypes in test_copy_keytab
  • CI: use python3-pep8 on Fedora 31 and later
  • BUILD: fix libpython handling in Python3.8
  • negcache: add fq-usernames of know domains to all UPN neg-caches
  • ci: add pam wrapper
  • utils: extend some find_domain_* calls to search disabled domain
  • ipa: support disabled domains
  • ipa: ignore objects from disabled domains on the client
  • sysdb: add sysdb_subdomain_content_delete()
  • ipa: delete content of disabled domains
  • ipa: use LDAP not extdom to lookup IPA users and groups
  • ipa: use the right context for autofs
  • ipa: add failover to override lookups
  • ipa: add failover to access checks
  • sdap: update last_usn on reconnect
  • ad: allow booleans for ad_inherit_opts_if_needed()
  • ad: add ad_use_ldaps
  • ldap: add new option ldap_sasl_maxssf
  • ad: set min and max ssf for ldaps

• Tomas Halman (7):

  • krb5: Write multiple dnsnames into kdc info file
  • Providers: Delay online check on startup
  • krb5: Lookahead resolving of host names
  • CACHE: SSSD doesn’t clear cache entries
  • LDAP: failover does not work on non-responsive ldaps
  • CONFDB: Files domain if activated without .conf
  • TESTS: adapt tests to enabled default files domain