SSSD 1.16.5¶
Highlights¶
New Features¶
- New option ad_gpo_ignore_unreadable was added that allows SSSD to ignore unreadable GPO containers in AD.
- It is possible to configure auto_private_groups per subdomain or with subdomain_inherit.
Security issues fixed¶
- A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access. (CVE-2018-16838)
Notable bug fixes¶
- Multiple URI specified in ldap_uri did not work properly if they differed only in port number.
- Several issues with SUDO rules processing have been fixed.
- SSSD sometimes incorrectly started in offline mode. This was fixed.
- Issue with missing nested groups after add/remove operation on the sever was fixed.
- A use-after-free error causing SSSD service to crash was fixed.
Tickets Fixed¶
- 3960 - cached_auth_timeout not honored for AD users authenticated via trust with FreeIPA
- 3974 - Write a list of host names up to a configurable limit to the kdcinfo files
- 3867 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD
- 3965 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider
- 3957 - sudo: runAsUser/Group does not work with domain_resolution_order
- 3838 - KCM: If the default ccache cannot be found, fall back to the first one
- 3467 - online detection in case sssd starts before network does appears to be broken
- 3964 - Responders: is_user_local_by_name() should avoid calling nss API entirely
- 3975 - Lookahead resolving of host names to provide names for the kdcinfo plugin
- 4015 - The server error message is not returned if password change fails
- 3917 - Double free error in tev_curl
- 3905 - SSSD doesn’t clear cache entries for IDs below min_id.
- 2854 - FAIL test-find-uid
- 2878 - sssd failover does not work on connecting to non-responsive ldaps:// server
- 4050 - nss_cmd_endservent resets the wrong index
- 4009 - Removing domain from ad_enabled_domains is not reflected in cache
- 4058 - Paging not enabled when fetching external groups, limits the number of external groups to 2000
- 2607 - sssd should not always read entire autofs map from ldap
- 4065 - IFP: GetUserAttr does not search by UPN
- 4078 - Trusted domain user logins succeed after using ipa trustdomain-disable
- 4074 - Integration tests use python2 unconditionally
- 4116 - autofs: delete possible duplicate of an autofs entry
- 2660 - SSSD service is crashing: dbus_watch_handle() is invoked with corrupted ‘watch’ value
- 3996 - sudo: do not update last usn when updating expired rules
- 3997 - sudo: always use server highest usn for smart refresh
- 4046 - sudo: incorrect usn value for openldap
- 4085 - support for defaults entry is failing in sssd sudo against Openldap server
- 4124 - Impossible to enforce GID on the AD’s “domain users” group in the IPA-AD trust setup
- 3463 - TESTS: make intgcheck is not always passing in the internal CI (enumeration tests)
- 4131 - Force LDAPS over 636 with AD Provider
- 4089 - Watchdog implementation or usage is incorrect
- 3636 - nested group missing after updates on provider
- 4112 - ldap_uri failover doesn’t work with different ports
- 4148 - Expecting appropriate error message when new password length is less than 8 characters when ldap_pwmodify_mode = ldap_modify in sssd.conf
- 4168 - SSSD-1-16: sbus_auto_reconnect(): “off-by-one error” in reconnection_retries interpretation `
Packaging Changes¶
- None.
Documentation Changes¶
- Added new option ldap_sasl_maxssf
- Added new option ad_gpo_ignore_unreadable
Detailed Changelog¶
- Alexey Tikhonov (13):
- Util: added facility to load nss lib syms
- responder/negcache: avoid calling nsswitch NSS API
- negcache_files: got rid of large array on stack
- TESTS: moved cwrap/test_negcache to cmocka tests
- ci/sssd.supp: getpwuid() leak suppression
- util/tev_curl: Fix double free error in schedule_fd_processing()
- util/find_uid.c: fixed debug message
- util/find_uid.c: fixed race condition bug
- providers/ipa/: add_v1_user_data() amended
- SBUS: defer deallocation of sbus_watch_ctx
- util/watchdog: fixed watchdog implementation
- TESTS: added sss_ptr_hash unit test
- SBUS: fixed off-by-one error” in sbus_auto_reconnect()
- Branen Salmon (1):
- knownhostsproxy: friendly error msg for NXDOMAIN
- Fabiano Fidêncio (1):
- INTG: Increase the sleep() time so the changes are reflected on SSSD
- Jakub Hrozek (34):
- Updating the version for 1.16.5
- SYSDB: Inherit cached_auth_timeout from the main domain
- AD: Allow configuring auto_private_groups per subdomain or with subdomain_inherit
- SDAP: Add sdap_has_deref_support_ex()
- IPA: Use dereference for host groups even if the configuration disables dereference
- KCM: Fall back to using the first ccache if the default does not exist
- krb5: Do not use unindexed objectCategory in a search filter
- SYSDB: Index the ccacheFile attribute
- krb5: Silence an error message if no cache entries have ccache stored but renewal is enabled
- PAM: Also cache SSS_PAM_PREAUTH
- LDAP: Return the error message from the extended operation password change also on failure
- TESTS: Add a unit test for UPNs stored by sss_ncache_prepopulate
- IPA: Allow paging when fetching external groups
- SYSDB: Add sysdb_search_with_ts_attr
- BE: search with sysdb_search_with_ts_attr
- BE: Enable refresh for multiple domains
- BE: Make be_refresh_ctx_init set up the periodical task, too
- BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end
- BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME
- BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx
- BE/LDAP: Split out a helper function from sdap_refresh for later reuse
- BE: Pass in filter_type when creating the refresh account request
- BE: Send refresh requests in batches
- BE: Extend be_ptask_create() with control when to schedule next run after success
- BE: Schedule the refresh interval from the finish time of the last run
- AD: Implement background refresh for AD domains
- IPA: Implement background refresh for IPA domains
- BE/IPA/AD/LDAP: Add inigroups refresh support
- BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication
- IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
- MAN: Amend the documentation for the background refresh
- DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function
- IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request
- sudo: use objectCategory instead of objectClass in ad sudo provider
- Lukas Slebodnik (16):
- BUILD: Add macro for checking python3 modules
- BUILD: Fix typo of detecting python module for intgcheck
- BUILD: Move checking of python2 modules for intgcheck
- BUILD: Add macro for checking pytest for intgcheck
- BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS
- BUILD: Move python checks for intgcheck to macro
- INTG: Do hot hardcode version of python/pytest in intgcheck
- BUILD: Prefer python3 for intgcheck
- intg: Install python3 dependencies for intgcheck on new distros
- pyhbac: Fix warning Wdiscarded-qualifiers
- SSSDConfig: Add minimal test for parse method
- SSSDConfig: Fix SyntaxWarning “is not” with a literal
- TESTS: Add minimal test for pysss encrypt
- pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN
- pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN
- testlib: Fix SyntaxWarning “is” with a literal
- Michal Židek (3):
- GPO: Add option ad_gpo_ignore_unreadable
- Updated translation files.
- translation: Add missing new lines
- Pavel Březina (79):
- ipa: store sudo runas attribute with internal fqname
- sudo: format runas attributes to correct output name
- ci: enable sssd-ci for 1-16 branch
- ci: switch to new tooling and remove ‘Read trusted files’ stage
- ci: rebase pull request on the target branch
- ci: print node on which the test is being run
- ad: remove subdomain that has been disabled through ad_enabled_domains from sysdb
- sysdb: add sysdb_domain_set_enabled()
- ad: set enabled=false attribute for subdomains that no longer exists
- sysdb: read and interpret domain’s enabled attribute
- sysdb: add sysdb_list_subdomains()
- ad: remove all subdomains if only master domain is enabled
- ad: make ad_enabled_domains case insensitive
- sss_ptr_hash: add sss_ptr_get_value to make it useful in delete callbacks
- sss_ptr_hash: keep value pointer when destroying spy
- autofs: fix typo in test tool
- sysdb: add expiration time to autofs entries
- sysdb: add sysdb_get_autofsentry
- sysdb: add enumerationExpireTimestamp
- sysdb: store enumeration expiration time in autofs map
- sysdb: store original dn in autofs map
- sysdb: add sysdb_del_autofsentry_by_key
- autofs: move data provider functions to responder common code
- cache_req: add autofs map entries plugin
- cache_req: add autofs map by name plugin
- cache_req: add autofs entry by name plugin
- autofs: convert code to cache_req
- autofs: use cache_req to obtain single entry in getentrybyname
- autofs: use cache_req to obtain map in setent
- dp: replace autofs handler with enumerate method
- dp: add additional autofs methods
- ldap: add base_dn to sdap_search_bases
- ldap: rename sdap_autofs_get_map to sdap_autofs_enumerate
- ldap: implement autofs get map
- ldap: implement autofs get entry
- autofs: allow to run only setent without enumeration in test tool
- autofs: always refresh auto.master
- sysdb: invalidate also autofs entries
- sss_cache: invalidate also autofs entries
- ci: add Debian 10
- ci: allow distribution specific supression files
- ci: suppress Debian valgrind errors
- ifp: let cache_req parse input name so it can fallback to upn search
- ifp: call tevent_req_post in case of error in ifp_user_get_attr_send
- ci: add Debian suppresion path
- ci: use python2 version of pytest
- ci: pep8 was renamed to pycodestyle in Fedora 31
- ci: remove left overs from previous rebase
- pysss: use METH_VARARGS | METH_KEYWORDS instead of just METH_KEYWORDS
- ci: enable on demand runs
- ci: set build name to pull request or branch name
- ci: notify that build awaits executor
- ci: convert to scripted pipeline
- autofs: remove unused enum
- autofs: delete possible duplicate of an autofs entry
- ci: store artifacts in jenkins for on-demand runs
- ci: allow to specify systems where tests should be run for on-demand tests
- ci: add Fedora 31
- ci: install python2 on Fedora 31 and RHEL 8 so python2 bindings can be built
- ci: disable python2 bindings on Fedora 32+
- sudo: do not update last usn value on rules refresh
- sudo: always use server highest known usn for smart refresh
- man: update sudo smart refresh documentation to reflect new USN behavior
- sudo: use proper datetime for default modifyTimestamp value
- sudo: get timezone information from previous value when constructing new usn
- sudo: add ldap_sudorule_object_class_attr
- nss: use real primary gid if the value is overriden
- ci: add rhel7
- ci: set sssd-ci notification to pending state when job is started
- ci: archive ci-mock-result
- tests: fix race condition in enumeration tests
- ci: add CentOS 7
- sss_sockets: pass pointer instead of integer
- memberof: keep memberOf attribute for nested member
- ci: keep system list outside repository
- ci: remove old dependency repository
- sss_ptr_hash: pass new hash_entry_t to custom delete callback
- failover: make sure we switch to another server if only port differs
- sdap: provide error message when password change fail in ldap_modify mode
- Samuel Cabrero (2):
- SUDO: Allow defaults sudoRole without sudoUser attribute
- nss: Fix command ‘endservent’ resetting wrong struct member
- Simo Sorce (1):
- Add TCP level timeout to LDAP services
- Sumit Bose (30):
- ipa: ipa_getkeytab don’t call libnss_sss
- pam: introduce prompt_config struct
- authtok: add dedicated type for 2fa with single string
- pam_sss: use configured prompting
- PAM: add initial prompting configuration
- getsockopt_wrapper: add support for PAM clients
- intg: add test for password prompt configuration
- winbind idmap plugin: update struct idmap_domain to latest version
- SDAP: allow GSS-SPNEGO for LDAP SASL bind as well
- sdap: inherit SDAP_SASL_MECH if not set explicitly
- DP: add NULL check to be_ptask_{enable|disable}
- tests: fix enctypes in test_copy_keytab
- CI: use python3-pep8 on Fedora 31 and later
- BUILD: fix libpython handling in Python3.8
- negcache: add fq-usernames of know domains to all UPN neg-caches
- ci: add pam wrapper
- utils: extend some find_domain_* calls to search disabled domain
- ipa: support disabled domains
- ipa: ignore objects from disabled domains on the client
- sysdb: add sysdb_subdomain_content_delete()
- ipa: delete content of disabled domains
- ipa: use LDAP not extdom to lookup IPA users and groups
- ipa: use the right context for autofs
- ipa: add failover to override lookups
- ipa: add failover to access checks
- sdap: update last_usn on reconnect
- ad: allow booleans for ad_inherit_opts_if_needed()
- ad: add ad_use_ldaps
- ldap: add new option ldap_sasl_maxssf
- ad: set min and max ssf for ldaps
- Tomas Halman (7):
- krb5: Write multiple dnsnames into kdc info file
- Providers: Delay online check on startup
- krb5: Lookahead resolving of host names
- CACHE: SSSD doesn’t clear cache entries
- LDAP: failover does not work on non-responsive ldaps
- CONFDB: Files domain if activated without .conf
- TESTS: adapt tests to enabled default files domain