SSSD 2.3.1

Highlights

New features

• Domains can be now explicitly enabled or disabled using enable option in domain section. This can be especially used in configuration snippets.
• New configuration options memcache_size_passwd, memcache_size_group, memcache_size_initgroups that can be used to control memory cache size.

Notable bug fixes

• Fixed several regressions in GPO processing introduced in sssd-2.3.0
• Fixed regression in PAM responder: failures in cache only lookups are no longer considered fatal
• Fixed regression in proxy provider: pwfield=x is now default value only for sssd-shadowutils target

Packaging changes

• libwbclient is now deprecated and is not being built by default (use --with-libwibclient to build it)

Documentation Changes

• Added option memcache_size_passwd
• Added option memcache_size_group
• Added option memcache_size_initgroups
• Added option enable in domain sections
• Minor text improvements

Tickets Fixed

• #1024 - SSSD user/group filtering is failing after “files” provider rebuilds cache
• #1031 - When the passwd or group files are replaced, sssd stops monitoring the file for inotify events, and no updates are triggered
• #3728 - When sssd service fails to start due to misconfiguration, the error message would be nice in /var/log/messages as well
• #3920 - Add multiple domains tests to responder_cache_req-tests
• #4578 - sssctl: Add memcache diagnostic and inspection commands
• #4667 - sssd fails to release file descriptor on child logs after receiving HUP
• #4743 - [RFE] Add “enabled” option to domain section
• #5075 - sssd failover leads to delayed and failed logins
• #5103 - GPO: Incorrect processing / inheritance order of HBAC GPOs
• #5115 - mem-cache bug: only small fraction of memory allocated is actually used
• #5129 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication
• #5135 - Certificate attributes are not sanitized prior to ldap search
• #5142 - RFE: Add option to specify alternate sssd config file location with “sssctl config-check” command.
• #5151 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information
• #5153 - Oddjob-mkhomedir fails when using NSS compat
• #5155 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration.
• #5164 - Change the message “Please enter smart card” to “Please insert smart card” on GDM login with smart-card
• #5167 - AD: ad_access.c performs out-of memory check for wrong tevent request pointer
• #5170 - SSSD must be able to resolve membership involving root with files provider
• #5181 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working
• #5183 - sssd 2.3.0 breaks AD auth due to GPO parsing failure
• #5186 - sssd 2.3.0 buld errors due to issue with sv translation of man page
• #5190 - GDM password prompt when cert mapped to multiple users and promptusername is False
• #5199 - do not add fully-qualified suffix to already fully-qualified externalUser values in sudoers for IPA provider
• #5201 - sssd-common: missing comma in file sssd_functions.stp
• #5217 - NULL dereference in rotate_debug_files()
• #5230 - Deprecate SSSD’s version of libwbclient
• #5236 - sss_ssh_knownhostsproxy leads to silent failure for non-existent or non-co-operative hosts

Detailed changelog

• Alejandro Visiedo (2):
  • systemtap: Missing a comma
  • config: [RFE] Add “enabled” option to domain section
• Alexander Bokovoy (1):
  • ipa: Do not qualify already qualified users in sudo rules
• Alexey Tikhonov (30):
  • DEBUG: only open child process log files when required
  • CLIENT: fixed few CHECKED_RETURN (CWE-252) warnings
  • NSS: fixed FORWARD_NULL (CWE-476)
  • KCM: fixed NO_EFFECT (CWE-398)
  • PROXY: suppress CPPCHECK_WARNING (CWE-456)
  • MC: fixed CPPCHECK_WARNING
  • CLIENT: fixed CPPCHECK_WARNING (CWE-476)
  • util/inotify: fixed CLANG_WARNING
  • util/inotify: fixed bug in inotify event processing
  • TOOLS: fixed CLANG_WARNING
  • TOOLS: fixed a couple of CLANG_WARNINGs
  • CLIENT: fixed “Dereference of null pointer” warning
  • RESPONDER/SUDO: fixed CLANG_WARNING
  • RESPONDER/NSS: fixed few CLANG_WARNINGs
  • CACHE_REQ: fixed CLANG_WARNING
  • PROVIDERS/LDAP: fixed CLANG_WARNING
  • PROVIDERS/LDAP: fixed CLANG_WARNING
  • PROVIDERS/IPA: fixed few CLANG_WARNINGs
  • DEBUG: fixed potential NULL dereference
  • TRANSLATIONS: updated translations to include new source file
  • NEGCACHE: skip permanent entries in [users/groups] reset
  • NSS: fixed UNINIT (CWE-457)
  • mem-cache: sizes of free and data tables were made consistent
  • NSS: avoid excessive log messages
  • NSS: enhanced debug during mem-cache initialization
  • mem-cache: added log message in case cache is full
  • NSS: make memcache size configurable in megabytes
  • mem-cache: comment added
  • mem-cache: always cleanup old content
  • Updated translation files: Japanese, Chinese (China), French
• David Ward (1):
  • failover: fix documentation of default timeouts
• Lukas Slebodnik (2):
  • python-test.py: Do not use letter similar to numbers
  • INTG: Do not use letter similar to numbers in python code
• Michal Židek (1):
  • NSS: make memcache size configurable
• Niranjan M.R (1):
  • pytest/testlib: Remove explcit encryption types from kdc.conf
• Pavel Březina (12):
  • Update version in version.m4 to track the next release.
  • test: avoid endian issues in network tests
  • Provide new link for documentation: change sssd.github.io to sssd.io
  • pam_sss: fix missing initializer
  • files: allow root membership
  • proxy: use ‘x’ as default pwfield only for sssd-shadowutils target
  • monitor: log to syslog when service fails to start
  • po: fix sv translation
  • sss_ssh_knownhostsproxy: print error when unable to connect
  • sss_ssh_knownhostsproxy: print error when unable to proxy data
  • Update the translations for the 2.3.1 release
  • tests: discard const in test_confdb_get_enabled_domain_list
• Paweł Poławski (1):
  • AD: Enforcing GPO rule restriction on user
• Sumit Bose (19):
  • NSS client: preserve errno during _nss_sss_end* calls
  • ad: remove unused libsbmclient form libsss_ad.so
  • pam_sss: add SERVICE_IS_GDM_SMARTCARD
  • pam_sss: special handling for gdm-smartcard
  • ad_gpo_ndr.c: more ndr updates
  • GPO: fix link order in a SOM
  • sysdb: make sysdb_update_subdomains() more robust
  • ad: rename ad_master_domain_* to ad_domain_info_*
  • sysdb: make new_subdomain() public
  • ad: rename ads_get_root_id_ctx() to ads_get_dom_id_ctx
  • ad: remove unused trust_type from ad_subdom_store()

  • ad: add ad_check_domain_{send

    recv}

  • ad: check forest root directly if not present on local DC
  • DEBUG: use new exec_child(_ex) interface in tests
  • ipa: add failover to subdomain override lookups
  • pam_sss: make sure old certificate data is removed before retry
  • PAM: do not treat error for cache-only lookups as fatal
  • libwbclient-sssd: deprecate libwbclient-sssd
  • certmap: sanitize LDAP search filter
• Thomas Reim (1):
  • Minor fix in ad_access.c out of memory check
• Tomas Halman (3):
  • sssctl: sssctl config-check alternative config file
  • man: Document invalid selinux context for homedirs
  • sssctl: sssctl config-check alternative snippet dir
• Yuri Chornoivan (1):
  • general: fix minor typos
• ikerexxe (7):
  • db/sysdb.c: remove unused variable
  • data_provider/dp_target_id: remove store statement from a never read variable
  • p11_child/p11_child_common: remove store statement from a never read variable
  • autofs_test_client and sss_tools: remove store statements from never read variables
  • responder/common/responder_packet: get packet length only once
  • Test: Add users_by_filter_multiple_domains_valid
  • Test: Add groups_by_filter_multiple_domains_valid
• vinay mishra (1):
  • Replaced ‘enter’ with ‘insert’