Link Search Menu Expand Document

SSSD 2.3.1

Highlights

New features

  • Domains can be now explicitly enabled or disabled using enable option in domain section. This can be especially used in configuration snippets.
  • New configuration options memcache_size_passwd, memcache_size_group, memcache_size_initgroups that can be used to control memory cache size.

Notable bug fixes

  • Fixed several regressions in GPO processing introduced in sssd-2.3.0
  • Fixed regression in PAM responder: failures in cache only lookups are no longer considered fatal
  • Fixed regression in proxy provider: pwfield=x is now default value only for sssd-shadowutils target

Packaging changes

  • libwbclient is now deprecated and is not being built by default (use --with-libwibclient to build it)

Documentation Changes

  • Added option memcache_size_passwd
  • Added option memcache_size_group
  • Added option memcache_size_initgroups
  • Added option enable in domain sections
  • Minor text improvements

Tickets Fixed

  • #1024 - SSSD user/group filtering is failing after “files” provider rebuilds cache
  • #1031 - When the passwd or group files are replaced, sssd stops monitoring the file for inotify events, and no updates are triggered
  • #3728 - When sssd service fails to start due to misconfiguration, the error message would be nice in /var/log/messages as well
  • #3920 - Add multiple domains tests to responder_cache_req-tests
  • #4578 - sssctl: Add memcache diagnostic and inspection commands
  • #4667 - sssd fails to release file descriptor on child logs after receiving HUP
  • #4743 - [RFE] Add “enabled” option to domain section
  • #5075 - sssd failover leads to delayed and failed logins
  • #5103 - GPO: Incorrect processing / inheritance order of HBAC GPOs
  • #5115 - mem-cache bug: only small fraction of memory allocated is actually used
  • #5129 - id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication
  • #5135 - Certificate attributes are not sanitized prior to ldap search
  • #5142 - RFE: Add option to specify alternate sssd config file location with “sssctl config-check” command.
  • #5151 - sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information
  • #5153 - Oddjob-mkhomedir fails when using NSS compat
  • #5155 - Document how to prevent invalid selinux context for default home directories in SSSD-AD direct integration.
  • #5164 - Change the message “Please enter smart card” to “Please insert smart card” on GDM login with smart-card
  • #5167 - AD: ad_access.c performs out-of memory check for wrong tevent request pointer
  • #5170 - SSSD must be able to resolve membership involving root with files provider
  • #5181 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working
  • #5183 - sssd 2.3.0 breaks AD auth due to GPO parsing failure
  • #5186 - sssd 2.3.0 buld errors due to issue with sv translation of man page
  • #5190 - GDM password prompt when cert mapped to multiple users and promptusername is False
  • #5199 - do not add fully-qualified suffix to already fully-qualified externalUser values in sudoers for IPA provider
  • #5201 - sssd-common: missing comma in file sssd_functions.stp
  • #5217 - NULL dereference in rotate_debug_files()
  • #5230 - Deprecate SSSD’s version of libwbclient
  • #5236 - sss_ssh_knownhostsproxy leads to silent failure for non-existent or non-co-operative hosts

Detailed changelog

  • Alejandro Visiedo (2):
    • systemtap: Missing a comma
    • config: [RFE] Add “enabled” option to domain section
  • Alexander Bokovoy (1):
    • ipa: Do not qualify already qualified users in sudo rules
  • Alexey Tikhonov (30):
    • DEBUG: only open child process log files when required
    • CLIENT: fixed few CHECKED_RETURN (CWE-252) warnings
    • NSS: fixed FORWARD_NULL (CWE-476)
    • KCM: fixed NO_EFFECT (CWE-398)
    • PROXY: suppress CPPCHECK_WARNING (CWE-456)
    • MC: fixed CPPCHECK_WARNING
    • CLIENT: fixed CPPCHECK_WARNING (CWE-476)
    • util/inotify: fixed CLANG_WARNING
    • util/inotify: fixed bug in inotify event processing
    • TOOLS: fixed CLANG_WARNING
    • TOOLS: fixed a couple of CLANG_WARNINGs
    • CLIENT: fixed “Dereference of null pointer” warning
    • RESPONDER/SUDO: fixed CLANG_WARNING
    • RESPONDER/NSS: fixed few CLANG_WARNINGs
    • CACHE_REQ: fixed CLANG_WARNING
    • PROVIDERS/LDAP: fixed CLANG_WARNING
    • PROVIDERS/LDAP: fixed CLANG_WARNING
    • PROVIDERS/IPA: fixed few CLANG_WARNINGs
    • DEBUG: fixed potential NULL dereference
    • TRANSLATIONS: updated translations to include new source file
    • NEGCACHE: skip permanent entries in [users/groups] reset
    • NSS: fixed UNINIT (CWE-457)
    • mem-cache: sizes of free and data tables were made consistent
    • NSS: avoid excessive log messages
    • NSS: enhanced debug during mem-cache initialization
    • mem-cache: added log message in case cache is full
    • NSS: make memcache size configurable in megabytes
    • mem-cache: comment added
    • mem-cache: always cleanup old content
    • Updated translation files: Japanese, Chinese (China), French
  • David Ward (1):
    • failover: fix documentation of default timeouts
  • Lukas Slebodnik (2):
    • python-test.py: Do not use letter similar to numbers
    • INTG: Do not use letter similar to numbers in python code
  • Michal Židek (1):
    • NSS: make memcache size configurable
  • Niranjan M.R (1):
    • pytest/testlib: Remove explcit encryption types from kdc.conf
  • Pavel Březina (12):
    • Update version in version.m4 to track the next release.
    • test: avoid endian issues in network tests
    • Provide new link for documentation: change sssd.github.io to sssd.io
    • pam_sss: fix missing initializer
    • files: allow root membership
    • proxy: use ‘x’ as default pwfield only for sssd-shadowutils target
    • monitor: log to syslog when service fails to start
    • po: fix sv translation
    • sss_ssh_knownhostsproxy: print error when unable to connect
    • sss_ssh_knownhostsproxy: print error when unable to proxy data
    • Update the translations for the 2.3.1 release
    • tests: discard const in test_confdb_get_enabled_domain_list
  • Paweł Poławski (1):
    • AD: Enforcing GPO rule restriction on user
  • Sumit Bose (19):
    • NSS client: preserve errno during _nss_sss_end* calls
    • ad: remove unused libsbmclient form libsss_ad.so
    • pam_sss: add SERVICE_IS_GDM_SMARTCARD
    • pam_sss: special handling for gdm-smartcard
    • ad_gpo_ndr.c: more ndr updates
    • GPO: fix link order in a SOM
    • sysdb: make sysdb_update_subdomains() more robust
    • ad: rename ad_master_domain_* to ad_domain_info_*
    • sysdb: make new_subdomain() public
    • ad: rename ads_get_root_id_ctx() to ads_get_dom_id_ctx
    • ad: remove unused trust_type from ad_subdom_store()
    • ad: add ad_check_domain_{send recv}
    • ad: check forest root directly if not present on local DC
    • DEBUG: use new exec_child(_ex) interface in tests
    • ipa: add failover to subdomain override lookups
    • pam_sss: make sure old certificate data is removed before retry
    • PAM: do not treat error for cache-only lookups as fatal
    • libwbclient-sssd: deprecate libwbclient-sssd
    • certmap: sanitize LDAP search filter
  • Thomas Reim (1):
    • Minor fix in ad_access.c out of memory check
  • Tomas Halman (3):
    • sssctl: sssctl config-check alternative config file
    • man: Document invalid selinux context for homedirs
    • sssctl: sssctl config-check alternative snippet dir
  • Yuri Chornoivan (1):
    • general: fix minor typos
  • ikerexxe (7):
    • db/sysdb.c: remove unused variable
    • data_provider/dp_target_id: remove store statement from a never read variable
    • p11_child/p11_child_common: remove store statement from a never read variable
    • autofs_test_client and sss_tools: remove store statements from never read variables
    • responder/common/responder_packet: get packet length only once
    • Test: Add users_by_filter_multiple_domains_valid
    • Test: Add groups_by_filter_multiple_domains_valid
  • vinay mishra (1):
    • Replaced ‘enter’ with ‘insert’