SSSD 1.13.1 Release Notes
Highlights
- Initial support for Smart Card authentication was added. The feature can be activated with the new pam_cert_auth option.
- The PAM prompting was enhanced so that when Two-Factor Authentication is used, both factors (password and token) can be entered separately on separate prompts. At the same time, only the long-term password is cached, so offline access still works using the long-term password.
- A new command line tool, sss_override, is present in this release. The tool allows overriding attributes on the SSSD side. It is helpful in environments where, for example, some hosts need to have a different view of POSIX attributes than others. Please note that the overrides are stored in the cache as well, so removing the cache will also remove the overrides.
- New methods were added to the SSSD D-Bus interface. Notably, support for looking up a user by certificate and for looking up multiple users using a wildcard was added. Please see the interface introspection or the design pages for full details.
- Several enhancements to the dynamic DNS update code. Notably, clients that update multiple interfaces work better with this release.
- This release supports authenticating against a KDC proxy.
- The fail over code was enhanced so that if a trusted domain is not reachable, only that domain is marked as inactive while the backend stays in online mode.
- Several fixes to the GPO access control code are present.
Packaging Changes
- The Smart Card authentication feature requires a helper process, p11_child, that needs to be marked as setgid if SSSD needs to be able to. Please note that p11_child requires the NSS crypto library at the moment.
- The sss_override tool was added along with its own manpage.
- The upstream RPM can now build on RHEL/CentOS 6.7.
Documentation Changes
- The config_file_version configuration option now defaults to 2. As an effect, this option does not have to be set anymore unless the config file format is changed again by SSSD upstream.
- It is now possible to specify a comma-separated list of interfaces in the dyndns_iface option.
- The InfoPipe responder and the LDAP provider gained a new option, wildcard_lookup, that specifies an upper limit on the number of entries that can be returned with a wildcard lookup.
- A new option, dyndns_server, was added. This option allows attempting a fallback DNS update against a specific DNS server. Please note this option only works as a fallback; the first attempt is always performed against autodiscovered servers.
- The PAM responder gained a new option, ca_db, that allows the storage of trusted CA certificates to be specified.
- The time the p11_child is allowed to operate can be specified using a new option, p11_child_timeout.
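As an added illustration, not taken from the release notes or from the SSSD project, the following sssd.conf fragment shows in which sections the new Smart Card and dynamic DNS options are placed. The domain name, interface names, DNS server name and the CA database path are assumed placeholder values.

```ini
# Added illustration (not SSSD project text): sssd.conf fragment using the
# options introduced in 1.13.1. Domain, interfaces, server and paths are
# assumed placeholders; adjust them for your deployment.
[sssd]
# config_file_version defaults to 2 since 1.13.1, so this line is now optional
config_file_version = 2
services = nss, pam
domains = example.test

[pam]
# Enable Smart Card authentication (handled by the p11_child helper)
pam_cert_auth = True
# Storage of the trusted CA certificates a card certificate must chain to
# (assumed path; p11_child uses the NSS crypto library in this release)
ca_db = /etc/pki/nssdb
# Seconds p11_child may take before the PAM request fails
p11_child_timeout = 30

[domain/example.test]
id_provider = ad
dyndns_update = True
# Comma-separated list: records for both interfaces are updated
dyndns_iface = eth0, eth1
# Fallback only: the first update attempt always targets the autodiscovered servers
dyndns_server = dns1.example.test
```

Keeping ca_db restricted to the CAs that actually issue card certificates limits which certificates pam_cert_auth will accept, and a short p11_child_timeout keeps a stalled reader from blocking the PAM conversation indefinitely.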
Tickets Fixed
#1588 [RFE] Support for smart cards
#2739 sssd: incorrect checks on length values during packet decoding
#2968 [RFE] Start the dynamic DNS update after the SSSD has been setup for the first time
#3036 Complain loudly if backend doesn’t start due to missing or invalid keytab
#3317 nested netgroups do not work in IPA provider
#3325 test dyndns failed.
#3377 Investigate using the krb5 responder for driving the PAM conversation with OTPs
#3505 Pass error messages via the extdom plugin
#3537 [RFE]Allow sssd to add a new option that would specify which server to update DNS with
#3591 RFE: Support multiple interfaces with the dyndns_iface option
#3595 RFE: Add support for wildcard-based cache updates
#3600 Add dualstack and multihomed support
#3603 Too much logging
#3620 TRACKER: Support one-way trusts for IPA
#3622 Re-check memcache after acquiring the lock in the client code
#3625 RFE: Support client-side overrides
#3638 Add index for ‘objectSIDString’ and maybe to other cache attributes
#3678 RFE: Don’t mark the main domain as offline if SSSD can’t connect to a subdomain
#3680 RFE: Detect re-established trusts in the IPA subdomain code
#3693 KDC proxy not working with SSSD krb5_use_kdcinfo enabled
#3717 Group members are not turned into ghost entries when the user is purged from the SSSD cache
#3723 sudoOrder not honored as expected
#3729 Default to config_file_version=2
#3732 GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode
#3733 GPO: Access denied due to using wrong sam_account_name
#3740 SSSDConfig: wrong return type returned on python3
#3741 krb5_child should always consider online state to allow use of MS-KKDC proxy
#3749 Logging messages from user point of view
#3752 [RFE] Provide interface for SSH to fetch user certificate
#3753 Initgroups memory cache does not work with fq names
#3757 Initgroups mmap cache needs update after db changes
#3758 well-known SID check is broken for NetBIOS prefixes
#3759 SSSD keytab validation check expects root ownership
#3760 IPA: returned unknown dp error code with disabled migration mode
#3763 Missing config options in gentoo init script
#3764 Could not resolve AD user from root domain
#3765 getgrgid for user’s UID on a trust client prevents getpw*
#3766 If AD site detection fails, not even ad_site override skipped
#3770 Do not send SSS_OTP if both factors were entered separately
#3772 searching SID by ID always checks all domains
#3774 Don’t use deprecated libraries (libsystemd-*)
#3778 sss_override: add import and export commands
#3779 Cannot build rpms from upstream spec file on rawhide
#3783 When certificate is added via user-add-cert, it cannot be looked up via org.freedesktop.sssd.infopipe.Users.FindByCertificate
#3784 memory cache can work intermittently
#3785 cleanup_groups should sanitize dn of groups
#3787 the PAM srv test often fails on RHEL-7
#3789 test_memory_cache failed in invalidation cache before stop
#3790 Fix crash in nss responder
#3795 Clear environment and set restrictive umask in p11_child
#3798 sss_override does not work correctly when ‘use_fully_qualified_names = True’
#3799 sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help
#3803 [RFE] sssd: better feedback form constraint password change
#3809 Test ‘test_id_cleanup_exp_group’ failed
#3813 sssd cannot resolve user names containing backslash with ldap provider
#3814 Make p11_child timeout configurable
#3818 Fix memory leak in GPO
#3823 sss_override : The local override user is not found
#3824 REGRESSION: Dyndns does not update reverse DNS records
#3831 sss_override --name doesn’t work with RFC2307 and ghost users
#3840 unit tests do not link correctly on Debian
#3844 Memory leak / possible DoS with krb auth.
Detailed Changelog
$ git shortlog --pretty=format:"%h %s" -w0,4 sssd-1_13_0..sssd-1_13_1
Jakub Hrozek (52):
585ea4eb0 Updating the version for 1.13.1 development
429f8454a tests: Move N_ELEMENTS definition to tests/common.h
696c17580 SYSDB: Add functions to look up multiple entries including name and custom filter
cdc44abdf DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP
fd04b25ea cache_req: Extend cache_req with wildcard lookups
fa7921c82 UTIL: Add sss_filter_sanitize_ex
2922461ea LDAP: Fetch users and groups using wildcards
f4e643ed7 LDAP: Add sdap_get_and_parse_generic_send
5b2ca5cc0 LDAP: Use sdap_get_and_parse_generic_/_recv
1f2fc55ec LDAP: Add sdap_lookup_type enum
b9e74a747 LDAP: Add the wildcard_limit option
bdf32fbb3 IFP: Add wildcard requests
f6a71ab5f Use NSCD path in execl()
61015cf52 KRB5: Use the right domain for case-sensitive flag
146e024b3 IPA: Better debugging
698601256 UTIL: Lower debug level in perform_checks()
6ed964cf2 IPA: Handle sssd-owned keytabs when running as root
6fe057efb IPA: Remove MPG groups if getgrgid was called before getpw()
32445affe LDAP: use ldb_binary_encode when printing attribute values
619e21ed9 IPA: Change the default of ldap_user_certificate to userCertificate;binary
d95bcfe23 UTIL: Provide a common interface to safely create temporary files
db5f9ab3f IPA: Always re-fetch the keytab from the IPA server
8145ab51b DYNDNS: Add a new option dyndns_server
13f30f69e p11child: set restrictive umask and clear environment
f5db13d44 KRB5: Use sss_unique file in krb5_child
df07d54f8 KRB5: Use sss_unique_file when creating kdcinfo files
51ae9cb4e LDAP: Use sss_unique_filename in ldap_child
84493af37 SSH: Use sss_unique_file_ex to create the known hosts file
e61b0e41c SYSDB: Index the objectSIDString attribute
6c2a29a91 sbus: Initialize errno if constructing message fails and add debug messages
9118a539a sbus: Add a special error code for messages sent by the bus itself
3954cd07d GPO: Use sss_unique_file and close fd on failure
63fb08573 SDAP: Remove unused function
f0815f5df KRB5: Don't error out reading a minimal krb5.conf
b5825c74b UTIL: Convert domain->disabled into tri-state with domain states
99c5f2f6b DP: Provide a way to mark subdomain as disabled and auto-enable it later with offline_timeout
0561d532c SDAP: Do not set is_offline if ignore_mark_offline is set
7fc8692d4 AD: Only ignore errors from SDAP lookups if there's another connection to fallback to
dd0a21738 KRB5: Offline operation with disabled domain
64d4b1e5f AD: Do not mark the whole back end as offline if subdomain lookup fails
ece345a74 AD: Set ignore_mark_offline=false when resolving AD root domain
201623520 IPA: Do not allow the AD lookup code to set backend as offline in server mode
2ddacb721 BUILD: link dp tests with LDB directly to fix builds on Debian
67625b1b4 LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains
cffe3defa tests: Move named_domain from test_utils to common test code
cf66c53e4 LDAP: Move sdap_create_search_base from ldap to sdap code
fb83de069 LDAP: Filter out multiple entries when searching overlapping domains
4c53f8b74 IPA: Change ipa_server_trust_add_send request to be reusable from ID code
669ce24f8 FO: Add an API to reset all servers in a single service
bc58e1cfe FO: Also reset the server common data in addition to SRV
42bd89dbe IPA: Retry fetching keytab if IPA user lookup fails
261cdde02 Updating translations for the 1.13.1 release
Lukas Slebodnik (49):
da17e4c19 KRB5: Return right data provider error code
890ae77c5 Update few debug messages
eabc1732e intg: Invalidate memory cache before removing files
b0ee27fd9 SPEC: Update spec file for krb5_local_auth_plugin
2ab9822a7 SSSDConfig: Return correct types in python3
872aa0d01 intg: Modernize 'except' clauses
39b31427e mmap_cache: Rename variables
225dc6914 mmap_cache: "Override" functions for initgr mmap cache
ea7839cec mmap: Invalidate initgroups memory cache after any change
ba847347c sss_client: Update integrity check of records in mmap cache
38b070198 intg_test: Add module for simulation of utility id
a2c10cf31 intg_test: Add integration test for memory cache
dda025870 NSS: Initgr memory cache should work with fq names
cb8c24707 test_memory_cache: Add test for initgroups mc with fq names
85fe1601d SPEC: Workaround for build with rpm 4.13
e693e9c67 KRB5: Do not try to remove missing ccache
c3baf4d7c test_memory_cache: Test mmap cache after initgroups
089db891b test_memory_cache: Test invalidation with sss_cache
6c676de3f krb5_utils-tests: Remove unused variables
32c6db689 sss_cache: Wait a while for invalidation of mc by nss responder
137d5dd0d test_memory_cache: Fix few python issues
b9901fe3d NSS: Fix use after free
90b8e2e47 NSS: Don't ignore backslash in usernames with ldap provider
03a4bb070 intg_tests: Add regression test for 2163
1116fbbf0 BUILD: Build libdlopen_test_providers.la as a dynamic library
802909e59 BUILD: Speed up build of some tests
af3a627a3 BUILD: Simplify build of simple_access_tests
447d32b6f CI: Set env variable for all tabs in screen
b3074dca3 dyndns-tests: Simulate job in wrapped execv
d71cd46ed AUTOMAKE: Disable portability warnings
50c9d542e tests: Use unique name for TEST_PATH
c106bfdf2 tests: Move test_dom_suite_setup to different module
bee2f31ca test_ipa_subdomains_server: Use unique dorectory for keytabs
83788fb29 test_copy_keytab: Create keytabs in unique directory
295c8e301 test_ad_common: Use unique directory for keytabs
9c563db82 Revert "LDAP: end on ENOMEM"
3d8b576bf Partially revert "LDAP: sanitize group name when used in filter"
6cb5bad3c LDAP: Sanitize group dn before using in filter
2cec08a31 test_ldap_id_cleanup: Fix coding style issues
75889713a DYNDNS: Return right error code in case of failure
71493344f BUILD: Simplify build of test_data_provider_be
e3c06950b BUILD: Remove unused variable CHECK_OBJ
a801d42c4 BUILD: Do not build libsss_ad_common.la as library
f3d84d2b6 BUILD: Remove unused variable SSSD_UTIL_OBJ
d9378e644 CONFIGURE: Remove bashism
afdc0179a IFP: Suppress warning from static analyzer
73ec8fdfd BUILD: Link test_data_provider_be with -ldl
40fa5c38d sysdb-tests: Use valid base64 encoded certificate for search
f182ede71 test_pam_srv: Run cert test only with NSS
Michal Židek (13):
c4fb8f55f DEBUG: Add new debug category for fail over.
9da121c08 pam: Incerease p11 child timeout
06987186f sdap_async: Use specific errmsg when available
f02b62138 TESTS: ldap_id_cleanup timeouts
9f0bffebd sssd: incorrect checks on length values during packet decoding
175613be0 CONFDB: Assume config file version 2 if missing
3b1aa479b Makefile.am: Add missing AM_CFLAGS
b0d6d14b5 SYSDB: Add function to expire entry
4d8f0f92e cleanup task: Expire all memberof targets when removing user
95b2c5177 CI: Add regression test for #2676
60713f738 intg: Fix some PEP 8 violations
d85be8ad4 PAM: Make p11_child timeout configurable
ab3c0e05d tests: Set p11_child_timeout to 30 in tests
Nikolai Kondrashov (1):
cbff3fcdc TESTS: Add trailing whitespace test
Pavel Březina (18):
166a622bc VIEWS TEST: add null-check
a8d31510d SYSDB: prepare for LOCAL view
284937e6b TOOLS: add common command framework
b69cb1787 TOOLS: add sss_override for local overrides
cbbd8ce52 AD: Use ad_site also when site search fails
ef7de95fc IFP: use default limit if provided is 0
52e3ee5c5 sudo: use "higher value wins" when ordering rules
4285cf181 sss_override: print input name if unable to parse it
7eba58cfc sss_override: support domains that require fqname
a76f63544 TOOLS: add sss_colondb API
5df5a6b85 sss_override: decompose code better
23fb01bf6 sss_override: support import and export
5e2ffb69d sss_override: document --debug options
4649f19ea sss_override: support fqn in override name
9571c9ba5 views: do not require overrideDN in grous when LOCAL view is set
d5e26a3ec views: fix two typos in debug messages
87e0dcaff views: allow ghost members for LOCAL view
8ca1a503c sss_override: remove -d from manpage
Pavel Reichl (23):
aa3fd6fde DYNDNS: sss_iface_addr_list_get return ENOENT
038b9ba28 DYNDNS: support mult. interfaces for dyndns_iface opt
0a26e92fb DYNDNS: special value '*' for dyndns_iface option
1112e8449 TESTS: dyndns tests support AAAA addresses
b0a8ed519 DYNDNS: support for dualstack
4f68747b1 TESTS: fix compiler warnings
4b1a46396 SDAP: rename SDAP_CACHE_PURGE_TIMEOUT
afa6ac75f IPA: Improve messages about failures
7c3cc1ee2 DYNDNS: Don't use server cmd in nsupdate by default
e4d6e9cca DYNDNS: remove redundant talloc_steal()
4f2a07c42 DYNDNS: remove zone command
76604931b DYNDNS: rename field of sdap_dyndns_update_state
b42bf6c0c DYNDNS: remove code duplication
6fd530614 TESTS: UT for sss_iface_addr_list_as_str_list()
e2e334b2f LDAP: sanitize group name when used in filter
4772d3f1f LDAP: minor improvements in ldap id cleanup
e0f2a7834 TESTS: fix fail in test_id_cleanup_exp_group
f31a57321 LDAP: end on ENOMEM
bfa5e3869 AD: send less logs to syslog
2b490bc94 Remove trailing whitespace
5dbdcc2c7 GPO: fix memory leak
eeac17ebb DDNS: execute nsupdate for single update of PTR rec
101628a48 AD: inicialize root_domain_attrs field
Petr Cech (6):
cebf9d194 BUILD: Repair dependecies on deprecated libraries
bdf422fde TESTS: Removing part of responder_cache_req-tests
11e8f3ecd UTIL: Function 2string for enum sss_cli_command
46e362869 UTIL: Fixing Makefile.am for util/sss_cli_cmd.h
376eaf187 DATA_PROVIDER: BE_REQ as string in log message
e6595222c IPA PROVIDER: Resolve nested netgroup membership
Robin McCorkell (1):
e6b6719ec man: List alternative schema defaults for LDAP AutoFS parameters
Stephen Gallagher (1):
7c18b65db AD: Handle cases where no GPOs apply
Sumit Bose (17):
b1bea7c3d test common: sss_dp_get_account_recv() fix assignment
4f1897ad4 nss_check_name_of_well_known_sid() improve name splitting
e1aed98d7 negcache: allow domain name for UID and GID
c2cc00e8d nss: use negative cache for sid-by-id requests
b698a04b3 krb5: do not send SSS_OTP if two factors were used
0d5bb3836 utils: add NSS version of cert utils
45726939a Add NSS version of p11_child
35f3a213e pack_message_v3: allow empty name
10703cd55 authok: add support for Smart Card related authtokens
a8d887323 PAM: add certificate support to PAM (pre-)auth requests
5242964d2 pam_sss: add sc support
4de84af23 ssh: generate public keys from certificate
7bb9ba868 krb5 utils: add sss_krb5_realm_has_proxy()
05ed6a29c krb5: do not create kdcinfo file if proxy configuration exists
67c68b563 krb5: assume online state if KDC proxy is configured
560b624b3 GPO: use SDAP_SASL_AUTHID as samAccountName
9a847b5d7 utils: make sss_krb5_get_primary() private
Thomas Oulevey (1):
b4c44ebb8 Fix memory leak in sssdpac_verify()
Tyler Gates (1):
cbe70d47d CONTRIB: Gentoo daemon startup options as declared in conf.d/sssd
Yuri Chornoivan (1):
f91029dd8 Fix minor typos