SSSD 1.13.4 Release Notes
Highlights
The IPA sudo provider was reimplemented. The new version reads the data from IPA's LDAP tree, as opposed to the compat tree populated by the slapi-nis plugin that was used previously. Deployments that don't need the compat tree for other purposes (such as supporting non-SSSD clients) can therefore disable those autogenerated LDAP trees and conserve the resources that slapi-nis otherwise requires. There should be no visible change for the end user.

SSSD is now able to renew the machine credentials (keytabs) when the ad provider is used. Please note that a recent version of the adcli package (0.8 or newer) is required for this feature to work.

The automatic ID mapping feature was improved so that the administrator is no longer required to manually set the range size when a RID in the AD domain is larger than the default range size.

A potential infinite loop in the NFS ID mapping plugin that resulted in excessive memory usage was fixed.

Clients that are pinned to a particular AD site using the ad_site option no longer communicate with DCs outside that site during service discovery.

The IPA identity provider is now able to resolve external group members (typically coming from a trusted AD forest) during get-group-information requests (getgrnam and getgrgid). Please note that resolving external group memberships for AD users during initgroups requests worked even prior to this update. This feature is mostly useful where an IPA client uses the compat tree to resolve AD trust users.

The IPA ID views feature now works correctly even for deployments without a trust relationship. Previously, the subdomains IPA provider failed to read the views data if no master domain record had been created on the IPA server during trust establishment.

A race condition in the client libraries between SSSD closing a socket as idle and the client application using that socket was fixed. This bug manifested as a "Broken Pipe" error message on the client.

SSSD is now able to resolve users with the same usernames in different OUs of an AD domain.

Smartcard authentication now works properly with gnome-screensaver.
Packaging Changes
The krb5.include.d directory is now owned by the sssd user and packaged in the krb5-common subpackage.
Documentation Changes
A new option, ldap_idmap_helper_table_size, was added. It can help tune the allocation of new ID mapping slices for AD domains with high RID values. Most deployments can use its default value.

Several PAM services were added to the lists used to map Windows logon services to GNU/Linux PAM services. The newly added PAM services include the login managers lightdm, lxdm, sddm and xdm, as well as the cockpit service.

The AD machine credential renewal task can be fine-tuned using ad_machine_account_password_renewal_opts, which changes the initial delay and the period of the renewal task. In addition, the new ad_maximum_machine_account_password_age option lets the administrator select how old the machine credential must be before SSSD tries to renew it.

The administrator can use the new pam_account_locked_message option to set a custom informational message that is shown when the account logging in is locked.
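The script below is an added example for these notes, not SSSD's own code. It parses a constructed sssd.conf fragment that uses the options introduced in this release (ad_site, ldap_idmap_helper_table_size, ad_maximum_machine_account_password_age, ad_machine_account_password_renewal_opts, pam_account_locked_message) and then models slice-based ID mapping to show why a RID larger than ldap_idmap_range_size previously failed to map and how a secondary slice resolves it, which is what the ID mapping highlight and the ldap_idmap_helper_table_size option above describe. The slice arithmetic (uid = range_min + slice * range_size + offset) follows SSSD's slice layout, but the sequential slice allocation is a simplification: the real sss_idmap library hashes the domain SID to choose the primary slice and has its own rules for secondary slices. The domain SID, RIDs and configuration values are constructed for illustration and are not taken from the release notes.

```python
"""Added example for the SSSD 1.13.4 release notes; not SSSD's own code.

Assumptions not stated in the release notes:
  - uid = range_min + slice * range_size + offset is SSSD's slice layout, but
    the real sss_idmap hashes the domain SID to pick the primary slice; this
    model hands slices out in order and allocates secondary slices on demand,
    at most helper_table_size per domain (0 disables them).
"""
import configparser

# Constructed sssd.conf fragment; values are illustrative, not recommendations.
SSSD_CONF = """\
[pam]
pam_account_locked_message = Account locked, contact the helpdesk

[domain/example.com]
id_provider = ad
ad_site = Branch-Office
ldap_idmap_range_min = 200000
ldap_idmap_range_size = 200000
ldap_idmap_helper_table_size = 10
ad_maximum_machine_account_password_age = 30
ad_machine_account_password_renewal_opts = 86400:300
"""

def load_domain(conf_text, domain):
    """Return the [domain/<name>] section of an sssd.conf text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    return cp["domain/" + domain]

def renewal_schedule(opts):
    """Split 'interval:initial_delay' (both in seconds) into two ints."""
    parts = opts.split(":")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError("expected '<interval>:<initial_delay>', got %r" % opts)
    return int(parts[0]), int(parts[1])

class SliceIdMapper:
    """Simplified slice model of SID <-> UID mapping (see module docstring)."""

    def __init__(self, range_min, range_size, helper_table_size):
        self.range_min = range_min
        self.range_size = range_size
        self.helper_table_size = helper_table_size
        self.slices = {}     # slice index -> (domain SID, chunk of RID space)
        self.by_domain = {}  # (domain SID, chunk) -> slice index

    def _slice_for(self, domain_sid, chunk):
        key = (domain_sid, chunk)
        if key not in self.by_domain:
            idx = len(self.slices)  # sequential allocation (model assumption)
            self.slices[idx] = key
            self.by_domain[key] = idx
        return self.by_domain[key]

    def sid_to_uid(self, sid, secondary_slices=True):
        """Map an object SID to a UID. secondary_slices=False reproduces the
        pre-1.13.4 behaviour: a RID >= range_size maps to nothing."""
        domain_sid, rid = sid.rsplit("-", 1)
        chunk, offset = divmod(int(rid), self.range_size)
        if chunk > 0 and (not secondary_slices or chunk > self.helper_table_size):
            return None
        slice_idx = self._slice_for(domain_sid, chunk)
        return self.range_min + slice_idx * self.range_size + offset

    def uid_to_sid(self, uid):
        """Reverse mapping: locate the slice, rebuild the RID from its chunk."""
        idx, offset = divmod(uid - self.range_min, self.range_size)
        if idx not in self.slices:
            return None
        domain_sid, chunk = self.slices[idx]
        return "%s-%d" % (domain_sid, chunk * self.range_size + offset)

def demo():
    """Run the model against the constructed config and return the results."""
    dom = load_domain(SSSD_CONF, "example.com")
    mapper = SliceIdMapper(int(dom["ldap_idmap_range_min"]),
                           int(dom["ldap_idmap_range_size"]),
                           int(dom["ldap_idmap_helper_table_size"]))
    domain_sid = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
    low = domain_sid + "-1105"     # RID below range_size: primary slice
    high = domain_sid + "-250000"  # RID above range_size: needs a secondary slice
    return {
        "low": mapper.sid_to_uid(low),
        "high_old": mapper.sid_to_uid(high, secondary_slices=False),
        "high_new": mapper.sid_to_uid(high),
        "roundtrip": mapper.uid_to_sid(mapper.sid_to_uid(high)),
        "renewal": renewal_schedule(dom["ad_machine_account_password_renewal_opts"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print("%-10s %s" % (name, value))
```

With the default 200000-wide range, RID 250000 has no room in the domain's primary slice; without secondary slices the lookup returns nothing, which is the situation that used to force administrators to raise ldap_idmap_range_size. With the helper table the same RID lands in a second slice and maps back to the original SID, and setting ldap_idmap_helper_table_size to 0 in the fragment restores the old failure.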
Tickets Fixed
#2083 [RFE] Support Automatic Renewing of Kerberos Host Keytabs
#2150 [RFE] SUDO: Support the IPA schema
#3230 automatically assign new slices for any AD domain
#3564 [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid
#3667 Retry EPIPE from clients
#3805 the colondb interface has no unit tests
#3806 ad_site parameter does not work
#3826 incompatibility between sparkleshare and sss_ssh_knownhostsproxy due to setlocale()
#3832 sssd dereference processing failed : Input/output error
#3870 collapse_srv_lookups frees fo_server structure that is returned by fail over API
#3880 Allow SSSD to notify user of denial due to AD account lockout
#3890 cache_req: don’t search override values in LDAP when using LOCAL view
#3906 sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64 (RHEL6.7) when trying to retrieve non-existing netgroups
#3922 MAN: Clarify that subdomains always use service discovery
#3929 SRV lookups with id_provider=proxy and auth_provider=krb5
#3940 [sssd] Trusted (AD) user’s info stays in sssd cache for much more than expected.
#3943 Review and update wiki pages for 1.13.4
#3945 sssd_be AD segfaults on missing A record
#3947 Cannot retrieve users after upgrade from 1.12 to 1.13
#3950 extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members
#3951 sssd mixup nested group from AD trusted domains
#3953 refresh_expired_interval stops sss_cache from working
#3958 Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore
#3963 ID mapping - bug in computing max id for slice range
#3966 Add gnome-screensaver to the list of PAM services considered for Smartcard authentication
#3972 Warn if user cannot read krb5.conf
#3975 After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user
#3978 sss_obfuscate: SyntaxError: Missing parentheses in call to ‘print’
#3979 Cannot start sssd after switching to non-root
#4000 The delete operation of the memberof plugin allocates memory on NULL context
#4001 IPA view: view name not stored properly with default FreeIPA installation
#4002 Initgroups in AD provider might fail if user is stored in a non-default ou
#4003 GPO: Access denied in non-root mode
#4005 GPO: Access denied after blocking connection to AD.
#4010 sudorule not working with ipa sudo_provider on older freeipa
#4011 sudo smart refresh does not work correctly on openldap
#4012 SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo
#4013 IPA sudo: support the externalUser attribute
#4021 sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]
#4030 local overrides: issues with sub-domain users and mixed case names
Detailed Changelog
$ git shortlog --pretty=format:"%h %s" -w0,4 sssd-1_13_3..sssd-1_13_4