The IPA sudo provider was reimplemented. The new version reads the data from IPA's LDAP tree (as opposed to the compat tree populated by the slapi-nis plugin that was used previously). The benefit is that deployments which don't require the compat tree for other purposes, such as support for non-SSSD clients, can disable those autogenerated LDAP trees to conserve the resources that slapi-nis otherwise requires. There should be no visible changes to the end user.
SSSD now has the ability to renew the machine credentials (keytabs) when the ad provider is used. Please note that a recent version of the adcli package (0.8 or newer) is required for this feature to work.
The automatic ID mapping feature was improved so that the administrator is no longer required to manually set the range size in case a RID in the AD domain is larger than the default range size.
A potential infinite loop in the NFS ID mapping plugin that resulted in excessive memory usage was fixed.
Clients that are pinned to a particular AD site using the ad_site option no longer communicate with DCs outside that site during service discovery.
The IPA identity provider is now able to resolve external (typically coming from a trusted AD forest) group members during get-group-information requests. Please note that resolving external group memberships for AD users during the initgroup requests used to work even prior to this update. This feature is mostly useful for cases where an IPA client is using the compat tree to resolve AD trust users.
The IPA ID views feature now works correctly even for deployments without a trust relationship. Previously, the subdomains part of the IPA provider failed to read the views data if no master domain record had been created on the IPA server during trust establishment.
A race condition in the client libraries between SSSD closing the socket as idle and the client application using the socket was fixed. This bug manifested as a "Broken Pipe" error message on the client.
SSSD is now able to resolve users with the same usernames in different OUs of an AD domain.
The smartcard authentication now works properly with
The krb5.include.d directory is now owned by the sssd user and packaged in the
A new option, ldap_idmap_helper_table_size, was added. This option can help tune the allocation of new ID mapping slices for AD domains with high RID values. Most deployments can use the default value of this option.
Several PAM services were added to the lists that are used to map Windows logon services to GNU/Linux PAM services. The newly added PAM services include login managers (xdm) as well as the
The AD machine credentials renewal task can be fine-tuned using the ad_machine_account_password_renewal_opts option to change the initial delay and period of the credentials renewal task. In addition, the new ad_maximum_machine_account_password_age option allows the administrator to select how old the machine credential must be before SSSD tries to renew it.
The administrator can use the new pam_account_locked_message option to set a custom informational message that is shown when the account logging in is locked.
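The tuning options described in the items above (keytab renewal, site pinning, ID mapping helper table size, PAM service mapping and the locked-account message), collected into one sssd.conf fragment. This is an added example, not configuration taken from this page or shipped by the SSSD project. The domain name and the message text are constructed, every value is an illustrative assumption rather than a recommendation, and the initial_delay:period format of ad_machine_account_password_renewal_opts and the "+service" syntax of ad_gpo_map_interactive are as I recall them from sssd-ad(5); verify both against the manual page of the version you run.

```ini
# Added example sssd.conf fragment (not from the SSSD project or this page).
# Option names are the ones introduced in the release notes above; the
# values are assumptions chosen for illustration. example.test is constructed.

[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ad
access_provider = ad

# Keytab renewal task (adcli 0.8 or newer is required, see above).
# Assumed format: initial_delay:period, both in seconds. With these values
# the task first runs one hour after startup and then checks once per day.
ad_machine_account_password_renewal_opts = 3600:86400
# Renew the machine password once it is older than this many days
# (assumption: the unit is days).
ad_maximum_machine_account_password_age = 30

# Pin the client to one AD site so service discovery stays inside that site.
ad_site = HQ

# ID mapping: helper table size for domains with high RID values.
# Most deployments keep the default; the value here is illustrative.
ldap_idmap_helper_table_size = 10

# Assumed: extend the default interactive-logon PAM service list with a
# site-specific service name instead of replacing the whole list.
ad_gpo_map_interactive = +my-login-manager

[pam]
# Constructed message shown to the user when the AD account is locked out.
pam_account_locked_message = Your account is locked. Please contact the help desk.
```

Keep sssd.conf owned by root (or the sssd user on non-root deployments) and mode 0600, and restart sssd after editing; on releases that ship sssctl, `sssctl config-check` reports syntax, unknown-option and permission problems before the restart.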
#2083 [RFE] Support Automatic Renewing of Kerberos Host Keytabs
#2150 [RFE] SUDO: Support the IPA schema
#3230 automatically assign new slices for any AD domain
#3564 [RFE] IPA: resolve external group memberships of IPA groups during getgrnam and getgrgid
#3667 Retry EPIPE from clients
#3805 the colondb intreface has no unit tests
#3806 ad_site parameter does not work
#3826 incompatibility between sparkleshare and sss_ssh_knownhostsproxy due to setlocale()
#3832 sssd dereference processing failed : Input/output error
#3870 collapse_srv_lookups frees fo_server structure that is returned by fail over API
#3880 Allow SSSD to notify user of denial due to AD account lockout
#3890 cache_req: don’t search override values in LDAP when using LOCAL view
#3906 sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64 (RHEL6.7) when trying to retrieve non-existing netgroups
#3922 MAN: Clarify that subdomains always use service discovery
#3929 SRV lookups with id_provider=proxy and auth_provider=krb5
#3940 [sssd] Trusted (AD) user’s info stays in sssd cache for much more than expected.
#3943 Review and update wiki pages for 1.13.4
#3945 sssd_be AD segfaults on missing A record
#3947 Cannot retrieve users after upgrade from 1.12 to 1.13
#3950 extreme memory usage in libnfsidmap sss.so plug-in when resolving groups with many members
#3951 sssd mixup nested group from AD trusted domains
#3953 refresh_expired_interval stops sss_cache from working
#3958 Properly remove OriginalMemberOf attribute in SSSD cache if user has no secondary groups anymore
#3963 ID mapping - bug in computing max id for slice range
#3966 Add gnome-screensaver to the list of PAM services considered for Smartcard authentication
#3972 Warn if user cannot read krb5.conf
#3975 After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user
#3978 sss_obfuscate: SyntaxError: Missing parentheses in call to ‘print’
#3979 Cannot start sssd after switching to non-root
#4000 The delete operation of the memberof plugin allocates memory on NULL context
#4001 IPA view: view name not stored properly with default FreeIPA installation
#4002 Initgroups in AD provider might fail if user is stored in a non-default ou
#4003 GPO: Access denied in non-root mode
#4005 GPO: Access denied after blocking connection to AD.
#4010 sudorule not working with ipa sudo_provider on older freeipa
#4011 sudo smart refresh does not work correctly on openldap
#4012 SSSD PAM module does not support multiple password prompts (e.g. Password + Token) with sudo
#4013 IPA sudo: support the externalUser attribute
#4021 sssd_be: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0 error 4 in libsss_ipa.so[7ff889fcf000+5d000]
#4030 local overrides: issues with sub-domain users and mixed case names
$ git shortlog --pretty=format:"%h %s" -w0,4 sssd-1_13_4..sssd-1_13_4