SSSD 1.15.0 Release Notes
Highlights
SSSD now allows the responders to be activated by the systemd service manager and exit when idle. This means the
services
line in sssd.conf is optional and the responders can be started on-demand, simplifying the sssd configuration. Please note that this change is backwards-compatible and the responders listed explicitly in sssd.conf’s services line are managed by sssd in the same manner as in previous releases. Please refer toman sssd.conf(5)
for more informationThe sudo provider is no longer disabled for configurations that do not explicitly include the
sudo
responder in theservices
list. In order to disable the sudo-related back end code that executes the periodic LDAP queries, set thesudo_provider
tonone
explicitlyThe watchdog signal handler no longer uses signal-unsafe functions. This bug was causing a deadlock in case the watchdog was about to kill a stuck process
A bug that prevented TLS to be set up correctly on systems where libldap links with GnuTLS was fixed
The functionality to alter SSSD configuration through the D-Bus interface provided by the IFP responder was removed. This functionality was not used to the best of our knowledge, had no tests and prevented the InfoPipe responder from running as a non-privileged user.
A bug that prevented statically-linked applications from using libnss_sss was fixed by removing dependency on
-lpthreads
from thelibnss_sss
library (please see <https://sourceware.org/bugzilla/show_bug.cgi?id=20500for an example on why linking with-lpthread
from an NSS modules is problematic)Previously, SSSD did not ignore GPOs that were missing the gPCFunctionalityVersion attribute and failed the whole GPO processing. Starting with this version, the GPOs without the gPCFunctionalityVersion are skipped.
Packaging Changes
The Augeas development libraries are no longer required since the configuration manipulation interface was dropped from the InfoPipe responder
The libsss_config.so internal library was removed as well due to removal of the InfoPipe config management
In order to manage socket-activated or bus activated responders, each responder is now represented by a systemd service file (e.g. sssd-nss.service). All responders except InfoPipe, which is bus-activated, are also managed by a socket unit file (e.g. sssd-nss.socket)
Documentation Changes
The sssd-secrets responder gained a new option max_payload_size that allows the administrator to limit the maximum size of a secret
A new option responder_idle_timeout was added to support idle termination of socket-activated responders
The sssd-ad and sssd-ipa man pages now summarize differences between the generic Kerberos/LDAP back end and the specialized IPA/AD back ends
Tickets Fixed
#1739 - Use command line arguments instead env vars for krb5_child
#1243 - Man pages do not specify that sssd dyndns_refresh_interval < 60 is pulled to 60 seconds
#1285 - [RFE] Socket-activate responders
#1559 - krb5_child: Remove getenv() ran as root
#3060 - better debugging of timestamp cache modifications
#1171 - [RFE] socket-activate the IFP responder
#1193 - cache_req: complete the needs of NSS responders
#1198 - nss_sss might leak memory when calling thread goes away
#1256 - Update man pages for any AD provider config options that differ from ldap/krb5 providers defaults
#1257 - Review and update SSSD’s wiki pages for 1.15 Alpha release
#1277 - SSSCTL should not be case sensitive when searching for usernames or groups in a case-insensitive domain
#1287 - [RFE] Shutdown timeout for {socket,bus}-activated responders
#1317 - Unchecked return value of sss_cmd_empty_packet(pctx->creq->out);
#1325 - getsidbyid can fail in some cases due to cache_req refactoring
#1326 - getsidbyname does not work properly with case insensitive domains
Detailed Changelog
$ git shortlog --pretty=format:"%h %s" -w0,4 sssd-1_14_2..sssd-1_15_0
Amith Kumar (1):
dfbbe39f4 MAN: Updation of sssd-ad man page for case when dyndns_refresh_interval < 60 seconds
Carl Henrik Lunde (1):
9676b464d Prevent use after free in fd_input_available
David Michael (1):
baadb6080 BUILD: Find a host-prefixed krb5-config when cross-compiling
Fabiano Fidêncio (34):
da8801c36 SECRETS: Fix secrets rule in the allowed sections
682c9c346 SECRETS: Add allowed_sec_users_options
9ba53ac52 SECRETS: Delete all secrets stored during "max_secrets" test
7171a7584 SECRETS: Add configurable payload size limit of a secret
99b2352f9 BUILD: Drop libsss_config
78b4b7e5e IFP: Remove "ChangeDebugTemporarily" method
51ce94d00 AUTOFS: Check return of sss_cmd_empty_packet()
a290ab27e SUDO: Drop logic to disable the backend in case the provider is not set
953236782 MONITOR: Expose the monitor's services type
eaff953c6 MONITOR: Pass the service type to the RegisterService method
41e9e8b60 UTIL: Introduce --socket-activated cmdline option for responders
9e59f73f8 UTIL: Introduce --dbus-activated cmd option for responders
b1829f05c RESPONDER: Make responders' common code ready for socket activation
61cd5c830 AUTOFS: Make AutoFS responder socket-activatable
40e9ad2bf NSS: Make NSS responder socket-activatable
e40936053 PAC: Make PAC responder socket-activatable
6a7e28f06 PAM: Make PAM responder socket-activatable
b33c275eb SSH: Make SSH responder socket-activatable
f37e795cd SUDO: Make Sudo responder socket-activatable
9222a4fcb IFP: Make IFP responder dbus-activatable
9b3cd1171 MONITOR: Split up check_services()
2c9040b98 MONITOR: Deal with no services set up
006ba8944 MONITOR: Deal with socket-activated responders
9cd29d64f MAN: Mention that the services' list is optional
2797aca4d MAN: "user" doesn't work with socket-activated services
26f11a75d MONITOR: Don't expose monitor_common_send_id()
b46c4c0d3 SBUS: Add a time_t pointer to the sbus_connection
7622d9d97 SBUS: Add destructor data to sbus_connection
386c7340d RESPONDER: Make clear {reset_,}idle_timer() are related to client
32c766422 RESPONDER: Don't expose client_idle_handler()
151a6de47 RESPONDER: Shutdown {dbus,socket}-activated responders in case they're idle
560daa14e RESPONDER: Change how client timeout is calculated
087162b85 SERVER: Set the process group during server_setup()
e6a5f8c58 WATCHDOG: Avoid non async-signal-safe from the signal_handler
Howard Guo (1):
d2f935426 sss_client: Defer thread cancellation until completion of nss/pam operations
Jakub Hrozek (18):
ae30cff21 Updating the version for the 1.14.3 development
ef390162e Updating the version to track sssd-1-15 development
e5a984093 SYSDB: Split sysdb_try_to_find_expected_dn() into smaller functions
24d8c85fa SYSDB: Augment sysdb_try_to_find_expected_dn to match search base as well
fbe6644aa MONITOR: Do not set up watchdog for monitor
ab792150c MONITOR: Remove deprecated pong sbus method
fd25e6844 MONITOR: Remove unused shutDown sbus method
538a7f1dd Qualify ghost user attribute in case ldap_group_nesting_level is set to 0
65e791f84 tests: Add a test for group resolution with ldap_group_nesting_level=0
2927dc45b BUILD: Fix a typo in inotify.m4
ed71fba97 SSH: Use default_domain_suffix for users' authorized keys
ee576602d SYSDB: Suppress sysdb_delete_ts_entry failed: 0
150a0cc8f STAP: Only print transaction statistics if the script caught some transactions
1a71eeb4d test_sssctl: Add an integration test for sssctl netgroup-show
b4dd0867c KRB5: Advise the user to inspect the krb5_child.log if the child fails with a System Error
9e74a7ce9 IFP: Fix GetUserAttr
36b56482c Updating the translations for the 1.15.0 release
885a47df0 Updating the version for the 1.15.0 release
Justin Stephenson (2):
6e27e8572 MAN: Document different defaults for AD provider
8caf7ba50 MAN: Document different defaults for IPA provider
Lukas Slebodnik (45):
8f1316a0c crypto: Port libcrypto code to openssl-1.1
4117ae323 BUILD: Fix build without samba
0c2be9700 libcrypto: Check right value of CRYPTO_memcmp
65c85654d crypto-tests: Add unit test for sss_encrypt + sss_decrypt
96d239e83 crypto-tests: Rename encrypt decrypt test case
11d2a1183 BUILD: Accept krb5 1.15 for building the PAC plugin
bacc66dc6 dlopen-test: Use portable macro for location of .libs
558b8f3cd dlopen-test: Add missing libraries to the check list
d708e53d0 dlopen-test: Move libraries to the right "sections"
c7b3c43cf dlopen-test: Add check for untested libraries
6d11fdcd8 BUILD: Fix linking with librt
a7f085d6a KRB5: Remove spurious warning in logs
900778b5a TESTS: Check new line at end of file
58aa8d645 UTIL: Fix implicit declaration of function 'htobe32'
52cdb4275 SYSDB: Remove unused prototype from header file
73c9330fa sssctl: Fix missing declaration
c101cb130 UTIL: Fix compilation of sss_utf8 with libunistring
13b1d270f CONFDB: Supress clang false passitive warnings
8618716d6 SIFP: Fix warning format-security
3d5bf48ac RESPONDER: Remove dead assignment to the variable ret
69fb159e1 Fix compilation with python3.6
929bb1170 intg: Generate tmp dir with lowercase
64344539b LDAP: Fix debug messages after errors in *_get_send
2df7a1fe4 LDAP: Removed unused attr_type from users_get_send
823d8292c LDAP: Remove unused parameter attr_type from groups_get_send
8b026b55f DP: Remove unused constants BE_ATTR_*
ca68b1b4b DP: Remove unused attr_type from struct dp_id_data
3f2f973fa LDAP: Remove attrs_type related TODO comments
adc5f0d9d sssd_ldb.py: Remove a leftover debug message
c46dec3df intg: Fix python2,3 urllib
1fef02f87 intg: Avoid using xrange in tests
00fc94cbe intg: Avoid using iteritems for dictionary
e1711a2b2 intg: Use bytes with hash function
73c9e3d71 intg: Fix creating of slapd configuration
1097a61a8 intg: Use bytes for value of attributes in ldif
19398379a intg: Use bytes as input in ctypes
fd2dfed53 intg: Return strings from ctypes wrappers
69f6b919b intg: Convert output of executed commands to strings
554734a20 intg: Return list for enumeration functions
2a2014d70 SYSDB: Update filter for get object by id
126698070 sysdb-tests: Add test for sysdb_search_object_by_id
8a4a2b87f sysdb: Search also aliases in sysdb_search_object_by_name
daf3714bd sysdb-tests: Add test for sysdb_search_object_by_name
9657c178f MONITOR: Fix warning with undefined macro HAVE_SYSTEMD
31459a014 UTIL: Unset O_NONBLOCK for ldap connection
Michal Židek (9):
cbee11e91 sssctl: Flags for command initialization
ff565da10 ipa: Nested netgroups do not work
867bb85ec common: Fix domain case sensitivity init
d6e875c49 sssctl: Search by alias
715abb607 sssctl: Case insensitive filters
35ecfab87 tests: sssctl user/group-show basic tests
1af143e25 MAN: sssctl debug level
6a490b312 GPO: Skip GPOs without gPCFunctionalityVersion
47680083e gpo: Improve debug messages
Mike Ely (1):
cf5357ae8 ad_access_filter search for nested groups
Pavel Březina (41):
274996466 cache_req: move from switch to plugins; add logic
0db2f3402 cache_req: move from switch to plugins, add plugins
4169fb26e cache_req: switch to new code
e083a6bcf cache_req: delete old code
46703740e sudo: do not store usn if no rules are found
a22b0af19 nss: move nss_ctx->global_names to rctx
1d5e69346 ifp: remove unused fields from state
e4b147ed0 setent_notify: remove unused private context
35d161765 sss_crypto.h: include required headers
7b293a509 sss_output_name: do not require fq name
39b4feb50 cache_req: fix initgroups by name
f63607bfc cache_req: skip first search on bypass cache
b206e1abb cache_req: encapsulate output data into structure
3df5c41c1 cache_req: add ability to gather result from all domains
9c98397b6 cache_req: add ability to filter domains by enumeration
a79acee18 cache_req: add user enumeration
12d771585 cache_req: add group enumeration
2e13817e6 cache_req: add support for service by name
c2fc9459c cache_req: add support for service by port
0ae7e46a3 cache_req: add support for services enumeration
6b159f14f cache_req: add support for netgroups
4e2c15e6b cache_req: allow shallow copy of result
7be55c7de cache_req: allow to return well known object as result
7a2ca8d77 cache_req: return well known objects in object by sid
1b33f4d5c cache_req: make sure that we always fetch default attrs
c85f75189 cache_req: allow upn search with attrs
488518dde cache_req: add object by name
3be2628d8 cache_req: add object by id
8f895983e cache_req: make plug-ins definition const
817e3ec31 cache_req: improve debugging
bad19f954 cache_req: fix plugin function description
122228f49 cache_req: allow to search subdomains without fqn
2d12aae08 cache_req: do not set ncache if dp request fails
0713b92ec responders: unify usage of sss_cmd_send_empty and _error
87d85db07 responders: remove checks that are handled inside cache_req
7162dc780 responders: do not try to contact DP with LOCAL provider
a5a3bbb0b utils: add sss_ptr_hash module
4049b63f8 nss: rewrite nss responder so it uses cache_req
8d5292227 nss: make nss responder tests work with new code
075d89886 nss: remove the old code
ca367e0cb dp_request_table: remove unused #includes
Petr Cech (2):
cb056fe82 SYSDB: Adding message to inform which cache is used
0be56bb4a SYSDB: Adding message about reason why cache changed
Petr Čech (5):
f4a1046bb SYSDB: Adding lowercase sudoUser form
23637e2fd TESTS: Extending sysdb sudo store tests
8c256b670 RESPONDER: Adding of return value checking
e16b3174e UTIL: Removing of never read value
7e23edbaa SYSDB: Fixing of sudorule without a sudoUser
Sorah Fukumori (1):
13adcd070 BUILD: Fix installation without samba
Sumit Bose (11):
3dd4c3eca sysdb: add parent_dom to sysdb_get_direct_parents()
49d3f0a48 sdap: make some nested group related calls public
25699846b LDAP/AD: resolve domain local groups for remote users
c8fe1d922 PAM: add a test for filter_responses()
ce43f710c PAM: add pam_response_filter option
ea11ed3ea IPA/AD: check auth ctx before using it
7e394400e krb5: Use command line arguments instead env vars for krb5_child
f78b2dd73 krb5: fix two memory leaks
167b05b28 krb5: add tests for common functions
50a6d0118 sss_ptr_hash_delete_all: use unsigned long int
0b78b4e32 libwbclient-sssd: wbcLookupSid() allow NULL arguments
Victor Tapia (1):
d4063e9a2 MONITOR: Create pidfile after responders started