SSSD 1.16.3 Release Notes
Highlights
New Features
The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were discovered for a Kerberos realm used to be generated only for the joined domain, not for the trusted domains. Starting with this release, the kdcinfo files are also generated automatically for trusted domains in setups that use id_provider=ad and on IPA masters in a trust relationship with an AD domain.
The SSSD Kerberos locator plugin, which processes the kdcinfo files and actually tells libkrb5 about the available KDCs, can now process multiple addresses if SSSD generates more than one. At the moment, this feature is only used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8) manual page for more information about the Kerberos locator plugin.
On IPA clients, the AD DCs or the AD site which should be used to authenticate users can now be listed in a subdomain section. Please see the feature design page or the section “trusted domains configuration” for more details.
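Added illustration (not SSSD's own locator code) of parsing a single kdcinfo entry, the piece a multi-address locator has to get right for IPv6. The "host[:port]" / "[ipv6][:port]" line layout is an assumption; this page does not describe the file format.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* One KDC address from a kdcinfo line; port == 0 means "not given". */
struct kdc_addr {
    char host[256];
    int port;
};

/* Parse one line of the assumed layout "host[:port]" or "[ipv6][:port]".
 * An unbracketed entry with several colons is taken as a bare IPv6 host;
 * a bracketed literal is returned without its brackets. */
bool parse_kdc_line(const char *line, struct kdc_addr *out)
{
    size_t n = strcspn(line, "\r\n");            /* ignore the line terminator */
    const char *hs = line, *he = line + n, *ps = NULL;
    out->port = 0;
    if (n == 0) return false;
    if (line[0] == '[') {                        /* bracketed IPv6 literal */
        const char *close = memchr(line, ']', n);
        if (close == NULL) return false;         /* unterminated bracket */
        hs = line + 1;
        he = close;
        if (close + 1 < line + n) {              /* something follows "]" */
            if (close[1] != ':') return false;
            ps = close + 2;
        }
    } else {
        const char *colon = memchr(line, ':', n);
        if (colon != NULL &&
            memchr(colon + 1, ':', n - (size_t)(colon + 1 - line)) == NULL) {
            he = colon;                          /* exactly one colon: host:port */
            ps = colon + 1;
        }
    }
    size_t hlen = (size_t)(he - hs);
    if (hlen == 0 || hlen >= sizeof(out->host)) return false;
    memcpy(out->host, hs, hlen);
    out->host[hlen] = '\0';
    if (ps != NULL) {                            /* validate the port, if any */
        char *end;
        long p = strtol(ps, &end, 10);
        if (end == ps || end != line + n || p < 1 || p > 65535) return false;
        out->port = (int)p;
    }
    return true;
}
```

A locator would call this once per line of the file and hand every successfully parsed address to libkrb5, skipping lines that fail to parse rather than aborting the lookup.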
Notable bug fixes
SECURITY: The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read anyone else’s sudo rules. This was considered an information leak and assigned CVE-2018-10852 (#3766)
IMPORTANT: The 1.16.2 release was storing the cached passwords without a salt prefix string. This bug was fixed in this release, but any password hashes generated by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is that the upgrade from 1.16.2 to 1.16.3 should be done while the authentication server is reachable, so that the first authentication after the upgrade fixes the cached password.
The sss_ssh process leaked file descriptors when converting more than one X.509 certificate to an SSH public key (#3794)
SSSD, when configured with id_provider=ad, was using a too expensive LDAP search to find out whether the required POSIX attributes were replicated to the Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which is much more efficient (#3755)
The PAC responder is now able to process Domain Local groups in case the PAC uses SID compression. Typically this is the case with Windows Server 2012 and newer (#3767)
Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would close the pipe towards sss_ssh_authorizedkeys when the matching key is found, before the rest of the output is read. The sss_ssh_authorizedkeys helper was not handling this behaviour well and would exit with SIGPIPE, which also meant the public key authentication failed (#3747)
User lookups no longer fail if a user’s e-mail address conflicts with another user’s fully qualified name (#3607)
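The SIGPIPE failure mode above, as an added illustration that is not SSSD's code: with SIGPIPE ignored, a reader that closes the pipe after the first matching key makes write() fail with EPIPE, which the helper can treat as a normal early end of output instead of dying. The key strings are constructed placeholders.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-ins for the keys a lookup would print (not real keys). */
static const char *sample_keys[] = {
    "ssh-ed25519 AAAAC3-constructed-key-1 user@example.test",
    "ssh-ed25519 AAAAC3-constructed-key-2 user@example.test",
};

/* Write the whole buffer, retrying on short writes and EINTR; -1 and errno on failure. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;                       /* EPIPE ends up here as well */
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Print one key per line to fd. Returns the number of keys fully written, or -1
 * on a genuine I/O error. Ignoring SIGPIPE turns a closed reader into an EPIPE
 * error from write(), which is treated as "the reader already has what it needs". */
int print_keys(int fd, const char **keys, size_t count)
{
    signal(SIGPIPE, SIG_IGN);
    size_t written = 0;
    for (size_t i = 0; i < count; i++) {
        if (write_all(fd, keys[i], strlen(keys[i])) < 0 ||
            write_all(fd, "\n", 1) < 0) {
            return errno == EPIPE ? (int)written : -1;
        }
        written++;
    }
    return (int)written;
}

int main(void)
{
    int n = print_keys(STDOUT_FILENO, sample_keys, 2);
    return n < 0 ? 1 : 0;
}
```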
The override_shell and override_homedir options are no longer applied to entries from the files domain (#3758)
Several bugs related to the FleetCommander integration were fixed (#3773, #3774)
The grace logins with an expired password when authenticating against certain newer versions of the 389DS/RHDS LDAP server did not work (#3597)
Whitespace around the netgroup triple separator is now stripped
The sss_ssh_knownhostsproxy utility can now print the host key without proxying the connection.
Due to an overly restrictive check, the fast in-memory cache was sometimes skipped, which caused a high load on the sssd_nss process (#3776).
Packaging Changes
The python2 bindings are not built by default on Fedora 29 or newer
The sssd-secrets responder is now packaged in the sssd-kcm subpackage and might be removed in a future release
Documentation Changes
sss_ssh_knownhostsproxy has a new option -k/--print.
Tickets Fixed
#4792 - The IPA selinux provider can return an error if SELinux is completely disabled
#4790 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key
#4789 - The cached password does not store the salt prefix
#4784 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails
#4783 - If access check for a privileged pipe fails, the responder loops indefinitely
#4782 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped
#4780 - Desktop Profile: The 10th policy is producing a wrong file name
#4779 - SSSD bails out saving desktop profiles in case an invalid profile is found
#4773 - Groups go missing with PAC enabled in sssd
#4772 - CVE-2018-10852: information leak from the sssd-sudo responder
#4764 - override_homedir should not apply to the files provider
#4761 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers
#4760 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries
#4754 - sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys
#4672 - kdcinfo doesn’t get populated for other domains
#4630 - Handle conflicting e-mail addresses more gracefully
#4620 - sssd doesn’t allow user with expired password to login when PasswordgraceLimit set
#4619 - A combination of the same qualified and unqualified sudoUser causes Error: 17: File exists
#4568 - Get host key without proxying connection
#4501 - Full information regarding priority of lookup of principal in keytab not in man page
#4324 - RFE: sssd in cross realm trust configuration should be use AD KDC from a list or site defined in the config file
Detailed Changelog
$ git shortlog --pretty=format:"%h %s" -w0,4 sssd-1_16_2..sssd-1_16_3
Alexander Bokovoy (2):
0648053a7 ipa provider: always use a special keytab to talk to a trusted DC
14faec9cd ipa provider: expand search base to cover trusted domain objects
Alexey Sheplyakov (1):
4937f2c68 nss: skip incomplete groups instead of bailing out
Amit Kumar (1):
1038473e1 Responder: simplify if-else structure in sss_dp_get_account_msg()
Fabiano Fidêncio (18):
b34fcff0f intg: Do not hardcode nsslibdir
ded46b7b7 files: do not apply override_homedir to files provider
3b19518f1 tests: add override_homedir tests for files provider
241594613 files: do not apply override_shell to files provider
fe48bc32d tests: add override_shell tests for files provider
024c1b3ae util: add is_files_provider() helper
2373df99b files: make use of is_files_provider() helper
f0b4d482e cache_req: keep the files provider as the first domain to be searched
c07469f7e tests: add basic tests for cache_req_domain_new_list_from_domain_resolution_order()
0052abe2c tests: add a test to ensure the output_fqnames is false for files provider
efd6702e5 deskprofile: don't bail if we fail to save one profile
954bf82b6 sdap: respect passwordGracelimit
6d154a07b deskprofile: fix a typo in _get_filename_path()
965e1f4f3 tests: add tests for ipa_deskprofile_get_filename_path()
49bb45204 util: introduce sss_ssh_print_pubkey()
b1141e414 ssh: make use of sss_ssh_print_pubkey()
36f2fe8f6 sss_ssh_knownhostsproxy: add option to only print the pubkey
e8b417e80 nss: remove unused label
Jakub Hrozek (39):
b5b073c26 Bumping the version to track the 1.16.3 development
1575ec97e TESTS: Extend the schema with sshPublicKey attribute
56cda832e TESTS: Allow adding sshPublicKey for users
804c5b538 TESTS: Add a basic SSH responder test
cb138d7d0 SSH: Do not exit abruptly if SSHD closes its end of the pipe before reading all the SSH keys
909c16edb TESTS: Add a helper binary that can trigger the SIGPIPE to authorizedkeys
4cc3c1a1b TESTS: Add a regression test for SIGHUP handling in sss_ssh_authorizedkeys
b0ec3875d Revert "LDAP/IPA: add local email address to aliases"
58f60a094 util: Remove the unused function is_email_from_domain
d057eb2e2 TESTS: Allow storing e-mail address for users
76ce965fc TESTS: Add regression test for looking up users with conflicting e-mail addresses
5e1641b10 AD/LDAP: Do not misuse the ignore_mark_offline to check if a connection needs to be checked for POSIX attribute presence
4c79db69c MAN: Remove outdated notes from the re_expression description
8071976af MAN: Document the re_expression needed to suport @-signs in the groupnames
ed90a20a0 SUDO: Create the socket with stricter permissions
29bbc8e01 AD: expose the helper function to format the site DNS query
6f80bccc6 RESOLV: Add a resolv_hostport_list request
a9a9f3934 KRB5/IPA/AD: Add a utility function to create a krb5_service instance
8971399c8 KRB5: Allow writing multiple addresses to the kdcinfo plugin
1cce549e0 IPA: Add the options that the IPA subdomains code will read for trusted domains on the client
18b7f0a30 IPA: Populate kdcinfo files on trust clients with configured AD servers
014e7d8ab MAN: Document the options available for AD trusted domains
c8d1c1b73 SDAP: Detect schemaNamingContext from the rootDSE
ba96e7b83 AD: Add Global Catalog usability check in subdomain code by looking at the schema
4273ac049 AD: Remove the legacy check from ad_get_account_domain_posix_check request
8d7811981 LDAP/AD: Remove the legacy POSIX check from user, group and enumeration searches
5b2b6493d LDAP: Remove the legacy POSIX check itself
4991e467c sudo testcli: Use hand-crafted JSON for output so that the test CLI is usable in tests
074a9ea7b TESTS: Load the sudo schema in the default OpenLDAP test instance and create ou=sudoers
b14cb238c TESTS: Add API to add sudo rules in tests
5d838e133 TESTS: Add a simple sudo LDAP test
e75601bfe SUDO: Don't save duplicates when saving qualified names
90378d31a crypto: Silence a Coverity warning in OpenSSL version of sss_hmac_sha1()
ad10153f5 crypto: Make one condition more defensive in NSS version of sss_hmac_sha1()
6ced87849 SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries
26db9658b RESP: Terminate client connection if the permissions check on the priv pipe fails
1e81d040c SELINUX: Also call is_selinux_enabled as a check for selinux child
7225bab5a P11: Don't return int failure from a bool function
61c515aa8 Updating translations for the 1.16.3 release
Josef Cejka (1):
dbb1abae6 Strip whitespaces in netgroup triple.
Lukas Slebodnik (15):
ececbf9cd sss_seed: Remove unused parameter from seed_domain_user_info
4900b8e59 SUDO: Fix running in unprivileged responder
21ea8204a SUDO: Root should be able to read/write sssd-sudo socket
7fbee7903 SPEC: Drop unnecessary check for minor version of el7
08ae90af3 test_ssh_client: Do not ignore failure from read
7326b52db SPEC: Move openssl deps away from unit tests deps
2a3f24955 PYTHON: Avoid warnings with python3.7
7b25811b7 SPEC: Move secrets responder to the package sssd-kcm
950558628 SPEC: Do not build python2 bindings on latest distros
7ddbcd8fa BUILD: Replace also runstatedir in templates
f64e95872 SYSTEMD: Allow to use "/run" in ListenStream
cd28ef7c6 Revert "Revert "CRYPTO: Suppress warning Wstringop-truncation""
f62d2af0c CRYPTO: Save prefix in s3crypt_sha512
8e1576b1c crypto-tests: Add unit test for s3crypt_sha512
a76f96ac1 SSS_CERT: Close file descriptors after executing p11_child
Michal Židek (1):
bb20d5160 Revert "CRYPTO: Suppress warning Wstringop-truncation"
Stanislav Levin (1):
a41367f7b Fix "test-find-uid" and "find_uid-tests" tests
Sumit Bose (14):
efae9509c krb5 locator: add support for multiple addresses
9f6832462 krb5 locator: fix IPv6 support
c1fbc6b64 krb5 locator: make plugin more robust
2124275fe krb5 locator: add unit tests
cc7922755 AD/IPA: Create kdcinfo file for sub-domains
d91661e29 krb5: refactor removal of krb5info files
4759a4827 krb5_common: add callback only once
f28d99571 data provider: run offline callbacks only once
a2cc554f4 utils: add libsss_child dependency to libsss_cert
13c845078 AD: consider resource_groups in PAC as well
72099c320 utils: make create_ipa_preauth_indicator() public as create_preauth_indicator()
d724ea3c2 PAM: create pre-auth indicator file
f1c2d4139 MC: Remove check if record is in the mapped address space
da9e34e36 tests: fix sss_nss_idmap-tests
amitkumar50 (1):
c5ef56b4f MAN: Give information regarding priority of ldap lookup