SSSD 1.16.3 Release Notes

  • The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were discovered for a Kerberos realm used to be generated only for the joined domain, not for trusted domains. Starting with this release, the kdcinfo files are also generated automatically for trusted domains in setups that use id_provider=ad and on IPA masters in a trust relationship with an AD domain.

  • The SSSD Kerberos locator plugin, which processes the kdcinfo files and actually tells libkrb5 about the available KDCs, can now process multiple addresses if SSSD generates more than one. At the moment, this feature is only used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8) manual page for more information about the Kerberos locator plugin.

  • On IPA clients, the AD DCs or the AD site which should be used to authenticate users can now be listed in a subdomain section. Please see the feature design page or the section “trusted domains configuration” for more details.
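A subdomain section of the kind described above, added here as a constructed illustration rather than text from the release or its manual pages; the section name form and the ad_server, ad_backup_server and ad_site option names are assumed to match those documented in sssd-ipa(5), and every hostname and domain is a placeholder.

```ini
# Constructed example: an IPA client in an IPA-AD trust.
# IPA domain: ipa.example.test; trusted AD domain: ad.example.test.
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa-master.ipa.example.test
ipa_domain = ipa.example.test
ipa_hostname = client.ipa.example.test
cache_credentials = True

# Subdomain section for the trusted AD domain (assumed option names).
# The DCs listed here are the ones SSSD hands to libkrb5 through the
# kdcinfo file for the AD realm, instead of whatever DNS discovery returns.
[domain/ipa.example.test/ad.example.test]
ad_server = dc1.ad.example.test, dc2.ad.example.test
ad_backup_server = dc3.ad.example.test
# Alternatively, restrict discovery to one AD site instead of naming DCs:
# ad_site = Branch-Office
```

After restarting SSSD and authenticating an AD user, the kdcinfo file for the AD realm (kept under /var/lib/sss/pubconf/ on a standard install) should list the configured DCs, which is the quickest way to confirm the section was picked up.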

  • SECURITY: The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read anyone else’s sudo rules. This was considered an information leak and assigned CVE-2018-10852 (#3766).

  • IMPORTANT: The 1.16.2 release was storing the cached passwords without a salt prefix string. This bug is fixed in this release, but any password hashes generated by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is that an upgrade from 1.16.2 to 1.16.3 should be done while the authentication server is reachable, so that the first authentication after the upgrade fixes the cached password.

  • The sss_ssh process leaked file descriptors when converting more than one X.509 certificate to an SSH public key (#3794)

  • SSSD, when configured with id_provider=ad, was using an overly expensive LDAP search to find out whether the required POSIX attributes were replicated to the Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which is much more efficient (#3755)

  • The PAC responder is now able to process Domain Local groups in case the PAC uses SID compression. Typically this is the case with Windows Server 2012 and newer (#3767)

  • Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would close the pipe towards sss_ssh_authorizedkeys as soon as the matching key is found, before the rest of the output is read. The sss_ssh_authorizedkeys helper was not handling this behaviour well and would be terminated by SIGPIPE, which also meant the public key authentication failed (#3747)
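The failure mode above, shown as an added C example (not the helper's actual source): a key-printing routine that treats a reader closing the pipe early as success instead of dying from SIGPIPE, exercised against a pipe whose read end is closed before the first write and against one that stays open. The sample key lines are constructed and the function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample output lines, not real keys. */
static const char *sample_keys[] = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0000000000000000000000000000 u@example",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEY u@example",
};
#define NSAMPLE (sizeof(sample_keys) / sizeof(sample_keys[0]))

/* Key lines are short, so one write() per piece is enough for this example. */
static int put_line(int fd, const char *s)
{
    return (write(fd, s, strlen(s)) < 0 || write(fd, "\n", 1) < 0) ? -1 : 0;
}

/* Print keys one per line. Returns keys delivered, or -1 on a real error.
 * EPIPE means sshd already matched a key and closed its end of the pipe:
 * that is success for the helper, not a reason to die. */
int print_keys(int fd, const char **keys, size_t nkeys)
{
    size_t done = 0;
    signal(SIGPIPE, SIG_IGN); /* else the first write to a closed pipe kills the process */
    for (size_t i = 0; i < nkeys; i++) {
        if (put_line(fd, keys[i]) < 0)
            return errno == EPIPE ? (int)done : -1;
        done++;
    }
    return (int)done;
}

/* early_close != 0: reader is gone before the first key; expect 0, no crash.
 * early_close == 0: reader stays open; expect every key delivered. */
int simulate(int early_close)
{
    int fds[2], rc;
    if (pipe(fds) < 0) return -1;
    if (early_close) close(fds[0]);
    rc = print_keys(fds[1], sample_keys, NSAMPLE);
    close(fds[1]);
    if (!early_close) close(fds[0]);
    return rc;
}

int main(void) { printf("early close: %d, full read: %d\n", simulate(1), simulate(0)); return 0; }
```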

  • User lookups no longer fail if a user’s e-mail address conflicts with another user’s fully qualified name (#3607)

  • The override_shell and override_homedir options are no longer applied to entries from the files domain. (#3758)

  • Several bugs related to the FleetCommander integration were fixed (#3773, #3774)

  • The grace logins with an expired password when authenticating against certain newer versions of the 389DS/RHDS LDAP server did not work (#3597)

  • Whitespace around netgroup triple separator is now stripped

  • The sss_ssh_knownhostsproxy utility can now print the host key without proxying the connection.

  • Due to an overly restrictive check, the fast in-memory cache was sometimes skipped, which caused a high load on the sssd_nss process (#3776).

  • The python2 bindings are not built by default on Fedora 29 or newer

  • The sssd-secrets responder is now packaged in the sssd-kcm subpackage and might be removed in a future release

  • sss_ssh_knownhostsproxy has a new option -k/--print.

  • #4792 - The IPA selinux provider can return an error if SELinux is completely disabled

  • #4790 - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key

  • #4789 - The cached password does not store the salt prefix

  • #4784 - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails

  • #4783 - If access check for a privileged pipe fails, the responder loops indefinitely

  • #4782 - Spurious check in the sssd nss memcache can cause the memory cache to be skipped

  • #4780 - Desktop Profile: The 10th policy is producing a wrong file name

  • #4779 - SSSD bails out saving desktop profiles in case an invalid profile is found

  • #4773 - Groups go missing with PAC enabled in sssd

  • #4772 - CVE-2018-10852: information leak from the sssd-sudo responder

  • #4764 - override_homedir should not apply to the files provider

  • #4761 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers

  • #4760 - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries

  • #4754 - sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys

  • #4672 - kdcinfo doesn’t get populated for other domains

  • #4630 - Handle conflicting e-mail addresses more gracefully

  • #4620 - sssd doesn’t allow user with expired password to login when PasswordgraceLimit set

  • #4619 - A combination of the same qualified and unqualified sudoUser causes Error: 17: File exists

  • #4568 - Get host key without proxying connection

  • #4501 - Full information regarding priority of lookup of principal in keytab not in man page

  • #4324 - RFE: sssd in cross realm trust configuration should use an AD KDC from a list or site defined in the config file

$ git shortlog --pretty=format:"%h  %s" -w0,4 sssd-1_16_2..sssd-1_16_3

Alexander Bokovoy (2):
    0648053a7  ipa provider: always use a special keytab to talk to a trusted DC
    14faec9cd  ipa provider: expand search base to cover trusted domain objects

Alexey Sheplyakov (1):
    4937f2c68  nss: skip incomplete groups instead of bailing out

Amit Kumar (1):
    1038473e1  Responder: simplify if-else structure in sss_dp_get_account_msg()

Fabiano Fidêncio (18):
    b34fcff0f  intg: Do not hardcode nsslibdir
    ded46b7b7  files: do not apply override_homedir to files provider
    3b19518f1  tests: add override_homedir tests for files provider
    241594613  files: do not apply override_shell to files provider
    fe48bc32d  tests: add override_shell tests for files provider
    024c1b3ae  util: add is_files_provider() helper
    2373df99b  files: make use of is_files_provider() helper
    f0b4d482e  cache_req: keep the files provider as the first domain to be searched
    c07469f7e  tests: add basic tests for cache_req_domain_new_list_from_domain_resolution_order()
    0052abe2c  tests: add a test to ensure the output_fqnames is false for files provider
    efd6702e5  deskprofile: don't bail if we fail to save one profile
    954bf82b6  sdap: respect passwordGracelimit
    6d154a07b  deskprofile: fix a typo in _get_filename_path()
    965e1f4f3  tests: add tests for ipa_deskprofile_get_filename_path()
    49bb45204  util: introduce sss_ssh_print_pubkey()
    b1141e414  ssh: make use of sss_ssh_print_pubkey()
    36f2fe8f6  sss_ssh_knownhostsproxy: add option to only print the pubkey
    e8b417e80  nss: remove unused label

Jakub Hrozek (39):
    b5b073c26  Bumping the version to track the 1.16.3 development
    1575ec97e  TESTS: Extend the schema with sshPublicKey attribute
    56cda832e  TESTS: Allow adding sshPublicKey for users
    804c5b538  TESTS: Add a basic SSH responder test
    cb138d7d0  SSH: Do not exit abruptly if SSHD closes its end of the pipe before reading all the SSH keys
    909c16edb  TESTS: Add a helper binary that can trigger the SIGPIPE to authorizedkeys
    4cc3c1a1b  TESTS: Add a regression test for SIGHUP handling in sss_ssh_authorizedkeys
    b0ec3875d  Revert "LDAP/IPA: add local email address to aliases"
    58f60a094  util: Remove the unused function is_email_from_domain
    d057eb2e2  TESTS: Allow storing e-mail address for users
    76ce965fc  TESTS: Add regression test for looking up users with conflicting e-mail addresses
    5e1641b10  AD/LDAP: Do not misuse the ignore_mark_offline to check if a connection needs to be checked for POSIX attribute presence
    4c79db69c  MAN: Remove outdated notes from the re_expression description
    8071976af  MAN: Document the re_expression needed to support @-signs in the groupnames
    ed90a20a0  SUDO: Create the socket with stricter permissions
    29bbc8e01  AD: expose the helper function to format the site DNS query
    6f80bccc6  RESOLV: Add a resolv_hostport_list request
    a9a9f3934  KRB5/IPA/AD: Add a utility function to create a krb5_service instance
    8971399c8  KRB5: Allow writing multiple addresses to the kdcinfo plugin
    1cce549e0  IPA: Add the options that the IPA subdomains code will read for trusted domains on the client
    18b7f0a30  IPA: Populate kdcinfo files on trust clients with configured AD servers
    014e7d8ab  MAN: Document the options available for AD trusted domains
    c8d1c1b73  SDAP: Detect schemaNamingContext from the rootDSE
    ba96e7b83  AD: Add Global Catalog usability check in subdomain code by looking at the schema
    4273ac049  AD: Remove the legacy check from ad_get_account_domain_posix_check request
    8d7811981  LDAP/AD: Remove the legacy POSIX check from user, group and enumeration searches
    5b2b6493d  LDAP: Remove the legacy POSIX check itself
    4991e467c  sudo testcli: Use hand-crafted JSON for output so that the test CLI is usable in tests
    074a9ea7b  TESTS: Load the sudo schema in the default OpenLDAP test instance and create ou=sudoers
    b14cb238c  TESTS: Add API to add sudo rules in tests
    5d838e133  TESTS: Add a simple sudo LDAP test
    e75601bfe  SUDO: Don't save duplicates when saving qualified names
    90378d31a  crypto: Silence a Coverity warning in OpenSSL version of sss_hmac_sha1()
    ad10153f5  crypto: Make one condition more defensive in NSS version of sss_hmac_sha1()
    6ced87849  SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries
    26db9658b  RESP: Terminate client connection if the permissions check on the priv pipe fails
    1e81d040c  SELINUX: Also call is_selinux_enabled as a check for selinux child
    7225bab5a  P11: Don't return int failure from a bool function
    61c515aa8  Updating translations for the 1.16.3 release

Josef Cejka (1):
    dbb1abae6  Strip whitespaces in netgroup triple.

Lukas Slebodnik (15):
    ececbf9cd  sss_seed: Remove unused parameter from seed_domain_user_info
    4900b8e59  SUDO: Fix running in unprivileged responder
    21ea8204a  SUDO: Root should be able to read/write sssd-sudo socket
    7fbee7903  SPEC: Drop unnecessary check for minor version of el7
    08ae90af3  test_ssh_client: Do not ignore failure from read
    7326b52db  SPEC: Move openssl deps away from unit tests deps
    2a3f24955  PYTHON: Avoid warnings with python3.7
    7b25811b7  SPEC: Move secrets responder to the package sssd-kcm
    950558628  SPEC: Do not build python2 bindings on latest distros
    7ddbcd8fa  BUILD: Replace also runstatedir in templates
    f64e95872  SYSTEMD: Allow to use "/run" in ListenStream
    cd28ef7c6  Revert "Revert "CRYPTO: Suppress warning Wstringop-truncation""
    f62d2af0c  CRYPTO: Save prefix in s3crypt_sha512
    8e1576b1c  crypto-tests: Add unit test for s3crypt_sha512
    a76f96ac1  SSS_CERT: Close file descriptors after executing p11_child

Michal Židek (1):
    bb20d5160  Revert "CRYPTO: Suppress warning Wstringop-truncation"

Stanislav Levin (1):
    a41367f7b  Fix "test-find-uid" and "find_uid-tests" tests

Sumit Bose (14):
    efae9509c  krb5 locator: add support for multiple addresses
    9f6832462  krb5 locator: fix IPv6 support
    c1fbc6b64  krb5 locator: make plugin more robust
    2124275fe  krb5 locator: add unit tests
    cc7922755  AD/IPA: Create kdcinfo file for sub-domains
    d91661e29  krb5: refactor removal of krb5info files
    4759a4827  krb5_common: add callback only once
    f28d99571  data provider: run offline callbacks only once
    a2cc554f4  utils: add libsss_child dependency to libsss_cert
    13c845078  AD: consider resource_groups in PAC as well
    72099c320  utils: make create_ipa_preauth_indicator() public as create_preauth_indicator()
    d724ea3c2  PAM: create pre-auth indicator file
    f1c2d4139  MC: Remove check if record is in the mapped address space
    da9e34e36  tests: fix sss_nss_idmap-tests

amitkumar50 (1):
    c5ef56b4f  MAN: Give information regarding priority of ldap lookup