SSSD 1.16.5 Release Notes
Highlights
New Features
New option ad_gpo_ignore_unreadable was added that allows SSSD to ignore unreadable GPO containers in AD.
It is possible to configure auto_private_groups per subdomain or with subdomain_inherit.
Security issues fixed
A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access. (CVE-2018-16838)
Notable bug fixes
Multiple URI specified in ldap_uri did not work properly if they differed only in port number.
Several issues with SUDO rules processing have been fixed.
SSSD sometimes incorrectly started in offline mode. This was fixed.
Issue with missing nested groups after add/remove operation on the sever was fixed.
A use-after-free error causing SSSD service to crash was fixed.
Tickets Fixed
#4933 - cached_auth_timeout not honored for AD users authenticated via trust with FreeIPA
#4947 - Write a list of host names up to a configurable limit to the kdcinfo files
#4857 - [RFE] Need an option in SSSD so that it will skip GPOs that have groupPolicyContainers, unreadable by SSSD
#4938 - [RFE]: Optionally disable generating auto private groups for subdomains of an AD provider
#4931 - sudo: runAsUser/Group does not work with domain_resolution_order
#4832 - KCM: If the default ccache cannot be found, fall back to the first one
#4493 - online detection in case sssd starts before network does appears to be broken
#4937 - Responders:
is_user_local_by_name()
should avoid calling nss API entirely#4948 - Lookahead resolving of host names to provide names for the kdcinfo plugin
#4986 - The server error message is not returned if password change fails
#4902 - Double free error in tev_curl
#4890 - SSSD doesn’t clear cache entries for IDs below min_id.
#3895 - FAIL test-find-uid
#3919 - sssd failover does not work on connecting to non-responsive <ldaps://server
#5018 - nss_cmd_endservent resets the wrong index
#4980 - Removing domain from ad_enabled_domains is not reflected in cache
#5026 - Paging not enabled when fetching external groups, limits the number of external groups to 2000
#3648 - sssd should not always read entire autofs map from ldap
#5033 - IFP: GetUserAttr does not search by UPN
#5044 - Trusted domain user logins succeed after using ipa trustdomain-disable
#5042 - Integration tests use python2 unconditionally
#5077 - autofs: delete possible duplicate of an autofs entry
#3701 - SSSD service is crashing: dbus_watch_handle() is invoked with corrupted ‘watch’ value
#4968 - sudo: do not update last usn when updating expired rules
#4969 - sudo: always use server highest usn for smart refresh
#5014 - sudo: incorrect usn value for openldap
#5049 - support for defaults entry is failing in sssd sudo against Openldap server
#5085 - Impossible to enforce GID on the AD’s “domain users” group in the IPA-AD trust setup
#4489 - TESTS: make intgcheck is not always passing in the internal CI (enumeration tests)
#5092 - Force LDAPS over 636 with AD Provider
#5053 - Watchdog implementation or usage is incorrect
#4657 - nested group missing after updates on provider
#5073 - ldap_uri failover doesn’t work with different ports
#5106 - Expecting appropriate error message when new password length is less than 8 characters when ldap_pwmodify_mode = ldap_modify in sssd.conf
#5123 - SSSD-1-16: sbus_auto_reconnect(): “off-by-one error” in
reconnection_retries
interpretation `
Packaging Changes
None.
Documentation Changes
Added new option ldap_sasl_maxssf
Added new option ad_gpo_ignore_unreadable
Detailed Changelog
$ git shortlog --pretty=format:"%h %s" -w0,4 sssd-1_16_4..sssd-1_16_5
Alexey Tikhonov (13):
33ac11fb7 Util: added facility to load nss lib syms
8ba8b7136 responder/negcache: avoid calling nsswitch NSS API
cc6d16a20 negcache_files: got rid of large array on stack
5bba0d33e TESTS: moved cwrap/test_negcache to cmocka tests
b05f98e34 ci/sssd.supp: getpwuid() leak suppression
37718f82c util/tev_curl: Fix double free error in schedule_fd_processing()
7b3c8e8c5 util/find_uid.c: fixed debug message
fb50da239 util/find_uid.c: fixed race condition bug
e294f7351 providers/ipa/: add_v1_user_data() amended
f845355e3 SBUS: defer deallocation of sbus_watch_ctx
0c620666d util/watchdog: fixed watchdog implementation
c0d64190a TESTS: added sss_ptr_hash unit test
a1bdab36e SBUS: fixed off-by-one error" in sbus_auto_reconnect()
Branen Salmon (1):
7fe2b4465 knownhostsproxy: friendly error msg for NXDOMAIN
Fabiano Fidêncio (1):
bcb79f676 INTG: Increase the sleep() time so the changes are reflected on SSSD
Jakub Hrozek (34):
f2f5539b6 Updating the version for 1.16.5
fedfc4fa5 SYSDB: Inherit cached_auth_timeout from the main domain
6f6b3b1f4 AD: Allow configuring auto_private_groups per subdomain or with subdomain_inherit
eaceb6a21 SDAP: Add sdap_has_deref_support_ex()
2c97edb4b IPA: Use dereference for host groups even if the configuration disables dereference
6c568c912 KCM: Fall back to using the first ccache if the default does not exist
e4dd2843a krb5: Do not use unindexed objectCategory in a search filter
7d8b28ad6 SYSDB: Index the ccacheFile attribute
23fb7ea2f krb5: Silence an error message if no cache entries have ccache stored but renewal is enabled
0a637fff4 PAM: Also cache SSS_PAM_PREAUTH
4ab1b754a LDAP: Return the error message from the extended operation password change also on failure
05b37ac18 TESTS: Add a unit test for UPNs stored by sss_ncache_prepopulate
0ca64be4d IPA: Allow paging when fetching external groups
bca2f94aa SYSDB: Add sysdb_search_with_ts_attr
3ee57e7fa BE: search with sysdb_search_with_ts_attr
6bd021d22 BE: Enable refresh for multiple domains
c56e16525 BE: Make be_refresh_ctx_init set up the periodical task, too
936b423eb BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end
5c60056ec BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME
8a8b23441 BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx
0ef02c908 BE/LDAP: Split out a helper function from sdap_refresh for later reuse
87cd4ec85 BE: Pass in filter_type when creating the refresh account request
cb118860a BE: Send refresh requests in batches
b7110e05e BE: Extend be_ptask_create() with control when to schedule next run after success
e1830ba30 BE: Schedule the refresh interval from the finish time of the last run
25b66e245 AD: Implement background refresh for AD domains
468ee8bfe IPA: Implement background refresh for IPA domains
159d1afd3 BE/IPA/AD/LDAP: Add inigroups refresh support
c3956d254 BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication
8f027707e IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
1754e3e08 MAN: Amend the documentation for the background refresh
75b669567 DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function
06fed80b6 IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request
fd8865e80 sudo: use objectCategory instead of objectClass in ad sudo provider
Lukas Slebodnik (16):
7b9524231 BUILD: Add macro for checking python3 modules
44735f87d BUILD: Fix typo of detecting python module for intgcheck
cf2b5ec3f BUILD: Move checking of python2 modules for intgcheck
f9a4f722c BUILD: Add macro for checking pytest for intgcheck
03ba5e766 BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS
cd0d38c07 BUILD: Move python checks for intgcheck to macro
958f02dc6 INTG: Do hot hardcode version of python/pytest in intgcheck
ec785153f BUILD: Prefer python3 for intgcheck
3a8ae6dad intg: Install python3 dependencies for intgcheck on new distros
4c2df3aa6 pyhbac: Fix warning Wdiscarded-qualifiers
ed26a1e32 SSSDConfig: Add minimal test for parse method
4f577e2f2 SSSDConfig: Fix SyntaxWarning "is not" with a literal
8557cd9f1 TESTS: Add minimal test for pysss encrypt
8bc81b313 pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN
0ba6af645 pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN
c962c70ef testlib: Fix SyntaxWarning "is" with a literal
Michal Židek (3):
ad058011b GPO: Add option ad_gpo_ignore_unreadable
a4974d1a9 Updated translation files.
c2053e909 translation: Add missing new lines
Pavel Březina (79):
5ad7f5e81 ipa: store sudo runas attribute with internal fqname
3a18e33f9 sudo: format runas attributes to correct output name
23ad178aa ci: enable sssd-ci for 1-16 branch
f988c870b ci: switch to new tooling and remove 'Read trusted files' stage
8003e3249 ci: rebase pull request on the target branch
85dab318c ci: print node on which the test is being run
c9c2b6012 ad: remove subdomain that has been disabled through ad_enabled_domains from sysdb
0e16ec74c sysdb: add sysdb_domain_set_enabled()
800d24dcc ad: set enabled=false attribute for subdomains that no longer exists
b2cd4a74e sysdb: read and interpret domain's enabled attribute
3c6c9d4d9 sysdb: add sysdb_list_subdomains()
5605fa5f8 ad: remove all subdomains if only master domain is enabled
0b6f14408 ad: make ad_enabled_domains case insensitive
795606177 sss_ptr_hash: add sss_ptr_get_value to make it useful in delete callbacks
00926ab45 sss_ptr_hash: keep value pointer when destroying spy
49ad0b9b8 autofs: fix typo in test tool
ccf14f490 sysdb: add expiration time to autofs entries
57e33404e sysdb: add sysdb_get_autofsentry
c36605002 sysdb: add enumerationExpireTimestamp
11ffb775d sysdb: store enumeration expiration time in autofs map
efe44597a sysdb: store original dn in autofs map
49b5baf0e sysdb: add sysdb_del_autofsentry_by_key
466560623 autofs: move data provider functions to responder common code
01b7dc921 cache_req: add autofs map entries plugin
e683556dc cache_req: add autofs map by name plugin
6fe479a21 cache_req: add autofs entry by name plugin
b0043a95f autofs: convert code to cache_req
27d2dcfb7 autofs: use cache_req to obtain single entry in getentrybyname
61a7bf4d2 autofs: use cache_req to obtain map in setent
ca1ee9933 dp: replace autofs handler with enumerate method
0b780a0d5 dp: add additional autofs methods
fb9a42d95 ldap: add base_dn to sdap_search_bases
bd15a135c ldap: rename sdap_autofs_get_map to sdap_autofs_enumerate
fcb6f55c0 ldap: implement autofs get map
2e4525837 ldap: implement autofs get entry
3e04a8127 autofs: allow to run only setent without enumeration in test tool
ac712654f autofs: always refresh auto.master
58f3d5469 sysdb: invalidate also autofs entries
9131b90f0 sss_cache: invalidate also autofs entries
5157fccfd ci: add Debian 10
6b2c9e822 ci: allow distribution specific supression files
c8a4c8e2e ci: suppress Debian valgrind errors
c097e2b91 ifp: let cache_req parse input name so it can fallback to upn search
cc7b9366f ifp: call tevent_req_post in case of error in ifp_user_get_attr_send
b0e56ee31 ci: add Debian suppresion path
900ebdbdb ci: use python2 version of pytest
d7fe86145 ci: pep8 was renamed to pycodestyle in Fedora 31
28668d2f1 ci: remove left overs from previous rebase
50dffac31 pysss: use METH_VARARGS | METH_KEYWORDS instead of just METH_KEYWORDS
fc0be68fc ci: enable on demand runs
1f6fdb98e ci: set build name to pull request or branch name
7374ac4d6 ci: notify that build awaits executor
3a4d13c27 ci: convert to scripted pipeline
04bd7372f autofs: remove unused enum
416064949 autofs: delete possible duplicate of an autofs entry
91f7b6c65 ci: store artifacts in jenkins for on-demand runs
8b75c2118 ci: allow to specify systems where tests should be run for on-demand tests
88f2c6317 ci: add Fedora 31
c2e2f384c ci: install python2 on Fedora 31 and RHEL 8 so python2 bindings can be built
5bdfc48f4 ci: disable python2 bindings on Fedora 32+
638431001 sudo: do not update last usn value on rules refresh
38d00c4b4 sudo: always use server highest known usn for smart refresh
fb2c54b69 man: update sudo smart refresh documentation to reflect new USN behavior
19e8a02b0 sudo: use proper datetime for default modifyTimestamp value
a1be9af74 sudo: get timezone information from previous value when constructing new usn
634c1e0e4 sudo: add ldap_sudorule_object_class_attr
80e6f714f nss: use real primary gid if the value is overriden
d8eec7173 ci: add rhel7
7e6ab55b2 ci: set sssd-ci notification to pending state when job is started
b9d419f84 ci: archive ci-mock-result
ec8f5fd5e tests: fix race condition in enumeration tests
702e5fd29 ci: add CentOS 7
191f3722f sss_sockets: pass pointer instead of integer
9a7c044dc memberof: keep memberOf attribute for nested member
78cf8b132 ci: keep system list outside repository
1066130bf ci: remove old dependency repository
7f46c85dc sss_ptr_hash: pass new hash_entry_t to custom delete callback
4b1d1a099 failover: make sure we switch to another server if only port differs
ddf0a59a6 sdap: provide error message when password change fail in ldap_modify mode
Samuel Cabrero (2):
2173201b5 SUDO: Allow defaults sudoRole without sudoUser attribute
9673ca898 nss: Fix command 'endservent' resetting wrong struct member
Simo Sorce (1):
bad7c631b Add TCP level timeout to LDAP services
Sumit Bose (30):
b927dc7c8 ipa: ipa_getkeytab don't call libnss_sss
ceb4c8e21 pam: introduce prompt_config struct
d453f92e1 authtok: add dedicated type for 2fa with single string
ca65bfdab pam_sss: use configured prompting
c91c6dd4b PAM: add initial prompting configuration
efefac9f4 getsockopt_wrapper: add support for PAM clients
558b54327 intg: add test for password prompt configuration
e6734785f winbind idmap plugin: update struct idmap_domain to latest version
f5d031ba4 SDAP: allow GSS-SPNEGO for LDAP SASL bind as well
373b1136c sdap: inherit SDAP_SASL_MECH if not set explicitly
cb94d00f3 DP: add NULL check to be_ptask_{enable|disable}
9b8c66d53 tests: fix enctypes in test_copy_keytab
3a92a87d4 CI: use python3-pep8 on Fedora 31 and later
8f45a020d BUILD: fix libpython handling in Python3.8
934341e1e negcache: add fq-usernames of know domains to all UPN neg-caches
370dbcc62 ci: add pam wrapper
2ea937af4 utils: extend some find_domain_* calls to search disabled domain
698e27d8b ipa: support disabled domains
cc42fe7da ipa: ignore objects from disabled domains on the client
a9f03f01b sysdb: add sysdb_subdomain_content_delete()
124957a91 ipa: delete content of disabled domains
fbd38903a ipa: use LDAP not extdom to lookup IPA users and groups
a967afdd0 ipa: use the right context for autofs
489706399 ipa: add failover to override lookups
a4dd1eb50 ipa: add failover to access checks
3f370ad8c sdap: update last_usn on reconnect
44e76055d ad: allow booleans for ad_inherit_opts_if_needed()
b2aca1f7d ad: add ad_use_ldaps
07d19249a ldap: add new option ldap_sasl_maxssf
9b875b87f ad: set min and max ssf for ldaps
Tomas Halman (7):
c225ed7ff krb5: Write multiple dnsnames into kdc info file
dab55626c Providers: Delay online check on startup
ec0c31a71 krb5: Lookahead resolving of host names
fb3f1af38 CACHE: SSSD doesn't clear cache entries
442cd6583 LDAP: failover does not work on non-responsive ldaps
5b571efa6 CONFDB: Files domain if activated without .conf
e48cdfb69 TESTS: adapt tests to enabled default files domain