SSSD 2.2.3 Release Notes

  • allow_missing_name (a pam_sss module option) now treats an empty or whitespace-only user name the same as a missing name, so the name can be derived from other information such as a smart card certificate.

  • The ‘soft_ocsp’ and ‘soft_crl’ options have been added to the certificate verification settings. With them, a smart card logon is not refused merely because the OCSP responder or the CRL cannot be reached (for example while the system is offline); the revocation check is skipped instead of failing. Because a revoked certificate is accepted for as long as its revocation source is unreachable, enable these only where offline logon is a requirement.

  • Smart card authentication in polkit is now allowed by default.

  • ssh_use_certificate_matching_rules now also accepts the special values no_rules and all_rules (see sssd.conf(5) for details).

  • Fixed several memory management errors that caused SSSD to crash under some circumstances.

  • Handling of FreeIPA users and groups whose names contain an ‘@’ sign now works.

  • An issue where autofs was unable to mount shares has been fixed.

  • SSSD could not fail over between servers in ldap_uri whose URIs differed only in the port number. This has been fixed.

  • Added sssd-ldap-attributes man page.

  • Added option monitor_resolv_conf, which controls whether SSSD watches resolv.conf for changes.

  • Added option ssh_use_certificate_matching_rules.

  • Improved AD GPO options man page.

  • Improved sssd-systemtap man page.

  • #3648 - sssd should not always read entire autofs map from ldap

  • #3701 - SSSD service is crashing: dbus_watch_handle() is invoked with corrupted ‘watch’ value

  • #3751 - Propagate error about multiple entries found from cache_req to responder

  • #4111 - use the ERROR and PRINT macros consistently

  • #4252 - [RFE] Regular expression used in sssd.conf not being able to consume an @-sign in the user/group name.

  • #4607 - Stop calling umask(0) in selinux_child now that libsemanage has been fixed

  • #4696 - [RFE] SSSD smart card, configure to soft fail when CRL not available

  • #4854 - sss_ssh_authorizedkeys: no output when attribute value contains trailing whitespace

  • #4899 - test_pam_responder.py needs improvement

  • #4918 - sssctl config-check giving the wrong error message when there are only snippet files and no sssd.conf

  • #4967 - SSSDConfig: some options are unknown

  • #4995 - Non FIPS140 compliant usage of PRNG

  • #5000 - sss_obfuscate fails to rewrite comments

  • #5041 - Let IPA client read IPA objects via LDAP and not via extdom plugin when resolving trusted users and groups

  • #5044 - Trusted domain user logins succeed after using ipa trustdomain-disable

  • #5045 - Improve sssd_nss debug messages

  • #5046 - systemctl status sssd says No such file or directory about “default” when keytab exists but is empty file

  • #5049 - support for defaults entry is failing in sssd sudo against Openldap server

  • #5058 - sss_client: usage of srand()/rand() may be disruptive for the user of lib

  • #5064 - KCM: ccache is created with kdc_offset=INT32_MAX

  • #5065 - [RFE] pam_sss allow_missing_name should allow whitespace-only string

  • #5066 - Null dereference in sssctl/sssctl_domains.c:sssctl_domain_status_active_server()

  • #5072 - automount on RHEL7 gives the message ‘lookup(sss): setautomntent: No such file or directory’

  • #5073 - ldap_uri failover doesn’t work with different ports

  • #5075 - sssd failover leads to delayed and failed logins

  • #5076 - Smart Card authentication in polkit

  • #5077 - autofs: delete possible duplicate of an autofs entry

  • #1731 - Split sssd-ldap man page
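
The new and fixed options listed above, collected into one sssd.conf fragment as an added example (this is not from the release notes or from the SSSD project). Hostnames, paths, the domain and the certmap rule name are constructed placeholders. It assumes that soft_ocsp and soft_crl are values of the certificate_verification option in the [sssd] section, that ssh_use_certificate_matching_rules belongs to the [ssh] section, and that monitor_resolv_conf belongs to [sssd], as documented in sssd.conf(5).

```ini
# Added example; every name below is a placeholder, not a value from the release notes.

[sssd]
domains = example.com
services = nss, pam, ssh
# New in 2.2.3. Leave at the default (true) unless something else keeps
# SSSD's resolver state current; false disables the resolv.conf watch.
monitor_resolv_conf = true

# Strict revocation checking (fail closed): an unreachable OCSP responder
# or CRL means the smart card logon is refused.
certificate_verification = crl_file=/etc/pki/crl/example.crl

# Offline-tolerant variant using the new soft_ocsp / soft_crl values:
# the revocation check is skipped rather than failed when its source is
# unreachable. A revoked certificate is accepted for as long as that lasts,
# so keep the strict line above unless offline logon is a requirement.
#certificate_verification = crl_file=/etc/pki/crl/example.crl, soft_ocsp, soft_crl

[ssh]
# New in 2.2.3: which certificate matching rules apply when deriving SSH
# keys from smart card certificates. all_rules and no_rules are also valid.
ssh_use_certificate_matching_rules = smartcard_ca

# Rule referenced above; matches certificates issued by one placeholder CA.
[certmap/example.com/smartcard_ca]
matchrule = <ISSUER>^CN=Example Smart Card CA,DC=example,DC=com$

[domain/example.com]
id_provider = ldap
# Failover between servers that differ only in port now works (#5073).
ldap_uri = ldaps://ldap1.example.com:636, ldaps://ldap2.example.com:10636

# Not an sssd.conf option: allow_missing_name is an argument to pam_sss in
# the PAM stack, e.g. in /etc/pam.d/system-auth:
#   auth sufficient pam_sss.so allow_missing_name
```

Check the result with sssctl config-check before restarting SSSD; the 2.2.3 fix for #4918 makes its message correct even when the configuration consists only of conf.d snippet files.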

$ git shortlog --pretty=format:"%h  %s" -w0,4 sssd-2_2_2..sssd-2_2_3

Alex Rodin (7):
    f24e5ab53  Added ERROR and PRINT macros to the tools
    111144cdb  Update sss_ssh.c
    05c078e60  Update __init__.py.in
    258e9a558  Added PRINT macro in the sssctl tool
    c6271470b  Update README.md
    16124d411  Updated test_pam_responder.py
    83fb5c355  Created a new sssd-ldap-attributes.5 man page

Alexey Tikhonov (39):
    39e16cca4  providers/ipa/: add_v1_user_data() amended
    3cc0db2fc  responder/cache_req: added debug helper function
    bf2770fa9  responder/nss: improved debug messages
    6f3607835  responder/nss: DCE
    f69c7d0cd  responder: log cmdline of client pid
    e47f143bc  SSS_CLIENT: got rid of using PRNG
    00c60805a  util/server: amended close_low_fds()
    5086353eb  util/sss_krb5.c: elimination of unreachable code
    8f275460a  util/sss_krb5: find_principal_in_keytab() was amended
    716aebab5  util/sss_krb5: fixed few memory handling issues
    e778fa18a  util/sss_krb5: debug messages fixes
    75b1fe684  sssctl/sssctl_domains.c: null dereference fixed
    f3e89aa02  MMAP_CACHE: use CSPRNG to init hash table seed
    bb8b59dde  Moved unsecure sss_rand() out of crypto lib
    24d9d213c  Reduces code duplication
    0102a253e  sss_ssh_knownhostsproxy: relocated O_NONBLOCK setting
    3c09e9dce  sss_ssh_knownhostsproxy: fixed Coverity issue
    a163f65e3  util/sss_krb5: amended sss_krb5_get_error_message()
    4239a85c7  Amended sss_krb5_get_error_message() usage.
    33c94b682  ldap_child: sanitization of error handling
    f9f6a3df8  KEYTAB_CLEAN_NAME macro was replaced
    337a1adf7  SBUS: defer deallocation of sbus_watch_ctx
    b22e5116c  util/server.c: become_daemon() made static
    c654265b3  server:become_daemon(): got rid of unused codepath
    86dc869a8  server:become_daemon(): handle fail of fork()
    9536a911b  server:become_daemon(): fixed waitpid()-loop
    148eae6a8  server:become_daemon(): fix read of uninitialized value
    848cdbc7b  server:become_daemon(): change handling of chdir() fail
    5655df4e9  server:become_daemon(): handle fail of setsid()
    b72c4fa8a  util/memory: sanitization
    f2245b53b  util/memory: helper(s) to securely erase mem was reworked
    0165ef119  tools/sss_seed: proper zeroization of sensitive data
    be7f73127  util: fixed potential mem leak in s3crypt_gen_salt()
    78127eaee  util/sha512_crypt_r: got rid of redundant mem align
    1f667ea3d  util/sha512_crypt_r: removed misleading comments
    275e062b2  util/sha512_crypt_r: proper zeroization of sensitive data
    ad1ae003e  db/sysdb_ops: proper zeroization of sensitive data
    109c21ef6  util/authtok: set destructor in sss_authtok_new()
    0a6fdec57  LDAP: proper handling of master password

Ariel O. Barria (1):
    c53311ed9  sss_obfuscate: do not fail if sssd.conf contains non-ascii characters

Fabiano Fidêncio (1):
    43aae7e3b  TESTS: Re-add tests for `kdestroy -A`

Jakub Hrozek (3):
    dd781242b  KCM: Fix typo in allocation check
    2c9bdcf57  KCM: Set kdc_offset to zero initially
    a41451d01  sudo: use objectCategory instead of objectClass in ad sudo provider

Jakub Jelen (1):
    3a96bab5f  Allow smart card authentication in polkit

Lukas Slebodnik (1):
    f0f0003ce  IFP: Fix talloc hierarchy for members of struct ifp_list_domains_state

MIZUTA Takeshi (4):
    df010718a  sss_client/idmap/common_ex.c: fix sss_nss_timedlock() to return errno
    3d92b14d0  util/server.c: fix handling when error occurs in waitpid()
    1311f728a  Fix timing to save errno
    9f398c7b0  Add processing to save errno before outputting DEBUG

Michal Židek (8):
    bc35fa2f6  Bumping the version to track the 2.2.3 development
    cb04b1418  SPECFILE: Add 'make' as build dependency
    53d4393e6  memcache: Stop using the word fastcache for memcache
    68bdcebc6  MAN: GPO and built-in groups
    8b31be528  bash_rc: Build with systemtap
    5e768c826  MAN: Missing man pages in src/man/po/po4a.cfg
    9d1258ec7  MAN: Fix errors in Japanese translation
    8607b4822  Update the translations for the 2.2.3 release

Niranjan M.R (4):
    07e2850ce  pytest: Use idm:DL1 module to install 389-ds
    f68bb1bfe  pytest: Update README with instructions to execute tests
    c5359c18c  pytest/testlib: Add python-ldap as dependency
    bd1400027  Makefile.am: Use README.md instead of README

Pavel Březina (49):
    65de0d36c  sss_ptr_hash: keep value pointer when destroying spy
    0d477763d  autofs: fix typo in test tool
    5097684dc  sysdb: add expiration time to autofs entries
    eadfba5c6  sysdb: add sysdb_get_autofsentry
    fb83d8205  sysdb: add enumerationExpireTimestamp
    d01ddb06d  sysdb: store enumeration expiration time in autofs map
    e9fc00999  sysdb: store original dn in autofs map
    4efe83c27  sysdb: add sysdb_del_autofsentry_by_key
    8b2ab4887  cache_req: add autofs map entries plugin
    1fc3e4a14  cache_req: add autofs map by name plugin
    85c86687b  cache_req: add autofs entry by name plugin
    7726093e7  autofs: convert code to cache_req
    e5165199c  autofs: use cache_req to obtain single entry in getentrybyname
    29b1ffd01  autofs: use cache_req to obtain map in setent
    ad8b4c16d  dp: add dp_error_to_ret
    0d56c1aa4  dp: add dp_no_output type to be used in dp_set_method
    0e7298639  dp: add additional autofs methods
    2a0b74a56  dp: replace autofs handler with enumerate method
    d096eeb18  ldap: add base_dn to sdap_search_bases
    f3f223202  ldap: rename sdap_autofs_get_map to sdap_autofs_enumerate
    66e1eda6d  ldap: implement autofs get map
    f3aaaca4b  ldap: implement autofs get entry
    e050872d1  autofs: allow to run only setent without enumeration in test tool
    09781a337  autofs: always refresh auto.master
    e016ada3b  sysdb: invalidate also autofs entries
    399b2a656  sss_cache: invalidate also autofs entries
    b241e0790  ci: allow distribution specific suppression files
    4488908f5  ci: suppress Debian valgrind errors
    206d994ed  ci: add Debian 10
    b13409606  ifp: call tevent_req_post in case of error in ifp_user_get_attr_send
    c08ae6cff  sudo: get timezone information from previous value when constructing new usn
    89b256dfe  ci: enable on demand runs
    46754e546  ci: set build name to pull request or branch name
    73bd961c7  ci: notify that build awaits executor
    6baf291ba  ci: convert to scripted pipeline
    50cf3849c  db: fix potential memory leak in sysdb_store_selinux_config
    b32347d35  ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true
    f95db37aa  sss_ptr_hash: pass new hash_entry_t to custom delete callback
    08f015907  failover: make sure we switch to another server if only port differs
    b31f1e26c  autofs: remove unused enum
    14b44e721  autofs: delete possible duplicate of an autofs entry
    f295a028c  ci: store artifacts in jenkins for on-demand runs
    6da8555a0  ci: allow to specify systems where tests should be run for on-demand tests
    f80751eaa  ci: add Fedora 31
    e079a2f8a  ci: install python2 on Fedora 31 and RHEL 8 so python2 bindings can be built
    f084e757e  ci: disable python2 bindings on Fedora 32+
    5d425c10e  man: add missing new line to autofs_attributes.xml
    456e576b8  pam_sss: treat whitespace name as missing name if allow_missing_name is set
    0096d77f2  sudo: add ldap_sudorule_object_class_attr

Paweł Poławski (2):
    fb3a8b3c1  selinux: Keep explicit umask() calls
    f4a500aff  files_ops: Remove unused functions parameter

REIM THOMAS (1):
    274b4f92c  MAN: Provide minimum information on GPO access control

Samuel Cabrero (12):
    f67109c46  SYSDB: Delete linked local user overrides when deleting a user
    4981fe341  SYSDB: Convert cached domain 'enumerated' attribute from bool to uint
    f6ada94ae  SDAP: Add provider name to enumeration and cleanup tasks
    4555b8179  LDAP: Return errno_t for ldap id enumeration task setup functions
    acca871d7  LDAP: Rename enumeration and cleanup functions to contain the provider
    2995a895d  AD: Rename enumeration functions to contain the provider name
    7375083a8  LDAP: Improve ldap_id_setup_enumeration error logic
    d91c1f4ae  LDAP: Remove unnecessary task pointer
    66873cac4  LDAP: Move enum fields to id provider context
    d20a7f9d5  MONITOR: Propagate error when resolv.conf does not exists in polling mode
    9b6323d8e  MONITOR: Add a new option to control resolv.conf monitoring
    d57c67e4e  MONITOR: Resolve symlinks setting the inotify watchers

Sumit Bose (15):
    27b141f38  ipa: use LDAP not extdom to lookup IPA users and groups
    2e1614870  utils: extend some find_domain_* calls to search disabled domain
    3c871a3f7  ipa: support disabled domains
    13297b8aa  ipa: ignore objects from disabled domains on the client
    b12e7a495  sysdb: add sysdb_subdomain_content_delete()
    fa3e53bb9  ipa: delete content of disabled domains
    9ba136ce2  ipa: use the right context for autofs
    02d86b2a7  ssh: add ssh_use_certificate_keys option to config checks
    1a6b6c928  ssh: apply certificate matching rules
    d2da89098  ssh: add option ssh_use_certificate_matching_rules
    30d0ccd49  ssh: enable p11_child logging
    31ebf912d  p11_child: allow verification with no_verification option
    389e2eeb0  p11_child: add 'soft_ocsp' and 'soft_crl' options
    b9a53cfca  ipa: add failover to override lookups
    707fdf040  ipa: add failover to access checks

Thorsten Scherf (1):
    6a203ac22  Fix option type for ldap_group_type

Tomas Halman (9):
    44d46cf28  LDAP: Systemtap ldap probes fail without filter
    7fd907cbe  LDAP: extend LDAP systemtap probes of attr list
    88b875f6b  LDAP: Add probes to be able print ldap attributes
    c4568a9a9  MAN: update systemtap man page
    c79097074  TESTS: tests have to be linked with systemtap
    c7c08e12c  MAN: Update SystemTap man page
    469f1acd6  IPA: Utilize new protocol in IPA extdom plugin
    587c8cb9d  INI: sssctl config-check giving the wrong message
    414c11154  TESTS: check "sssctl config-check" output

pedrosam (1):
    16be48f47  cache_req: propagate multiple entries error to the caller