SSSD 2.4.1 Release Notes
Highlights
General information
SYSLOG_IDENTIFIER
was renamed toSSSD_PRG_NAME
in journald output, to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.
New features
New PAM module
pam_sss_gss
for authentication using GSSAPIcase_sensitive=Preserving
can now be set for trusted domains with AD providercase_sensitive=Preserving
can now be set for trusted domains with IPA provider. However, the option needs to be set toPreserving
on both client and the server for it to take effect.case_sensitive
option can be now inherited by subdomainscase_sensitive
can be now set separately for each subdomain in[domain/parent/subdomain]
sectionkrb5_use_subdomain_realm=True
can now be used when sub-domain user principal names have upnSuffixes which are not known in the parent domain. SSSD will try to send the Kerberos request directly to a KDC of the sub-domain.
Important fixes
krb5_child uses proper umask for DIR type ccaches
Memory leak in the simple access provider
KCM performance has improved dramatically for cases where large amount of credentials are stored in the ccache.
Packaging changes
Added
pam_sss_gss.so
PAM module andpam_sss_gss.8
manual page
Configuration changes
New default value of
debug_level
is 0x0070Added
pam_gssapi_check_upn
to enforce authentication only with principal that can be associated with target user.Added
pam_gssapi_services
to list PAM services that can authenticate using GSSAPI
Tickets Fixed
#3413 - autofs: return a connection failure until maps have been fetched
#3730 - proxy_child hardening
#4590 - syslog mesages for back ends uses invalid ident tag
#4759 - sssd krb5_child using wrong domain to authenticate
#4829 - KCM: Increase the default client idle timeout, consider decreasing the timeout on busy servers
#5121 - timestamp cache entries are not created if missing
#5238 - Unexpected behavior and issue with filter_users/filter_groups option
#5250 - [RFE] RHEL8 sssd: inheritance of the case_sensitive parameter for subdomains.
#5333 - sssd-kcm does not store TGT with ssh login using GSSAPI
#5349 - kcm: poor performance with large number of credentials
#5351 - Do not overwrite LDAP data of local domain when looking up a Global Catalog
#5359 - SSSD can hang being blocked on TCP operation involving socket opened internally by libldap
#5382 - User lookups over the InfoPipe responder fail intermittently
#5384 - sssd syslog/journal logging is now too generic
#5400 - Can’t login with smartcard with multiple certs having same ID value
#5403 - filter_groups option partially filters the group from ‘id’ output of the user because gidNumber still appears in ‘id’ output [RHEL 8]
#5412 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr()
#5425 - SBUS: failures during servers startup
#5436 - krb5_child: “DIR:” ccache directory created with bad mode 0600 due to umask
#5451 - resolv: resolv_gethostbyname_dns_parse() doesn’t properly handle fail of ares_parse_*_reply()
#5456 - Memory leak in the simple access provider
#5466 - SBUS: NULL deref in dp_client_handshake_timeout()
#5469 - sssd unable to lookup certmap rules
#5471 - [RFE] sss_override: Usage limitations clarification in man page
#5475 - Do not add ‘%’ to group names already prefixed with ‘%’ in IPA sudo rules
#5488 - Unexpected (?) side effect of SSSDBG_DEFAULT change
Detailed Changelog
$ git shortlog --pretty=format:"%h %s" -w0,4 sssd-2_4_0..2.4.1
Alexander Bokovoy (1):
cd48ef507 sudo runas: do not add '%' to external groups in IPA
Alexey Tikhonov (65):
f7dba450c SDAP: set common options for sockets open by libldap
833034f53 DEBUG: journal_send() was made static
18233532b DEBUG: fixes program identifier as seen in syslog
ff24d1538 SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in msgs[]
0e225ff79 KCM: avoid NULL deref
e350d917e SYSDB:autofs: cosmetic updates
df723cb98 SYSDB: wrong debug message corrected
d8af1db84 SYSDB:sudo: changed debug message to be consistent
b4acf71d0 SYSDB:iphosts: severity level of few debug messages adjusted
a73df70ee SYSDB:ipnetworks: severity level of few debug messages adjusted
033c31a2a SYSDB:ops: few debug messages were corrected
744582419 SYSDB:search: few debug messages were corrected
f55c95990 SYSDB:selinux: debug message severity level was adjusted
e731368ed SYSDB:service: severity level of few debug messages adjusted
82dc14b02 SYSDB:upgrade: debug message corrected
daa5454f8 SYSDB:views: few debug message corrections
fe0530ef9 MONITOR: severity level of few debug messages adjusted
85d8adc4d P11_CHILD: severity level of few debug messages adjusted
d6f6f053d AD: few debug message corrections
2f70695a8 DP: few debug message corrections
667b983aa IPA: few debug message corrections
9244820af KRB5: few debug message corrections
ff8f44ce2 LDAP: few debug message corrections
d91409df4 PROXY: few debug message corrections
fb052a4c9 RESOLV: debug message correction
018c08acb AUTOFS: few debug message corrections
01ba32f25 CACHE_REQ: debug message correction
058644f2e RESPONDER: few debug message corrections
f457a1a69 IFP: few debug message corrections
f028253ff NSS: few debug message corrections
3cbd0465b PAM: few debug message corrections
5068655a6 UTIL: few debug message corrections
ac2285900 PAM: reduce log level in may_do_cert_auth()
a7b6413d9 UTIL: sss_ldb_error_to_errno() improved
52dc85540 SYSDB: reduce log level in sysdb_update_members_ex() in case failed attempt to DEL unexisting attribute
99e44d9db LDAP: added missed \n in log message
a419b7e67 SSS_IFACE: corrected misleading return code
1af89925e IPA: corrected confusing message
69aa3e8c4 DP: do not log failure in case provider doesn't support check_online method
90dae38d7 RESPONDER: reduce log level in sss_parse_inp_done() in case of "Unknown domain" since this might be search by UPN
6e3b4d745 SBUS: reduced log level in case of unexpected signal
a7b145b99 LDAP: reduced log level in hosts_get_done()
26fdc3c8f CACHE_REQ: reduced log level in cache_req_object_by_name_well_known() Non fqdn input isn't necessarily an error here.
ed6ec5697 SDAP: reduced log level in case group without members
29f243fd5 AD: reduced log level in case check_if_pac_is_available() can't find user entry. This is typical situation when, for example, INITGROUPS lookup is executed for uncached user.
4fe060abb FILES: reduced debug level in refresh_override_attrs() if case "No overrides, nothing to do"
644453f8d LOGS: default log level changed to <= SSSDBG_OP_FAILURE
0986cf6ce UTIL: fixed bug in server_setup() that prevented setting debug level to 0 explicitly
9215cf4e2 CERTMAP: removed stray debug message
9390af3c2 IPA: reduce log level in apply_subdomain_homedir()
60b17be9e SYSDB: changed log level in sysdb_update_members_ex()
bf873598a IPA: ignore failed group search in certain cases
e86599ba0 IPA: changed logging in ipa_get_subdom_acct_send()
dba7de0db SYSDB: changed logging in sysdb_get_real_name()
00e3ac4a4 LDAP: reduce log level in case of fail to store members of missing group (it might be built-in skipped intentionally)
0db68a1f9 LDAP: sdap_save_grpmem(): log level changed
bd2f38abe UTIL: find_domain_by_object_name_ex() changed log level
d207eaafc RESOLV: handle fail of ares_parse_*_reply() properly
bdf461c75 SBUS: do not try to del non existing sender
c48a4e804 Removed leftovers after PR #5246
66ef363b1 dhash tables are now created with count=0 whenever no useful size hint available
0c6924b8d SBUS: set sbus_name before dp_init_send()
3986deade PROXY: child process security hardening
b6fc7c0e9 Sanitize --domain option to allow safe usage as a part of log file name
ff0f76561 Makefile: add missing '-fno-lto' to some tests
Anuj Borah (1):
39c52817d TESTS:KCM: Increase client idle timeout to 5 minutes
Armin Kuster (1):
b0edc83e3 Provide missing defines which otherwise are available on glibc system headers
Deepak Das (1):
6c9f929ad man: sss_override clarification
Duncan Eastoe (2):
4b0bd8455 nss: Use posix_fallocate() to alloc memcache file
311e22724 nss: remove clear_mc_flag file after clearing caches
Evgeny Sinelnikov (1):
5892c3676 krb5: allow to use subdomain realm during authentication
Justin Stephenson (1):
3fdfb42b5 krb5: Remove secrets text from drop-in KCM file
Madhuri Upadhye (6):
78ef0828d Test: AD: For sssd crash in ad_get_account_domain_search
b5264396b Test: alltests: "enabled" option to domain section
2b00d5071 Update remove command to delete the snippet files
014f416d0 Update the title of test case.
cdad94802 Tests: alltests: "ldap_library_debug_level" option to domain section
536e8b83a alltests: password_policy: Removing the log debug messages
Marco Trevisan (Treviño) (1):
a06ce2107 test_ca: Look for libsofthsm2 in libdir before falling back to hardcoded paths
Pavel Březina (64):
b913ddbd5 Update version in version.m4 to track the next release
47a316c85 kcm: fix typos in debug messages
8edcea8c3 kcm: avoid name confusion in GET_CRED_UUID_LIST handlers
b8f28d9aa kcm: disable encryption
74fdaa64b kcm: avoid multiple debug messages if sss_sec_put fails
908c15af9 secrets: allow to specify secret's data format
ed08ba002 secrets: accept binary data instead of string
b6cc661b9 iobuf: add more iobuf functions
9b1631def kcm: add json suffix to existing searialization functions
e63a15038 kcm: move sec key parser to separate file so it can be shared
15069a647 kcm: avoid suppression of cppcheck warning
f17740d83 kcm: add spaces around operators in kcmsrv_ccache_key.c
194447d35 kcm: use binary format to store ccache instead of json
241ee30da kcm: add per-connection data to be shared between requests
a370553c9 sss_ptr_hash: fix double free for circular dependencies
c3b314db5 kcm: store credentials list in hash table to avoid cache lookups
bf127d4f3 secrets: fix may_payload_size exceeded debug message
9c1b51d05 secrets: default to "plaintext" if "enctype" attr is missing
39277cdad secrets: move attrs names to macros
325de5a5b secrets: remove base64 enctype
3f0ba4c2d cache_req: allow cache_req to return ERR_OFFLINE if all dp request failed
e50258da7 autofs: return ERR_OFFLINE if we fail to get information from backend and cache is empty
9098108a7 autofs: translate ERR_OFFLINE to EHOSTDOWN
34c519a48 autofs: disable fast reply
8a22d4ad4 autofs: correlate errors for different protocol versions
075519bce configure: check for stdatomic.h
18b98836e kcm: decode base64 encoded secret on upgrade path
45f2eb57d sss_format.h: include config.h
3b0e48c33 packet: add sss_packet_set_body
6715b31f2 domain: store hostname and keytab path
a3e2677f9 cache_req: add helper to call user by upn search
dcc42015f pam: fix typo in debug message
d63172f12 pam: add pam_gssapi_services option
fffe3169b pam: add pam_gssapi_check_upn option
d09aa174b pam: add pam_sss_gss module for gssapi authentication
4ea1739d0 pam_sss: fix missing initializer warning
c0ae6d34f pamsrv_gssapi: fix implicit conversion warning
cc173629f gssapi: default pam_gssapi_services to NULL in domain section
111b8b4d6 pam_sss_gssapi: fix coverity issues
2499bd145 cache_req: ignore autofs not configured error
0eb0281c9 man: add auto_private_groups to subdomain_inherit
12eb04b2f subdomains: allow to inherit case_sensitive=Preserving
f26559504 subdomains: allow to set case_sensitive=Preserving in subdomain section
f6bb31af5 subdomains: allow to inherit case_sensitive=Preserving for IPA
944c47e27 man: update case_sensitive documentation to reflect changes for subdomains
78af35c35 po: add pam_sss_gss to translated man pages
6add2ef31 pot: update pot files
d163a120b spec: synchronize with Fedora 34 spec file
3e5ff111c spec: remove unneeded conditionals and unused variables
8b68aa28d spec: keep _strict_symbol_defs_build
eb6a3bacb spec: enable LTO
2b1c3c3dd spec: remove support for NSS
fcbbf1244 spec: remove --without-python2-bindings
2970cd639 spec: re-import changes that were not merged in Fedora
5eb4d5c8e spec: synchronize with RHEL spec file
e56ddbedd spec: use sssd user on RHEL
38d761466 spec: remove conflicts that no longer make sense
bf1482c2f spec: remove unused BuildRequires
6f47eaca4 spec: remove unused Requires
5d02f1e8b spec: sort Requires, BuildRequires and configure for better clarity
482ab2d8f spec: comment some requirements
ea55cd023 spec: fix spelling in package description
3ee3c4c61 spec: use %autosetup instead of %setup
78323d44e configure: libcollection is not required
Paweł Poławski (2):
1e9abd508 data_provider_be: Add random offset default
171b664ec data_provider_be: MAN page update
Samuel Cabrero (2):
4ab47a914 Improve samba version check for ndr_pull_steal_switch_value signature
6617f3d7d winbind idmap plugin: Fix struct idmap_domain definition
Sergio Durigan Junior (1):
a25256fe2 Only start sssd.service if there's a configuration file present
Shridhar Gadekar (1):
fb6edec60 Tests:ad:sudo: support non-posix groups in sudo rules
Steeve Goveas (13):
804ae76d6 Move conftest.py to basic dir
ef4c82bb9 Add alltests code
73f5699bc Add ad test code
3c06709b9 Add ipa test code
6cc11a9a8 Update sssd testlibs
4205accc2 Add empty conftest.py and update path to run basic tests
fe56d5c9e Fix pep8 issues
d2d44e9a3 Include data directory
94a9833b0 Fix errors found during testing
f404cd3e3 Remove trailing whitespaces
1a616b590 tests: modify ipa client install for fedora
f7ccc6799 TEST: Split tier1 tests with new pytest marker
0f2d31e2e tests: netstat command not found for test
Sumit Bose (18):
81e757b7b ifp: fix use-after-free
5f3b9e1d4 AD: do not override LDAP data during GC lookups
0e1bcf77b negcache: make sure domain config does not leak into global
385af99ff utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
0dc81a52e negcache: make sure short names are added to sub-domains
fa4b46e7d negcache: do not use default_domain_suffix
3b158934c ifp: fix original fix use-after-free
c87b2208b nss: check if groups are filtered during initgroups
1b9b7f5a6 pam_sss: use unique id for gdm choice list
8b6be52e9 authtok: add label to Smartcard token
b8800d3e1 pam_sss: add certificate label to reply to pam_sss
f633f37e7 add tests multiple certs same id
19c2c641e simple: fix memory leak while reloading lists
6ca29942c krb5_child: use proper umask for DIR type ccaches
e7fb88fc6 BUILD: Accept krb5 1.19 for building the PAC plugin
e07eeea7d responders: add callback to schedule_get_domains_task()
cb936e920 pam: refresh certificate maps at the end of initial domains lookup
2d26c95d7 ssh: restore default debug level
Tomas Halman (2):
37761b42f CACHE: Create timestamp if missing
62b2b4972 TESTS: Add test for recreating cache timestamp
Valters Jansons (1):
01cc26749 DEBUG: Drop custom syslog identifier from journald
Weblate (1):
b38701b9e Update the translations for the 2.4.1 release
aborah (1):
b5c5281c5 TESTS:sssd-kcm does not store TGT with ssh login using GSSAPI
peptekmail (3):
568bb1a0f Add rsassapss cert for future checks
92ed415cd Add rsassapss cert for future checks
7f3576ea3 Add rsassapss cert for future checks
tobias-gruenewald (3):
e25f87901 Change LDAP group type from int to string
afa15cb73 Change LDAP group type from int to string
2786071e4 Change LDAP group type from int to string