SSSD 2.9.4 Release Notes
Highlights
Important fixes
Fixes a crash when PAM passkey processing incorrectly handles non-passkey data.
A workaround was implemented to gracefully handle misbehaving applications that destroy the internal state of SSSD client libraries. A particular example of such an application is described in https://github.com/TigerVNC/tigervnc/issues/1709.
An error when rotating KCM’s logs was fixed. When KCM’s logs were rotated by logrotate, KCM would still use the old file (renamed sssd_kcm.log.1). Only after KCM was restarted (either manually or automatically) would the new log file be used. This problem is now solved and KCM uses the new file immediately.
Fixed group membership handling when members come from different forest domains and the use of LDAP token groups is prohibited.
The files provider was erroneously taking the local_auth_policy config option into consideration, thus breaking smartcard authentication of local users in setups that didn’t explicitly specify this option. This is now fixed.
Tickets Fixed
#5708 - SSSD incorrectly works with AD GPO during user login
#6790 - gpo_child process terminates with SIGSEGV.
#6986 - The sss_nss_mc_destroy_ctx() function will close the TCP socket of the daemon process
#7014 - Reduce the amount of memory allocated by KCM and avoid zeroing it when not necessary
#7061 - sssd_pam segfaults during password-based SSH-login
#7072 - sssd_kcm “leaks” around 86MiB of memory per day
#7084 - Invalid handling groups from child domain
#7094 - Incorrect IdM product name in man sssd.conf
Detailed Changelog
$ git shortlog --pretty=format:"%h %s" -w0,4 2.9.3..2.9.4
Alejandro López (9):
469ddcbf6 LOGROTATE: logrotate should also signal sssd_kcm
8c8323451 KCM: Replace a hard-coded constant by a macro
855d04656 KCM: Fixed a wrong check
14e7d7c03 KCM: Remove unused cc_be_type from struct kcm_ccdb
3e740a256 KCM: When freeing the client, check that it is not NULL.
a5c96e290 KCM: sss_iobuf_init_empty() shall not zero memory
78d0a97de KCM: Reduce the amount of memory allocated for the packages
60fde9d55 KCM: Do not zero memory when not need.
46f4161e8 KCM: Fix a memory "leak"
Alexey Tikhonov (9):
f394acee8 SPEC: 'sssd-proxy' requires 'libsss_certmap.so'
4b4564c38 UTIL: use proper specifier for 'DEBUG_CHAIN_ID_FMT_*'
1e2af0d15 Don't provide 'uint64_t' as POPT_ARG_LONG.
6959dc6aa DP: reduce log level in case a responder asks for unknown domain
f6faf1231 LOGS: added missing new line
160738ee8 SSS_CLIENT: MC: in case mem-cache file validation fails,
a186224d6 SSS_CLIENT: check if mem-cache fd was hijacked
abb146e14 SSS_CLIENT: check if reponder socket was hijacked
98d8bedd1 DEBUG: added missing new line
Andre Boscatto (1):
033f3db09 man: fix wrong product name
Dan Lavu (3):
b536e4b3b tests: consolidation, refactoring and organizing, renaming of some tests
cb64d47b2 tests: updating poor assertion in dyndns
1c5a11fc2 tests: adding background refresh tests to the new framework
Iker Pedrosa (4):
ba7b99383 CI: clean configure.sh
31617400e CI: clean distro.sh
52acc3940 CI: clean deps.sh
776f6e198 CI: upload cwrap logs
Jakub Vavra (8):
fd414aae8 Tests: Add a test for bz1900973 kcm delete expired tickets
e44ad3242 Tests: Add a test for kcm log rotation SSSD-5687
1cffe5bca Tests: Fix tokengroups tests.
9f406d427 Tests: Retry realm join as it is flaky on multiarch setups
cbd479d76 Tests: Change path to keytabs to reflect whole domain in them
0ae923834 Tests: Add importance and ticket to multihost
854edfb00 Tests: Revert change of retun type of realm_join
5a2256cba Tests: Add a plugin for a per-test logging
Justin Stephenson (5):
f4908728f passkey: Add krb5 preauthentication prompt support
4d01e11d4 passkey: Skip processing non-passkey mapping data
02c183204 Passkey: Fix coverity memory overrun error
f5e3bb391 Passkey: Fix coverity RESOURCE_LEAK
51f90318b Passkey: Fix valgrind error and missing free
Madhuri Upadhye (2):
a8928a9ad tests: add passkey tests for authentication failures
80d5a34fe Tests: Add passkey test cases for following scenario
Patrik Rosecky (6):
c5d045788 Tests: converted alltests/test_default_debug_level
2bc72a2b7 Tests: alltests/test_autoprivategroup.py converted to system/test_auto_private_groups.py
66bd91d50 Tests: alltests/test_ldap_extra_attrs.py converted to system/tests/test_schema.py
8a78c75ab Tests: multihost/test_sssctl_analyzer.py converted to system/test_sssctl_analyze.py
852b9e0c5 Tests: alltests/test_config_validation converted
bd9cf6f4d Tests: alltests/test_offline.py converted
Pavel Březina (7):
35bcb91b6 ad: do not print backtrace if SSSD domain name is not the same as DNS name
eabeb3a73 ad: do not print backtrace if SOM is missing in GPO
d02874beb tests: adapt to new firewall API
8bf25b6cd scripts: sign tarball with sssd project key
5c224730a scripts: create checksum file for release tarball
eecd41831 pot: update pot files
02d3f214b Release sssd-2.9.4
Sumit Bose (8):
ff520020c ci: make valgrind suppression more relaxed for test_ipa_subdomains_server
e03921e4b nssidmap: fix sss_nss_getgrouplist_timeout() with empty secondary group list
9a6ff9e7b pam: fix Smartcard auth with files provider
be5399c15 sssctl: do not require root for user-checks
936b82816 LDAP: make groups_by_user_send/recv public
09dcc73ed ad: gpo evalute host groups
dda0f2e0b sysdb: remove sysdb_computer.[ch]
f5ce7c1da sdap: add set_non_posix parameter
Tomas Halman (2):
a33931562 Handle child-domain group membership
05de56d0c GPO evaluation of primary group
aborah (1):
c054fc007 Tests: Fix ipa test for gating.