
Releases: SSSD/sssd

sssd-1.16.3

16 Apr 09:01

SSSD 1.16.3

Highlights

New Features

  • The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were discovered for a Kerberos realm used to be only generated for the joined domain, not the trusted domains. Starting with this release, the kdcinfo files are generated automatically also for trusted domains in setups that use id_provider=ad and IPA masters in a trust relationship with an AD domain.
  • The SSSD Kerberos locator plugin, which processes the kdcinfo files and actually tells libkrb5 about the available KDCs, can now process multiple addresses if SSSD generates more than one. At the moment, this feature is only used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8) manual page for more information about the Kerberos locator plugin.
  • On IPA clients, the AD DCs or the AD site which should be used to authenticate users can now be listed in a subdomain section. Please see the feature design page or the section "trusted domains configuration" for more details.

Notable bug fixes

  • SECURITY: The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read anyone else's sudo rules. This was considered an information leak and assigned CVE-2018-10852 (#3766)
  • IMPORTANT: The 1.16.2 release was storing the cached passwords without a salt prefix string. This bug was fixed in this release, but any password hashes generated by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is that the upgrade from 1.16.2 to 1.16.3 should be done while the authentication server is reachable, so that the first authentication after the upgrade fixes the cached password.
  • The sss_ssh process leaked file descriptors when converting more than one X.509 certificate to an SSH public key (#3794)
  • SSSD, when configured with id_provider=ad, was using an overly expensive LDAP search to find out whether the required POSIX attributes were replicated to the Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which is much more efficient (#3755)
  • The PAC responder is now able to process Domain Local groups in case the PAC uses SID compression. Typically this is the case with Windows Server 2012 and newer (#3767)
  • Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would close the pipe towards sss_ssh_authorizedkeys when the matching key is found before the rest of the output is read. The sss_ssh_authorizedkeys helper was not handling this behaviour well and would exit with SIGPIPE, which also meant the public key authentication failed (#3747)
  • User lookups no longer fail if a user's e-mail address conflicts with another user's fully qualified name (#3607)
  • The override_shell and override_homedir options are no longer applied to entries from the files domain. (#3758)
  • Several bugs related to the FleetCommander integration were fixed (#3773, #3774)
  • The grace logins with an expired password when authenticating against certain newer versions of the 389DS/RHDS LDAP server did not work (#3597)
  • Whitespace around netgroup triple separator is now stripped
  • The sss_ssh_knownhostsproxy utility can now print the host key without proxying the connection.
  • Due to an overly restrictive check, the fast in-memory cache was sometimes skipped, which caused a high load on the sssd_nss process (#3776).
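
The EPIPE handling that the sss_ssh_authorizedkeys fix above amounts to, as an added example (not SSSD's code): with SIGPIPE ignored, a write to a pipe whose reader has gone raises BrokenPipeError, which an AuthorizedKeysCommand helper should treat as "consumer satisfied" rather than as a fatal error. The simulation stands in for sshd closing the pipe after the first key; the key strings are constructed.

```python
import os
import signal

# Constructed sample output of an AuthorizedKeysCommand helper (not real keys).
SAMPLE_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE alice@example",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO alice@example",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTHREE alice@example",
]

# With the default SIG_DFL disposition a C helper is killed outright when the
# reader closes the pipe; ignoring SIGPIPE turns that into EPIPE on write,
# which Python surfaces as BrokenPipeError. CPython already ignores SIGPIPE
# at startup; it is set explicitly here so the intent is visible.
signal.signal(signal.SIGPIPE, signal.SIG_IGN)


def write_keys(fd, keys):
    """Write one key per line to fd. Return the number of keys fully written;
    stop quietly as soon as the reader has closed its end."""
    written = 0
    for key in keys:
        try:
            os.write(fd, (key + "\n").encode())
        except BrokenPipeError:
            # sshd found its match and stopped reading: nothing left to do.
            break
        written += 1
    return written


def simulate_early_close(keys):
    """Reader takes the first key, then closes. Returns (keys written before
    the close, keys written after it); the helper must survive the second."""
    rfd, wfd = os.pipe()
    try:
        before = write_keys(wfd, keys[:1])
        os.read(rfd, 65536)       # sshd consumes the first key ...
        os.close(rfd)             # ... and closes the pipe once it matched
        after = write_keys(wfd, keys[1:])
    finally:
        os.close(wfd)
    return before, after


if __name__ == "__main__":
    print(simulate_early_close(SAMPLE_KEYS))   # (1, 0): no SIGPIPE death
```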

Packaging Changes

  • The python2 bindings are not built by default on Fedora 29 or newer
  • The sssd-secrets responder is now packaged in the sssd-kcm subpackage and might be removed in a future release

Documentation Changes

  • sss_ssh_knownhostsproxy has a new option -k/--print.

See full release notes here.

sssd-1.16.2

16 Apr 09:01

SSSD 1.16.2

Highlights

New Features

  • The smart card authentication, or more generally the certificate authentication code, now supports OpenSSL in addition to the previously supported NSS (#3489). In addition, the SSH responder can now return public SSH keys derived from the public keys stored in an X.509 certificate. Please refer to the ssh_use_certificate_keys option in the man pages.
  • The files provider now supports mirroring multiple passwd or group files. This enhancement makes it possible to use the SSSD files provider instead of the nss_altfiles module

Notable bug fixes

  • A memory handling issue in the nss_ex interface was fixed. This bug would manifest in IPA environments with a trusted AD domain as a crash of the ns-slapd process, because a ns-slapd plugin loads the nss_ex interface (#3715)
  • Several fixes for the KCM daemon were merged (see #3687, #3671, #3633)
  • The ad_site override is now honored in GPO code as well (#3646)
  • Several potential crashes in the NSS responder's netgroup code were fixed (#3679, #3731)
  • A potential crash in the autofs responder's code was fixed (#3752)
  • The LDAP provider now supports group renaming (#2653)
  • The GPO access control code no longer returns an error if one of the relevant GPO rules contained no SIDs at all (#3680)
  • A memory leak in the IPA provider related to resolving external AD groups was fixed (#3719)
  • Setups that used multiple domains where one of the domains had its ID space limited using the min_id/max_id options did not resolve requests by ID properly (#3728)
  • Overriding IDs or names did not work correctly when the domain resolution order was set as well (#3595)
  • A version mismatch between certain newer Samba versions (e.g. those shipped in RHEL-7.5) and the Winbind interface provided by SSSD was fixed. To further prevent issues like this in the future, the correct interface is now detected at build time (#3741)
  • The files provider no longer returns a qualified name in case domain resolution order is used (#3743)
  • A race condition between evaluating IPA group memberships and AD group memberships in setups with IPA-AD trusts that would have manifested as randomly losing IPA group memberships assigned to an AD user was fixed (#3744)
  • Setting an SELinux login label was broken in setups where the domain resolution order was used (#3740)
  • An SSSD start-up issue on systems that use the libldb library version 1.4.0 or newer was fixed.

Packaging Changes

  • Several new build requirements were added in order to support the OpenSSL certificate authentication

Documentation Changes

  • The files provider gained two new configuration options passwd_files and group_files. These can be used to specify the additional files to mirror.
  • A new ssh_use_certificate_keys option toggles whether the SSH responder would return public SSH keys derived from X.509 certificates.
  • The local_negative_timeout option is now enabled by default. This means that if SSSD fails to find a user in the configured domains, but is then able to find the user with an NSS call such as getpwnam, it would negatively cache the request for the duration of the local_negative_timeout option.

See full release notes here.

sssd-1.16.1

16 Apr 09:01

SSSD 1.16.1

Highlights

New Features

  • A new option auto_private_groups was added. If this option is enabled, SSSD will automatically create user private groups based on the user's UID number. The GID number is ignored in this case. Please see the auto_private_groups design page (../../design_pages/auto_private_groups.md) for more details on the feature.
  • The SSSD smart card integration now supports a special type of PAM conversation implemented by GDM which allows the user to select the appropriate smart card certificate in GDM. Please refer to the smartcard_multiple_certificates design page (../../design_pages/smartcard_multiple_certificates.md) for more details about this feature.
  • A new API for accessing user and group information was added. This API is similar to the traditional Name Service Switch API, but allows the consumer to talk to SSSD directly as well as to fine-tune the query, e.g. how the cache should be evaluated. Please see the enhanced_nss_api design page (../../design_pages/enhanced_nss_api.md) for more information on the new API.
  • The sssctl command line tool gained a new command access-report, which can generate a report of who can access the client machine. Currently only generating the report on an IPA client based on HBAC rules is supported. Please see the attestation_report design page (../../design_pages/attestation_report.md) for more information about this new feature.
  • The hostid provider was moved from the IPA specific code to the generic LDAP code. This allows SSH host keys to be accessed by the generic LDAP provider as well. See the ldap_host_* options in the sssd-ldap manual page for more details.
  • Setting the memcache_timeout option to 0 disables creating the memory cache files altogether. This can be useful in cases where there is a bug in the memory cache that needs working around.

Performance enhancements

  • Several internal changes to how objects are stored in the cache improve SSSD performance in environments with a large number of objects of the same type (e.g. many users, many groups). In particular, several useless indexes were removed and the most common object types no longer use the indexed objectClass attribute, but use the unindexed objectCategory instead (#3503)
  • In setups with id_provider=ad that use POSIX attributes which are replicated to the Global Catalog, SSSD uses the Global Catalog to determine which domain should be contacted for a by-ID lookup instead of iterating over all domains. More details about this feature can be found in the uid_negative_global_catalog design page (../../design_pages/uid_negative_global_catalog.md)

Notable bug fixes

  • A crash in sssd_nss that might have happened if the list of domains was refreshed while an NSS lookup was still using it was fixed (#3551)
  • A potential crash in sssd_nss during a netgroup lookup, in case the netgroup object kept in memory was already freed, was fixed (#3523)
  • Fixed a potential crash of sssd_be with two concurrent sudo refreshes in case one of them failed (#3562)
  • A memory growth issue in sssd_nss that occurred when an entry was removed from the memory cache was fixed (#3588)
  • Two potential memory growth issues in the sssd_be process that could have hit configurations with id_provider=ad were fixed (#3639)
  • The selinux_child process no longer crashes on a system where SSSD is compiled with SELinux support, but at the same time, the SELinux policy is not even installed on the machine (#3618)
  • The memory cache consistency detection logic was fixed. This would prevent printing false positive memory cache corruption messages (#3571)
  • SSSD now remembers the last successfully discovered AD site and uses it for the DNS search to look up the site and forest during the next lookup. This prevents timeouts in case SSSD was discovering the site using the global list of DCs where some of the global DCs might be unreachable (#3265)
  • SSSD no longer starts the implicit file domain when configured with id_provider=proxy and proxy_lib_name=files. This bug prevented SSSD from being used in setups that combine identities from UNIX files together with authentication against a remote source unless a files domain was explicitly configured (#3590)
  • The IPA provider can handle switching between different ID views better (#3579)
  • Previously, the IPA provider kept SSH public keys and certificates from an ID view in its cache and returned them even if the public key or certificate was then removed from the override (#3602, #3603)
  • FleetCommander profiles coming from IPA are now applied even if they are assigned globally (to category: ALL); previously, only profiles assigned to a host or a hostgroup were applied (#3449)
  • It is now possible to reset an expired password for users with 2FA authentication enabled (#3585)
  • A bug in the AD provider which could have resulted in built-in AD groups being incorrectly cached was fixed (#3610)
  • The SSSD watchdog can now cope better with time drifts (#3285)
  • The nss_sss NSS module's return codes for invalid cases were fixed
  • A bug in the LDAP provider that prevented setups with id_provider=proxy and auth_provider=ldap with LDAP servers that do not allow anonymous binds from working was fixed (#3451)

Packaging Changes

  • The FleetCommander desktop profile path now uses stricter permissions, 751 instead of 755 (#3621)
  • A new option --logger was added to the sssd(8) binary. This option obsoletes old options such as --debug-to-files, although the old options are kept for backwards compatibility.
  • The file /etc/systemd/system/sssd.service.d/journal.conf is not installed anymore. In order to change logging to journald, please use the --logger option. The logger is set using the Environment=DEBUG_LOGGER directive in the systemd unit files. The default value is Environment=DEBUG_LOGGER=--logger=files

Documentation Changes

There are no notable documentation changes such as options changing default values etc in this release.

See full release notes here.

sssd-1.16.0

16 Apr 09:01

SSSD 1.16.0

Highlights

Security fixes

  • This release fixes CVE-2017-12173: Unsanitized input when searching in local cache database. SSSD stores its cached data in an LDAP like local database file using libldb. To lookup cached data LDAP search filters like (objectClass=user)(name=user_name) are used. However, in sysdb_search_user_by_upn_res(), the input was not sanitized and allowed to manipulate the search filter for cache lookups. This would allow a logged in user to discover the password hash of a different user.
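
The sanitization that closes this class of bug, as an added example (not SSSD's code): hex-escape every RFC 4515 special character before a caller-supplied value enters a filter, then confirm by parsing that the filter still carries exactly the intended assertions. The attribute name userPrincipalName, the filter shape and the sample values are assumptions; sanitize=False reproduces the pre-fix behaviour only for comparison.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")
# One simple assertion "(attr=value)" whose value holds no unescaped parentheses
# or backslashes (equality or substring form; used only to count clauses).
_ASSERTION = re.compile(
    r"\(([A-Za-z][A-Za-z0-9;.-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)"
)


def escape_filter_value(value):
    """Hex-escape every RFC 4515 special character in a filter value."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse escape_filter_value (decode \\XX sequences)."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def upn_filter(upn, sanitize=True):
    """Build the cache lookup filter for a UPN in the shape the text describes:
    (objectClass=user) plus one attribute assertion. The attribute name
    userPrincipalName is an assumption, not SSSD's actual schema."""
    value = escape_filter_value(upn) if sanitize else upn
    return f"(&(objectClass=user)(userPrincipalName={value}))"


def parse_assertions(flt):
    """List (attribute, decoded value) for each simple assertion in flt."""
    return [(a, unescape_filter_value(v)) for a, v in _ASSERTION.findall(flt)]


def upn_filter_is_intact(upn):
    """True when the sanitized filter carries exactly the two intended
    assertions and the UPN value round-trips unchanged through escaping."""
    return parse_assertions(upn_filter(upn)) == [
        ("objectClass", "user"),
        ("userPrincipalName", upn),
    ]


if __name__ == "__main__":
    # Constructed input containing filter metacharacters.
    hostile = "alice)(name=bob"
    print(upn_filter(hostile, sanitize=False))   # three assertions: filter changed
    print(upn_filter(hostile))                   # two assertions: value escaped
    print(upn_filter_is_intact(hostile), upn_filter_is_intact("alice@example.com"))
```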

New Features

  • SSSD now supports session recording configuration through tlog. This feature enables recording of everything specific users see or type during their sessions on a text terminal. For more information, see the sssd-session-recording(5) manual page.
  • SSSD can act as a client agent to deliver Fleet Commander policies defined on an IPA server. Fleet Commander provides a configuration management interface that is controlled centrally and that covers desktop, applications and network configuration.
  • Several new systemtap probes were added into various locations in SSSD code to assist in troubleshooting and analyzing performance related issues. Please see the sssd-systemtap(5) manual page for more information.
  • A new LDAP provider access control mechanism that allows restricting access based on PAM's rhost data field was added. For more details, please consult the sssd-ldap(5) manual page, in particular the option ldap_user_authorized_rhost and the rhost value of ldap_access_filter.

Performance enhancements

  • Several attributes in the SSSD cache that are quite often used during cache searches were not indexed. This release adds the missing indices, which improves SSSD performance in large environments.

Notable bug fixes

  • The SSSD libwbclient implementation adjusted its behaviour in order to be compatible with Winbind's return value of wbcAuthenticateUserEx(). This enables the SSSD libwbclient library to work with Samba-4.6 or newer.
  • SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder did not protect the communication with the PAC responder with a mutex. This was causing multi-threaded applications that process the Kerberos PAC to miss a reply from SSSD and then were blocked until the default client timeout of 300 seconds passed. This release adds the mutex, which fixes the PAC responder usage in multi-threaded environments.
  • Previously, SSSD used to refresh several expired sudo rules by combining them into a long LDAP filter. This was ineffective, because the LDAP server had to process the query, but at that point, the client was quite often querying most or all of the sudo rules anyway. In this version, when the number of sudo rules to be refreshed exceeds the value of a new option sudo_threshold, all sudo rules are fetched instead.
  • A bug in the sudo integration that prevented the rules from matching if the user name referenced in that rule was overridden with sss_override or IPA ID views was fixed
  • When SSSD is configured with id_provider=ad, a Kerberos configuration is created that instructs libkrb5 to use TCP for communication with the AD DC by default. This saves the switch from UDP to TCP, which happens almost every time with the ad provider due to the PAC attached to the Kerberos ticket.

Packaging Changes

  • The sss_debuglevel and sss_cache utilities were superseded by sssctl commands sssctl debug-level and sssctl cache-expire, respectively. While this change is backwards-compatible in the sense that the old commands continue to work, it is recommended to switch to the sssctl command which will in future encompass all SSSD administration tasks.
  • Two new manpages, sssd-session-recording(5) and sssd-systemtap(5) were added.
  • A new systemtap example script, which is packaged by default at /usr/share/sssd/systemtap/dp_request.stp was added.
  • A new directory called deskprofile under the SSSD state directory (typically /var/lib/sss/) was added. SSSD downloads the Fleet Commander profiles into this directory.

Documentation Changes

  • The ldap_user_certificate option has changed its default value in the LDAP provider from "not set" to userCertificate;binary.
  • The ldap_access_filter option has a new allowed value rhost to support access control based on the PAM rhost value. The attribute that SSSD reads during the rhost access control can be configured using the new option ldap_user_authorized_rhost.
  • The thresholds after which the IPA and LDAP sudo providers will refresh all sudo rules instead of only the expired ones can be tuned using the sudo_threshold option.
  • A new provider handler, session_provider was added. At the moment, only two handlers, ipa and none are supported. The IPA session handler is used to fetch the Fleet Commander profiles from an IPA server.
  • The interval after which the IPA session provider will check for new FleetCommander profiles can be configured using the new ipa_deskprofile_request_interval option.

See full release notes here.

sssd-1.15.3

16 Apr 09:01

SSSD 1.15.3

Highlights

New Features

  • In a setup where an IPA domain trusts an Active Directory domain, it is now possible to define the domain resolution order. Starting with this version, SSSD is able to read and honor the domain resolution order, providing a way to resolve Active Directory users by just their short name. SSSD also supports a new option domain_resolution_order applicable in the [sssd] section that allows configuring short names for AD users in setups with id_provider=ad or in a setup with an older IPA server that doesn't support the ipa config-mod --domain-resolution-order configuration option. Also, it is now possible to use use_fully_qualified_names=False in a subdomain configuration, but please note that the user and group output from trusted domains will always be qualified to avoid conflicts.
  • SSSD ships with a new service called KCM. This service acts as a storage for Kerberos tickets when libkrb5 is configured to use KCM: in krb5.conf. Compared to other Kerberos credential cache types, KCM is better suited for containerized environments and because the credential caches are managed by a stateful daemon, in future releases will also allow to renew tickets acquired outside SSSD (e.g. with kinit) or provide notifications about ticket changes. This feature is optional and can be disabled by selecting --without-kcm when configuring the SSSD build.
  • Support for user and group resolution through the D-Bus interface, and for authentication and/or authorization through the PAM interface, was added even for setups without UIDs or Windows SIDs present on the LDAP directory side. This enhancement allows SSSD to be used together with Apache modules to provide identities for applications
  • SSSD ships a new public library called libsss_certmap that allows a flexible and configurable way of mapping a certificate to a user identity. This is required e.g. in environments where it is not possible to add the certificate to the LDAP user entry, because the certificates are issued externally or the LDAP schema cannot be modified. Additionally, specific matching rules allow a specific certificate on a smart card to be selected for authentication.
  • The Kerberos locator plugin can be disabled using the environment variable SSSD_KRB5_LOCATOR_DISABLE. Please refer to the sssd_krb5_locator_plugin manual page for more details.
  • The sssctl command line tool supports a new command user-checks that enables the administrator to check whether a certain user should be allowed or denied access to a certain PAM service.
  • The secrets responder now forwards requests to a proxy Custodia back end over a secure channel.

Notable bug fixes

  • The IPA HBAC evaluator no longer relies on originalMemberOf attributes to construct the list of groups the user is a member of. Maintaining the originalMemberOf attribute was unreliable and was causing intermittent HBAC issues.
  • A bug where the cleanup operation might erroneously remove cached users during their cache validation in case SSSD was set up with enumerate=True was fixed.
  • Several bugs related to configuration of trusted domains were fixed, in particular handling of custom LDAP search bases set for trusted domains.
  • Password changes for users from trusted Active Directory domains were fixed

Packaging Changes

  • A new KCM responder was added along with a manpage. The upstream reference specfile packages the responder in its own subpackage called sssd-kcm and a krb5.conf snippet that enables the KCM credentials cache simply by installing the subpackage
  • The libsss_certmap library was packaged in a separate package. There is also a libsss_certmap-devel subpackage in the upstream packaging.

Documentation Changes

  • sssd-kcm and libsss_certmap are documented in their own manual pages.
  • A new option domain_resolution_order was added. This option allows specifying the lookup order (especially w.r.t. trusted domains) that sssd will follow. Please see the Shortnames in trusted domains design page for more details.
  • New options pam_app_services and domain_type were added. These options can be used to limit certain PAM services to reaching only certain SSSD domains that should be exposed solely to non-OS applications. For more details, refer to the Support for non-POSIX users and groups design page.
  • The secrets responder supports several new options related to TLS setup and handling including verify_peer, verify_host, capath, cacert and cert. These options are all described in the sssd-secrets manual page.

See full release notes here.

sssd-1.15.2

16 Apr 09:01

SSSD 1.15.2

Highlights

  • It is now possible to configure certain parameters of a trusted domain in a configuration file sub-section. In particular, it is now possible to configure which Active Directory DCs the SSSD talks to with a configuration like this:
    [domain/ipa.test]
    # IPA domain configuration. This domain trusts a Windows domain win.test
    [domain/ipa.test/win.test]
    ad_server = dc.win.test
  • Several issues related to socket-activating the NSS service, especially if SSSD was configured to use a non-privileged user, were fixed. The NSS service now doesn't change the ownership of its log files, to avoid triggering a name-service lookup while the NSS service is not running yet. Additionally, the NSS service is started before any other service to make sure username resolution works and the other services can resolve the SSSD user correctly.
  • A new option cache_first allows the administrator to change the way multiple domains are searched. When this option is enabled, SSSD will first try to "pin" the requested name or ID to a domain by searching the entries that are already cached and contact the domain that contains the cached entry first. Previously, SSSD would check the cache and the remote server for each domain. This option brings performance benefit for setups that use multiple domains (even auto-discovered trusted domains), especially for ID lookups that would previously iterate over all domains. Please note that this option must be enabled with care as the administrator must ensure that the ID space of domains does not overlap.
  • The SSSD D-Bus interface gained two new methods: FindByNameAndCertificate and ListByCertificate. These methods will be used primarily by IPA and mod_lookup_identity to correctly match multiple users who use the same certificate for Smart Card login.
  • A bug where SSSD did not properly sanitize a username with a newline character in it was fixed.

Packaging Changes

None in this release

Documentation Changes

  • A new option cache_first was added. Please see the Highlights section for more details
  • The override_homedir option supports a new template expansion %l that expands to the first letter of the username

See full release notes here.

sssd-1.15.1

16 Apr 09:01

SSSD 1.15.1

Highlights

  • Several issues related to starting the SSSD services on-demand via socket activation were fixed. In particular, it is no longer possible to have a service started both by sssd and socket-activated. Another bug which might have caused the responder to start before SSSD started and cause issues especially on system startup was fixed.
  • A new files provider was added. This provider mirrors the contents of /etc/passwd and /etc/group into the SSSD database. The purpose of this new provider is to make it possible to use SSSD's interfaces, such as the D-Bus interface for local users and enable leveraging the in-memory fast cache for local users as well, as a replacement for nscd. In future, we intend to extend the D-Bus interface to also provide setting and retrieving additional custom attributes for the files users.
  • SSSD now autogenerates a fallback configuration that enables the files domain if no SSSD configuration exists. This allows distributions to enable the sssd service when the SSSD package is installed. Please note that SSSD must be built with the configuration option --enable-files-domain for this functionality to be enabled.
  • Support for public-key authentication with Kerberos (PKINIT) was added. This support will enable users who authenticate with a Smart Card to obtain a Kerberos ticket during authentication.

Packaging Changes

  • The new files provider comes as a new shared library libsss_files.so and a new manual page
  • A new helper binary called sssd_check_socket_activated_responders was added. This binary is used in the ExecStartPre directive to check if the service that corresponds to the socket about to be started was also started explicitly, and to abort the socket startup if it was.

Documentation Changes

  • A new PAM module option prompt_always was added. This option is related to fixing https://github.com/SSSD/sssd/issues/4025, which changed the behaviour of the PAM module so that pam_sss always uses an auth token that was on the stack. The new prompt_always option makes it possible to restore the previous behaviour.

See full release notes here.

sssd-1.15.0

16 Apr 09:01

SSSD 1.15.0

Highlights

  • SSSD now allows the responders to be activated by the systemd service manager and exit when idle. This means the services line in sssd.conf is optional and the responders can be started on-demand, simplifying the sssd configuration. Please note that this change is backwards-compatible and the responders listed explicitly in sssd.conf's services line are managed by sssd in the same manner as in previous releases. Please refer to man sssd.conf(5) for more information
  • The sudo provider is no longer disabled for configurations that do not explicitly include the sudo responder in the services list. In order to disable the sudo-related back end code that executes the periodic LDAP queries, set the sudo_provider to none explicitly
  • The watchdog signal handler no longer uses signal-unsafe functions. This bug was causing a deadlock in case the watchdog was about to kill a stuck process
  • A bug that prevented TLS to be set up correctly on systems where libldap links with GnuTLS was fixed
  • The functionality to alter SSSD configuration through the D-Bus interface provided by the IFP responder was removed. This functionality was not used to the best of our knowledge, had no tests and prevented the InfoPipe responder from running as a non-privileged user.
  • A bug that prevented statically-linked applications from using libnss_sss was fixed by removing the dependency on -lpthreads from the libnss_sss library (please see https://sourceware.org/bugzilla/show_bug.cgi?id=20500 for an example of why linking with -lpthread from an NSS module is problematic)
  • Previously, SSSD did not ignore GPOs that were missing the gPCFunctionalityVersion attribute and failed the whole GPO processing. Starting with this version, the GPOs without the gPCFunctionalityVersion are skipped.

Packaging Changes

  • The Augeas development libraries are no longer required since the configuration manipulation interface was dropped from the InfoPipe responder
  • The libsss_config.so internal library was removed as well due to removal of the InfoPipe config management
  • In order to manage socket-activated or bus activated responders, each responder is now represented by a systemd service file (e.g. sssd-nss.service). All responders except InfoPipe, which is bus-activated, are also managed by a socket unit file (e.g. sssd-nss.socket)

Documentation Changes

  • The sssd-secrets responder gained a new option max_payload_size that allows the administrator to limit the maximum size of a secret
  • A new option responder_idle_timeout was added to support idle termination of socket-activated responders
  • The sssd-ad and sssd-ipa man pages now summarize differences between the generic Kerberos/LDAP back end and the specialized IPA/AD back ends

See full release notes here.

sssd-1.14.2

16 Apr 09:01
sssd-1_14_2

Tagging the 1.14.2 release

sssd-1.14.1

16 Apr 09:01
sssd-1_14_1

Tagging the 1.14.1 release