1.272. sssd

Updated sssd packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are linked to from the security descriptions below.
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA.

Security Fix

A flaw was found in the SSSD PAM responder that could allow a local attacker to crash SSSD via a carefully-crafted packet. With SSSD unresponsive, legitimate users could be denied the ability to log in to the system.

Bug Fixes

The sssd package has been upgraded to upstream version 1.5.1, which provides a number of bug fixes and enhancements over the previous version.
The Red Hat Enterprise Linux 6 Deployment Guide now contains a section on Selecting an LDAP Schema, which covers, among other things, the differences between the rfc2307 and the rfc2307bis LDAP schema.
If SSSD was configured to use a non-anonymous bind (a bind DN (Distinguished Name) was specified and an authentication token, such as a password, was used), SSSD did not properly follow the LDAP referrals and only attempted to bind anonymously to the referred server. With this update, non-anonymous bind on LDAP connections works as expected.
Editing of the RPM configuration file during installation of the sssd package caused the rpmverify check of the sssd package to fail. With this update, the sssd package passes the rpmverify check.
Kerberos applications running on a secondary architecture of a multilib platform (for example, i686 on AMD64) were not able to identify the Kerberos server for authentication. With this update, the Kerberos locator plugin is located in the sssd-client package to allow installation of both the 32-bit and 64-bit versions on 64-bit systems.
Users were not always assigned all of the groups of which they were members in LDAP when initgroups() was called. This could cause several issues related to group-based permissions. With this update, the initgroups() call always returns all groups for the specified user.
SSSD did not correctly escape special characters in the values it placed into LDAP search filters (for example, a username containing the '\' character). The malformed filter produced an error that caused SSSD to treat the LDAP server as unreachable. With this update, characters in LDAP queries are escaped correctly and lookups work as expected.
If a data provider died during an NSS (Name Service Switch) request, the NSS responder died once the timeout of the open, unhandled requests was reached. This update introduces a reconnect handler which terminates the current request without causing the NSS responder to die.
On 32-bit architectures, running the getent passwd command on a username with a very large user or group identifier (that is, UID or GID greater than 2147483647) resulted in an empty output. With this update, the underlying source code has been modified to address this issue, and the getent command now returns the expected output.
The gnome-screensaver application could become unresponsive for more than two minutes when trying to unlock the screen with an incorrect password while SSSD was configured for proxy identification and authentication. This was due to faulty decrementing of in-progress authentication request child processes when they completed successfully. With this update, the process count is accurate, and the gnome-screensaver application no longer becomes unresponsive in the aforementioned case.
SSSD has a cleanup task that removes unreferenced groups from the cache in order to keep the cache size down. However, this cleanup task only checked direct group memberships: a group that was referenced only as a user's primary group ID, without that user being listed as a direct member, was treated as unreferenced. As a result, SSSD could purge legitimate groups from the cache, which broke group-based access control such as /etc/security/access.conf and /etc/sudoers rules for the affected users. With this update, a group that is the primary GID of any cached user is no longer discarded from the cache.
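The cleanup decision described above, as an added illustration in C; this is not sssd's sysdb code. The cache contents (users alice and bob, groups wheel, staff and stale, and their GIDs) are constructed for the example, and the check_primary flag switches between the old rule (direct memberships only) and the corrected one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed cache contents standing in for sssd's sysdb (example data).
 * bob's primary group is "staff", but he is not listed as a direct member
 * of it, which is exactly the case the old cleanup task got wrong.
 */
#define MAX_MEMBERS 4

struct cached_user {
    const char *name;
    unsigned gid;                         /* primary group id (gidNumber) */
    const char *member_of[MAX_MEMBERS];   /* direct memberships, NULL-terminated */
};

struct cached_group {
    const char *name;
    unsigned gid;
};

static const struct cached_user users[] = {
    { "alice", 4000, { "wheel", NULL } },
    { "bob",   6000, { NULL } },
};

static const struct cached_group groups[] = {
    { "wheel", 4000 },
    { "staff", 6000 },   /* referenced only through bob's primary GID */
    { "stale", 7000 },   /* referenced by nobody */
};

#define NUSERS  (sizeof users / sizeof users[0])
#define NGROUPS (sizeof groups / sizeof groups[0])

/* Is any cached user a direct member of g? (the only check the old task made) */
static bool has_direct_member(const struct cached_group *g)
{
    for (size_t u = 0; u < NUSERS; u++)
        for (size_t m = 0; users[u].member_of[m] != NULL; m++)
            if (strcmp(users[u].member_of[m], g->name) == 0)
                return true;
    return false;
}

/* Does any cached user carry g's GID as primary group? (the added check) */
static bool is_primary_group(const struct cached_group *g)
{
    for (size_t u = 0; u < NUSERS; u++)
        if (users[u].gid == g->gid)
            return true;
    return false;
}

/*
 * May the cleanup task purge g? check_primary=false reproduces the old
 * behaviour: "staff" looks unreferenced and is dropped, so access.conf or
 * sudoers rules naming it stop matching bob. With check_primary=true the
 * primary-GID reference keeps the group in the cache.
 */
bool may_purge(const struct cached_group *g, bool check_primary)
{
    if (has_direct_member(g))
        return false;
    if (check_primary && is_primary_group(g))
        return false;
    return true;
}

/* Look a group up by name and apply the purge decision; false if unknown. */
bool would_purge(const char *group_name, bool check_primary)
{
    for (size_t i = 0; i < NGROUPS; i++)
        if (strcmp(groups[i].name, group_name) == 0)
            return may_purge(&groups[i], check_primary);
    return false;
}

/* Number of cached groups the cleanup task would discard. */
int purge_count(bool check_primary)
{
    int n = 0;
    for (size_t i = 0; i < NGROUPS; i++)
        if (may_purge(&groups[i], check_primary))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NGROUPS; i++)
        printf("%-6s old:%s new:%s\n", groups[i].name,
               may_purge(&groups[i], false) ? "purge" : "keep",
               may_purge(&groups[i], true)  ? "purge" : "keep");
    return 0;
}
```

With the old rule "staff" and "stale" are both purged; with the corrected rule only "stale" goes, and bob's sudoers and access.conf matches on "staff" keep working.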
With this update, handling of expired accounts in the LDAP access provider has been improved. Additionally, the authorizedService LDAP attributes are now supported.
During an upgrade of the sssd package, the package manager restarts the sssd service to ensure the running instance is properly replaced with the newer version. However, prior to this update, a race condition could occur upon the service shutdown, causing the parent process not to wait for its children to terminate. When this happened, these running sub-processes may have prevented sssd from starting again. With this update, the sssd service has been corrected to wait for the children processes to terminate, so that it can be restarted as expected.
Previously, shutting down the sssd service (either by using the service sssd stop command, or with the SIGTERM signal) could cause SSSD to enter a busy-loop and never complete the shut down. This error has been fixed, and sssd no longer fails to shut down.
Prior to this update, initial enumeration (which caches the entire set of available users and groups from the remote source to the local machine) failed after the sssd service was restarted when it was configured for a local domain. This was due to a tevent request that was not being posted properly. With this update, this issue has been fixed and enumeration works as expected.
The -s/--stdin option of the sss_obfuscate command (which obfuscates a plain text password) reads the password to obfuscate from the standard input. However, not specifying the -s/--stdin option resulted in the same behavior. With this update, when no option is specified for the sss_obfuscate command, an interactive dialog for the password is shown.
If the LDAP provider used TLS/SSL and an obfuscated password could not be decrypted (for example, because a plain text password had been entered by accident), the LDAP provider was terminated. This was because the LDAP provider failed to close the connection with the TLS/SSL server. With this update, an obfuscated password is decrypted at startup, before any TLS/SSL operations.
Configuring the system to allow a user to log in using SFTP (SSH File Transfer Protocol) only, restricted to the user's home directory, resulted in the SFTP connections being closed when SSSD was running on the system. This was due to improper closing of file descriptors. This update adds additional checks which ensure that sockets are closed correctly and prevent the dropped SFTP connections.
Not using enumeration and starting SSSD with a cleared cache caused the simple access provider to not be able to resolve the primary group at the time of authentication and resulted in an authentication failure due to faulty initgroups lookups. With this update, initgroups lookups have been improved and authentication no longer fails in the aforementioned case.
Prior to this update, nested groups were not unrolled during the first enumeration causing authentication of users in the nested group to fail. However, authentication did succeed after the second enumeration. With this update, unrolling of nested groups works as expected; authentication no longer fails.
The configuration API files have been updated to reflect all current configuration options resolving errors where a configuration option specified in the /etc/sssd/sssd.conf file disappeared from the file after running authconfig-tui or authconfig-gtk.
Traceback messages were displayed on the command line when executing the sss_obfuscate command as a non-root user. With this update, a human-readable error is displayed in such a case instead of the traceback messages.
Prior to this update, the sss_obfuscate command could fail if it could not establish (by reading the /etc/sssd/sssd.conf file) which domain was the default one. With this update, the sss_obfuscate command always requires the -d/--domain option, so the domain to be used must be specified on the command line.
Search filters for nested group lookups did not return correct results because the rfc2307bis_nested_groups_update_sysdb() and save_rfc2307bis_user_memberships() functions called the sysdb_search_groups() function with an unsanitized member_dn parameter. With this update, the search filters have been fixed and work as expected.
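Both the unescaped backslash in a username (earlier in this list) and the unsanitized member_dn handed to sysdb_search_groups() come down to the same rule: any value interpolated into an LDAP search filter must be escaped as RFC 4515 requires. The following C example is added here and is not taken from sssd; the ldap_filter_escape() and ldap_eq_filter() names are the example's own. It implements the escaping and shows why it matters for access control: an unescaped "*)(uid=*" turns a lookup for one user into a match on every user.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * RFC 4515 section 3 requires the bytes '*', '(', ')', '\' and NUL inside
 * a filter value to be written as \2a, \28, \29, \5c and \00. Anything else
 * passes through unchanged. Takes an explicit length so embedded NUL
 * bytes are handled too. Returns a malloc()ed string the caller frees,
 * or NULL on allocation failure.
 */
char *ldap_filter_escape(const char *value, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    char *out = malloc(len * 3 + 1);      /* worst case: every byte expands */
    if (out == NULL)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return out;
}

/* Build "(attr=value)" with the value escaped; caller frees the result. */
char *ldap_eq_filter(const char *attr, const char *value)
{
    char *esc = ldap_filter_escape(value, strlen(value));
    if (esc == NULL)
        return NULL;
    size_t n = strlen(attr) + strlen(esc) + 4;   /* '(' '=' ')' NUL */
    char *filter = malloc(n);
    if (filter != NULL)
        snprintf(filter, n, "(%s=%s)", attr, esc);
    free(esc);
    return filter;
}

/* Does the filter built from attr and value equal expected? (for checking) */
int filter_equals(const char *attr, const char *value, const char *expected)
{
    char *f = ldap_eq_filter(attr, value);
    int same = (f != NULL && strcmp(f, expected) == 0);
    free(f);
    return same;
}

int main(void)
{
    /* constructed inputs: a backslash-bearing name, an injection attempt,
     * and a plain name */
    const char *names[] = { "DOMAIN\\jdoe", "*)(uid=*", "jdoe" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *f = ldap_eq_filter("uid", names[i]);
        printf("%-12s -> %s\n", names[i], f ? f : "(alloc failed)");
        free(f);
    }
    return 0;
}
```

The backslash case produces (uid=DOMAIN\5cjdoe), which the server parses as a literal backslash instead of rejecting the filter; the injection case produces (uid=\2a\29\28uid=\2a), a filter that matches nobody rather than everybody.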
The -p/--password option of the sss_obfuscate command was not properly setting the provided password (specifically, it always used an empty string instead of the provided password). As a result, SSSD was unable to successfully complete an LDAP bind. This update removes the -p/--password option of the sss_obfuscate command as it is not safe to pass a password on the command line.
Prior to this update, when SSSD was configured to require the authorizedService attribute for access control, even though a user's authentication request completed successfully, the following message was logged in the /var/log/secure log file:
Authorized service attribute has no matching rule, access denied
This update fixes this faulty behavior and no error messages are logged on successful authentication requests.
Originally supported time rules in the HBAC (Host-Based Access Control) rules in FreeIPAv2 have been dropped from the final version. However, SSSD expected these rules to be functional and caused unexpected denials if they were not. With this update, time rules have been removed from SSSD and no longer cause denial errors.
Prior to this update, SSSD always attempted to issue the StartTLS extended operation when performing LDAP authentication, even when the connection had been established over LDAPS (LDAP over SSL/TLS). Some LDAP servers (especially those configured to work behind SSL accelerators) cannot handle StartTLS on a connection that is already encrypted, which prevented authentication from succeeding on those platforms. With this update, SSSD no longer attempts StartTLS if it is connected over LDAPS.
A check for renewable TGTs (Ticket Granting Tickets) at startup did not work properly because the ccache file was not being checked. With this update, the ccache file is checked for renewable TGTs at every startup unless configured otherwise.
SSSD could crash when renewing TGTs because some of the TGTs were not being removed from the renewal list after they already have been successfully renewed. With this update, a TGT is properly removed from the renewal list after being successfully renewed.
Due to SSSD originally having its HBAC support designed around an early preview of FreeIPAv2, SSSD expected HBAC rules to be stored in the cn=accounts subtree of FreeIPAv2. However, the final version of FreeIPAv2 stores them in the cn=hbac subtree instead. This resulted in denials from SSSD because no rules could be found. With this update, access decisions are based on the HBAC rules, and SSSD no longer returns spurious denials.
Modifying or deleting a user/group account on an LDAP server did not result in an update of the cache on a login attempt. With this update, the cache is always properly updated during the login process. Outside of a login attempt, entries remain as they were cached until the cache timeout expires.
At any PAM (Pluggable Authentication Modules) action occurring online, SSSD is supposed to perform an initgroups() request to the backend to ensure that user and group memberships are accurate for the login. However, a bug has been discovered which causes this lookup to be performed on the first domain in the list of domains only. This update fixes this issue; initgroups() requests are properly processed on all existing domains.
The netgroup search base in SSSD has been updated to match the one specified in FreeIPAv2.
When performing an initgroups() request on a user, the IPA provider did not properly remove group memberships from the local cache when they were removed from the IPA server. With this update, a removed group is no longer present in the local cache.
This update ensures that if the ipa-client-install command (which configures an IPA client) is executed with the --realm option, the specified realm is set in all SSSD configuration files in both the realm and the krb5_realm configuration directives.
Prior to this update, SSSD was not thread safe for certain calls. This update adds mutexes around NSS operations and serializes them, and the PAM functions, which only use the provided PAM handle, now have protected socket operations. As a result, SSSD is now thread safe.
Prior to this update, SSSD did not properly handle a change of a Kerberos server's IP address.
Specifying a single server name in the ipa_server option in the /etc/sssd/sssd.conf file resulted in a successful dynamic update of the DNS records on the IPA DNS server. However, if two or more servers were specified, the update failed. This update addresses this issue, and specifying multiple servers in the ipa_server option works as expected.
If the RFC2307bis schema was used and the server did not have the memberOf attributes defined, SSSD attempted to remove them from the sysdb cache. However, this attribute is exclusively managed by the memberOf plugin. With this update, SSSD no longer attempts to delete the memberOf attribute under any circumstances.
Attempting to stop the IPA services via the ipactl (an IPA server control interface) command as a non-root user resulted in a segmentation fault. With this update, a segmentation fault no longer occurs.
If a requested netgroup does not exist, SSSD adds the name to the negative cache. If the end of the lifetime for the cache entry was reached, the sssd_nss module tried to delete the entry and failed with a segmentation fault. With this update, the aforementioned netgroups are properly handled, and a segmentation fault no longer occurs.
With this update, both SSSD and IPA use the Kerberos realm as the base domain name.
In certain cases, SSSD failed when it encountered a non-POSIX compliant group (contained no GID attribute). With this update, non-POSIX-compliant groups are ignored and no longer cause SSSD to fail.
If SSSD failed to parse a broken netgroup entry from the LDAP server, a new request for the same group timed out and returned only after the client timeout of 5 minutes was exceeded. With this update, the state of a netgroup's hash entry is changed if a netgroup cannot be parsed.
Using LDAP as an identity provider and Kerberos as the authentication provider and setting the Kerberos provider backend offline could result in an improper termination of the connection with LDAP. As a result, SSSD started to consume 100% of the CPU and logged error messages into the SSSD log. With this update, an LDAP connection is properly released and no longer causes the aforementioned issues.
SSSD failed when it encountered nested group memberships with non-POSIX-compliant groups in the middle of the nest. With this update, non-POSIX-compliant groups are ignored and no longer cause SSSD to fail.
The LDAP RFC 2307 schema, while not explicitly allowing it, does not forbid a multi-valued attribute for the name of a group. Previously, SSSD returned an error and aborted an initgroups() call if it attempted to process such a group. With this update, groups with multi-valued name attributes are skipped during an initgroups() call.
Specifying Kerberos as the access control provider in the /etc/sssd/sssd.conf file (access_provider = krb5) resulted in a traceback error when trying to update all SSSD-related files with the authconfig --enablesssd --enablesssdauth --updateall command. With this update, this issue has been fixed; all SSSD-related files are updated and SSSD starts as expected.
An initgroups() call in the IPA provider stored only the user on which the call was issued in the cache: each of the user's groups was cached with that user as its only member and was not refreshed with the group's other members. Thus, a command such as getgrnam showed only that single user for the group. With this update, all members of the group are properly taken into account in the aforementioned case.
A traceback error is no longer returned when terminating the sss_obfuscate command with the CTRL+D shortcut.
Under certain circumstances, if nested groups were not processed successfully due to a misconfiguration on an RFC2307bis LDAP server, a segmentation fault occurred. With this update, an appropriate error message is returned instead of a segmentation fault in the aforementioned case.
Groups which have a zero-length string specified in the memberuid attribute are now properly handled, and no longer cause new lookups to not be cached properly.
SSSD now correctly falls back to the cn attribute for GECOS information (entry in the /etc/passwd file) if the GECOS field is empty, making SSSD fully compliant with section 5.3 of RFC 2307.
For large cache files, if a user was removed from a group in LDAP, memory allocation could grow exponentially while processing the removal from the cache, potentially resulting in an OOM (Out of Memory) situation. With this update, this issue has been fixed, and SSSD no longer allocates unnecessarily large amounts of memory when removing a user from a group in LDAP.
Prior to this update, the SRV records result processing code attempted to filter out duplicate entries, but failed to do so properly. This update removes the detection of duplicates from SRV result processing, resolving this issue.
If there was no rootDSE (the root of the directory data tree on a directory server) data present, the LDAP provider crashed. This update includes various fixes that resolve this issue.
The select() call can only handle file descriptors smaller than FD_SETSIZE (1024). If the sssd NSS or PAM client library was called from an application with many open files, the descriptor used by the client could be 1024 or larger; FD_SET() on such a descriptor writes outside the fd_set, which is undefined behavior and could corrupt memory in the calling process. With this update, the poll() call is used instead of select(), eliminating the possibility of memory corruption in the calling process.
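The limit and its replacement, as an added C example that is not sssd's client code (the fd_fits_select(), wait_readable() and demo_high_fd() names are the example's own). It relocates a pipe's read end to descriptor 1500, which would overflow an fd_set, and waits on it with poll() instead; if the process's RLIMIT_NOFILE does not permit that descriptor number the demo falls back to the low descriptor, so the result is the same either way.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/*
 * select() can only address descriptors below FD_SETSIZE (1024 with glibc):
 * FD_SET() on a larger number writes beyond the fd_set, which is the
 * memory corruption this fix removes. A client that still uses select()
 * must at least refuse descriptors that do not fit.
 */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/*
 * poll() takes an array of the descriptors of interest, whatever their
 * numeric value, so there is no such limit. Wait for fd to become readable
 * or for timeout_ms to elapse: returns 1 if readable (or hung up / in
 * error, which the following read() will report), 0 on timeout, -1 on
 * error with errno set. An interrupting signal restarts the wait.
 */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    for (;;) {
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc < 0 && errno == EINTR)
            continue;
        if (rc < 0)
            return -1;
        if (rc == 0)
            return 0;
        return (pfd.revents & (POLLIN | POLLHUP | POLLERR)) ? 1 : 0;
    }
}

/*
 * Reproduce the client's situation: the read end of a pipe is moved to a
 * high descriptor number (as happens in a process with many open files),
 * one byte is written, and poll() is asked whether it is readable.
 * Returns 1 when the byte is seen, 0 on timeout, -1 on unexpected failure.
 */
int demo_high_fd(int target_fd)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int rfd = p[0];
    if (dup2(p[0], target_fd) == target_fd) {   /* fails if RLIMIT_NOFILE is low */
        close(p[0]);
        rfd = target_fd;
    }
    if (write(p[1], "x", 1) != 1) {
        close(p[1]);
        close(rfd);
        return -1;
    }
    int ready = wait_readable(rfd, 1000);
    close(p[1]);
    close(rfd);
    return ready;
}

/* An empty pipe must time out rather than report readiness. */
int demo_timeout(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int ready = wait_readable(p[0], 20);
    close(p[0]);
    close(p[1]);
    return ready;
}

int main(void)
{
    printf("FD_SETSIZE=%d, fd 1500 fits select(): %s\n",
           (int)FD_SETSIZE, fd_fits_select(1500) ? "yes" : "no");
    printf("poll() on fd 1500 readable: %d (1 expected)\n", demo_high_fd(1500));
    printf("poll() on empty pipe: %d (0 expected)\n", demo_timeout());
    return 0;
}
```

The same descriptor-number problem applies to any library that is loaded into arbitrary processes (NSS and PAM modules in particular), since the library has no control over how many files its host process has open.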

Enhancements

If service discovery is used in a domain back end, the DNS domain used for the search can now be specified by the new dns_discovery_domain option. If not specified, the domain part of the machine's hostname is used (previously, it was the name of the SSSD configuration domain). As a backwards-compatibility measure, the SSSD domain is used in case the domain part cannot be acquired from the machine's hostname.
SSSD now supports automatic Kerberos ticket renewal which provides Kerberos tickets for long-running processes or cron jobs even when a user logs out.
Support for obfuscated (non-plain text) passwords in the SSSD configuration files has been added.
SSSD now provides support for account lockout policies when using Active Directory or IPA. Additionally, SSSD provides support for shadow access control when using LDAP.
Users of SSSD should upgrade to these updated packages, which contain backported patches to correct this issue, fix these bugs, and add these enhancements.
Updated sssd packages that resolve an issue are now available for Red Hat Enterprise Linux 6.
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA.
Bug Fix
Previously, SSSD did not properly close its PAM sockets after an authentication attempt, which eventually resulted in process resource exhaustion and a denial of service situation. The code has been modified to fix this issue, and file descriptors are now properly released when they are no longer in use.
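A regression check for this class of bug, as an added C example that is not sssd's PAM responder code. A socketpair stands in for the PAM socket, one_exchange() simulates a request and reply, and fds_leaked_after() reports how many descriptors the process gained over n attempts; the leaky flag reproduces the responder end never being closed. The function names and the constructed "auth"/"ok" messages are the example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Count open descriptors by probing every number up to the soft
 * RLIMIT_NOFILE (capped at 65536 to bound the loop) with fcntl(F_GETFD).
 * Needs no /proc and works in any POSIX process.
 */
int count_open_fds(void)
{
    struct rlimit rl;
    long limit = 1024;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        limit = (long)rl.rlim_cur;
    if (limit > 65536)
        limit = 65536;
    int n = 0;
    for (int fd = 0; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/*
 * One simulated authentication exchange over a socketpair standing in for
 * the PAM socket: the client sends a request, the responder replies, and
 * both sides close. With leak_responder_end set the responder never closes
 * its end, which is the bug described above. Returns 0 on success, -1 on
 * failure.
 */
static int one_exchange(int leak_responder_end)
{
    int sv[2];
    char buf[8];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int ok = write(sv[0], "auth", 4) == 4 && read(sv[1], buf, 4) == 4 &&
             write(sv[1], "ok", 2) == 2 && read(sv[0], buf, 2) == 2;
    close(sv[0]);                 /* client side always released */
    if (!leak_responder_end)
        close(sv[1]);             /* the fix: release the responder side too */
    return ok ? 0 : -1;
}

/*
 * Run n exchanges and return how many descriptors the process gained.
 * 0 means every socket was released; n means one leaked per attempt,
 * which is how resource exhaustion builds up under repeated logins.
 */
int fds_leaked_after(int n, int leaky)
{
    int before = count_open_fds();
    for (int i = 0; i < n; i++)
        if (one_exchange(leaky) < 0)
            return -1;
    return count_open_fds() - before;
}

int main(void)
{
    printf("fixed responder, 50 attempts: %d descriptors leaked\n",
           fds_leaked_after(50, 0));
    printf("leaky responder, 50 attempts: %d descriptors leaked\n",
           fds_leaked_after(50, 1));
    return 0;
}
```

On a live host the equivalent check is made from outside the process: count the entries under /proc/<pid>/fd of the sssd_pam responder before and after a burst of logins, and treat a count that grows with every attempt as this bug.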
All users of sssd are advised to upgrade to these updated packages, which resolve this issue.
Updated sssd packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA.
Bug Fixes
Previously, SSSD relied on the inotify kernel subsystem to detect whether a DNS resolver file had been changed. If inotify returned an error (for example due to resource exhaustion), SSSD terminated unexpectedly and network logins no longer worked. With this update, SSSD itself detects the failure in the described scenario and falls back to the five-second polling, fixing this bug.
When SSSD communicated with an OpenLDAP server, which supported server-side password policies but did not list them in the "supportedControl" attribute of the server's rootDSE entry, SSSD terminated unexpectedly with a segmentation fault. This was a regression introduced in version 1.5.1-34.el6 of the sssd package. An upstream patch has been provided to fix this bug.
All users of sssd are advised to upgrade to these updated packages, which fix these bugs.
Updated sssd packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
Bug Fixes
When the first DNS server listed in the /etc/resolv.conf file was unreachable, the sssd service did not try any subsequent DNS server to resolve the SRV record. This caused sssd to permanently operate in offline mode. This bug has been fixed, and sssd is now able to connect to an alternate server if the primary server is down.
The sssd client terminated when the ldap_default_authtok_type option was not configured. With this update, the ldap_default_authtok_type option now defaults to "password" if it is not specified in the /etc/sssd/sssd.conf file and the bug no longer occurs.
Users of sssd are advised to upgrade to these updated sssd packages, which fix these bugs.