8.226. sssd

Updated sssd packages that fix numerous bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system and a pluggable back-end system to connect to multiple different account sources.

Upgrade to an upstream version

The sssd packages have been upgraded to upstream version 1.11, which provides a number of bug fixes and enhancements to the System Security Services Daemon (SSSD) over the previous version. These include improvements to interoperability of Red Hat Enterprise Linux clients with Active Directory, which makes identity management easier in mixed Linux and Windows environments. The most notable enhancements also include resolving users and groups, as well as authenticating users, from trusted domains in a single forest, DNS updates, site discovery, and using the NetBIOS name for user and group lookups. (BZ#1051164)

Bug Fixes

Previously, the SSSD Pluggable Authentication Module (PAM) accepted user names containing spaces before or after the name. As a consequence, users in some situations entered incorrect names at the Gnome Display Manager (GDM) login screen. With this update, the SSSD PAM ignores space characters before and after a user name, and entering them no longer complicates logging in at the GDM login screen.
Prior to this update, attempting to save a user group member who does not conform to the configured search bases caused the group to be saved with incomplete membership. Consequently, using the "id" command returned inconsistent results for user group memberships. With this update, a user group can be saved correctly even when it contains members outside of the configured search bases. As a result, "id" now returns consistent results in such a scenario.
SSSD was incorrectly able to access random data if the "ad_matching_rule" option was enabled. As a consequence, if the user configured SSSD to use the "ad_matching_rule" option with no available group members, SSSD accessed random data and terminated unexpectedly with a segmentation fault. This update prevents SSSD from accessing random data, and the described scenario no longer causes SSSD to crash.
Previously, when SSSD was configured with the "id_provider=proxy" and "auth_provider=ldap" options, the Lightweight Directory Access Protocol (LDAP) authentication code used a hard-coded filter when searching for the user. Consequently, if the LDAP server used a customized LDAP pattern for the user name, SSSD authentication with "id_provider=proxy" and "auth_provider=ldap" failed. With this update, SSSD is able to adjust for a custom LDAP user name pattern, and SSSD authentication with the mentioned options succeeds in such a situation.
Because the autofs responder did not correctly ignore the "default_domain_suffix" option, autofs maps could previously not be retrieved when "default_domain_suffix" was enabled in SSSD. With this update, "default_domain_suffix" is properly ignored in the autofs responder and autofs maps can be retrieved when this option is enabled.
Prior to this update, when two different providers, such as id_provider=ipa and sudo_provider=ldap, were configured and enumeration was enabled, SSSD incorrectly started two parallel enumeration tasks. This caused conflicts between the enumeration tasks and produced incomplete enumeration data. With this update, SSSD only starts an enumeration task for the id_provider in the described scenario. As a result, enumeration data is now complete even for configurations with two different provider types.
Due to a bug in freeing used memory, running a persistent process that periodically requests a netgroup caused a memory leak. With this update, memory is freed correctly and the memory leak in the mentioned scenario no longer occurs.
Previously, SSSD could not process entries with more than 255 sudo rules. As a consequence, the sssd_sudo process under some circumstances terminated unexpectedly with a segmentation fault, which caused sudo to be unusable with SSSD for some users. This update changes the way sssd_sudo handles sending sudo rules. As a result, SSSD can now process LDAP entries with more than 255 rules and sssd_sudo no longer crashes.
Prior to this update, when using the getservent() call to retrieve information about all services, SSSD wrote the service count into an incorrect part of the output buffer. As a consequence, the "getent" command in some cases returned inaccurate information or became unresponsive. With this update, the sssd_nss code has been fixed to lay out the output buffer properly, and "getent" now functions reliably.
Due to the asynchronous processing that SSSD uses, an LDAP connection handle was in some cases freed between obtaining the handle and using it. As a consequence, SSSD frequently terminated unexpectedly when the Storage Area Network (SAN) experienced high latency. With this update, additional NULL checks have been added for the LDAP handle and SSSD now aborts the current request instead of crashing when high latency occurs on SAN.
Previously, when using the id_provider=ad provider, the processing of user group membership was in some cases terminated prematurely for users with POSIX attributes and with disabled ID mapping. Consequently, the primary group of the user sometimes did not resolve properly, and the simple access provider sometimes failed. With this update, resolving user groups no longer ends prematurely, and the simple access provider now always obtains the primary group of users.
Prior to this update, SSSD's dynamic DNS update feature did not filter out the multicast and subnet broadcast addresses when the "ipa_dyndns_iface" option was enabled. As a consequence, addresses that were not valid for DNS appeared in the Red Hat Identity Management DNS. With this update, multicast and subnet broadcast addresses are filtered out when performing a DNS update with "ipa_dyndns_iface", and only the appropriate addresses are used.
Previously, SSSD could not handle a zero value of the "ldap_group_nesting_level" option, and nested groups were thus not properly skipped. Consequently, SSSD returned more results than intended when identifying the groups that a user is a member of. With this update, when "ldap_group_nesting_level" is set to 0, SSSD correctly skips processing of nested groups and correct results are returned. In addition, the sssd-ldap(5) manual page has been updated with a detailed description of the behavior of "ldap_group_nesting_level".
When generating an enumeration of services with the "getent services" command, SSSD previously used incorrect pointer arithmetic, which caused its internal buffer to overflow. As a consequence, the sssd_nss process in some cases terminated unexpectedly when the user executed the "getent services" command. This update fixes the pointer arithmetic, and "getent services" now works as expected.
Prior to this update, the HostID back end was incorrectly used when its target was not configured. As a consequence, SSSD terminated unexpectedly with a segmentation fault when connecting via SSH. This update adds a check for whether the HostID back end is configured properly, and it no longer causes SSSD to crash.
The sss_cache tool previously lacked proper support for expiring user group membership, and did not reset the "syssdb_initgr_expire" attribute when expiring users. This update adds correct support for expiring user group membership to sss_cache and it now resets "syssdb_initgr_expire" when expiring users as expected.
Previously, the SSSD public key validator was excessively strict and could not handle the trailing newline character (\n) in a public key string obtained from LDAP. Consequently, an SSH key containing this character was marked as invalid and the user was not able to use it to connect to other machines. With this update, a trailing newline in an SSH public key is ignored by the SSSD public key validator, and SSSD can now use a public key that contains this character.
Because of a redundant "success" or "fail" call of the Bash "daemon" function, an extra "[OK]" was printed during the restart of the SSSD service. This update removes the redundant call, and "[OK]" is correctly printed only two times when restarting SSSD.
Due to a race condition in the initialization of the fast memory cache in the SSSD client libraries, multi-threaded applications in some situations received the SIGSEGV or SIGFPE signal and thus terminated unexpectedly. This update removes the race condition from the initialization, which prevents it from causing multi-threaded applications to crash.
Previously, SSSD could not handle the Enterprise Principal Names (EPN). As a consequence, certain users could not log in using the Active Directory (AD) provider. This problem has been fixed by the rebase, and SSSD now handles EPN correctly. As a result, users can now log in using the AD provider as expected.
Prior to this update, the proxy provider expected that every user had at least one supplementary group due to a bug in the proxy provider's group handling. Consequently, requesting a user that belonged only to their private group resulted in an error. With this update, the proxy provider has been fixed to handle the described situation correctly. As a result, requesting a user with no supplementary groups now works as expected.
Previously, SSSD failed when the "entryUSN" attribute of sudo rules was empty. As a result, processing of sudo rules failed and the user was denied access when invoking sudo. With this update, SSSD can handle an empty "entryUSN" attribute of sudo rules and no longer causes denied access to sudo operations.
Previously, SSSD incorrectly used the "default_domain_suffix" option also for netgroups, rather than just for users and groups. As a consequence, sudo rules that rely on netgroup lookups did not work when "default_domain_suffix" was enabled. To fix this problem, SSSD has been updated to ignore "default_domain_suffix" for netgroup lookups. As a result, sudo rules now work correctly even when "default_domain_suffix" is enabled.
Prior to this update, when Service (SRV) record lookup status failed, port status was not marked as not working and SSSD did not try to resolve the SRV record again. As a consequence, the failover mechanism did not cycle through all the available servers, and SSSD therefore remained offline. A patch has been applied to fix this problem, and port status is now correctly marked as not working. As a result, failover continues with the next configured server.
Previously, when calling the initgroups() function, SSSD under some circumstances resolved Security Identifiers (SIDs) for groups but did not store the membership status. Consequently, group membership was not resolved correctly, as only the primary groups were acquired. A patch has been applied to fix this problem, and SSSD now updates the user's membership after SIDs are resolved. As a result, group membership is resolved correctly in the described situation.

Enhancements

BZ#1111317, BZ#1127278
The "override_space" option has been introduced to SSSD, which allows users to replace spaces in user names and group names with a specified character string. This makes it easier to use certain shell scripts or other applications that cannot properly handle user names and group names containing spaces. For further information on "override_space", refer to the sssd.conf(5) man page.
SSSD now supports obtaining users and user groups, as well as logging in as a user, not only from the AD domain that the user is currently connected to, but also from AD domains that are "trusted" by the current AD domain.
SSSD is now able to replace the "%H" string in the home directory obtained from the LDAP server with a value specified in the SSSD configuration file. This allows users to migrate Red Hat Enterprise Linux to SSSD while retaining the configuration of their existing environment.
A new option that disables the Kerberos locator plug-in has been added to SSSD. Thanks to this option, users can now choose not to inform the libkrb5 library about the Kerberos servers that SSSD uses, and to use only servers specified in the krb5.conf file.
With this update, SSSD now checks for and uses the deprecated "sudoRunAs" attribute when the "sudoRunAsUser" attribute and the "ldap_sudorule_runasuser" mapping are not defined in the sssd.conf file. This ensures better backward compatibility with older SSSD settings.
SSSD is now able to locate the nearest Active Directory (AD) Domain Controller (DC) using the DNS Sites feature of AD. This allows SSSD to connect to DNS Sites more reliably and efficiently.
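The following sssd.conf fragment shows the new "override_space", "%H" substitution and Kerberos locator settings described above together; it is an illustration added here, not a configuration taken from the release notes. The option names homedir_substring and krb5_use_kdcinfo are not named in the notes and are assumed from the sssd.conf(5) and sssd-krb5(5) man pages; the domain name, paths and values are constructed.

```ini
# Constructed example, not from the release notes or the sssd project.
# Option names homedir_substring and krb5_use_kdcinfo are assumed from
# sssd.conf(5) and sssd-krb5(5); all values below are made up.
[sssd]
services = nss, pam
domains = example.com
# Replace spaces in user and group names, so that the AD group
# "Domain Users" is returned to shell scripts as "Domain_Users".
override_space = _

[domain/example.com]
id_provider = ad

# "%H", whether in the homeDirectory value stored in the directory or in
# this fallback template, is replaced with the value of homedir_substring,
# so an existing "%H/jdoe" entry resolves to /export/home/jdoe.
fallback_homedir = %H/%u
homedir_substring = /export/home

# Do not hand the KDCs discovered by SSSD to libkrb5 through the locator
# plug-in; libkrb5 then uses only the servers listed in /etc/krb5.conf.
krb5_use_kdcinfo = False
```

Check the resulting names with "getent group" and "getent passwd" after restarting SSSD; both lookups and PAM logins must use the rewritten name once override_space is set.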
Users of sssd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.