Chapter 2. Authentication and Interoperability

SSSD correctly reports supplementary groups for AD users in a nested domain

Resolving supplementary groups sometimes failed for Active Directory (AD) users with the same samAccountName attribute who existed in two AD domains, when:
  • one of the AD domains was nested under the other
  • the users were stored in a non-default organizational unit (OU)
Consequently, the id [user_name] command reported only the primary group for these users.
The underlying SSSD code has been improved to better match the user account with its domain. As a result, SSSD reports also supplementary groups of AD users in the described situation. (BZ#1293168)

Authentication no longer fails when two SRV resolution requests are running at the same time

When multiple service record (SRV) resolution requests were running concurrently, one of them returned a failure indicating that no new servers were found. Consequently, authentication using the ssh utility failed. With this update, SSSD handles two concurrent SRV resolution requests gracefully. As a result, authentication no longer fails in this situation. (BZ#1367435)

Users with expired or locked accounts now cannot log in to IdM clients with their SSH keys

When a trusted Active Directory (AD) user with an expired or locked user account attempted to log in to an Identity Management (IdM) client using a non-password login method, such as SSH keys, the login was successful. With this update, the IdM client checks the AD lockout attribute when verifying whether an AD user is allowed to log in. As a result, AD users with expired or locked accounts are no longer permitted to log in under these circumstances.
Note that this bug has no security impact: The AD user could not obtain a Kerberos ticket on the IdM client because the user account was expired or locked on the server side. (BZ#1335400)
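The check described above, whether an account may log in at all, must be evaluated independently of the credential presented, because an SSH key never touches the Kerberos KDC where the expiry and lockout would otherwise be enforced. The following Python is an added example, not SSSD or IdM code: it evaluates the AD attributes userAccountControl, accountExpires and lockoutTime from constructed sample entries. It assumes the standard AD encodings (accountExpires and lockoutTime as Windows FILETIME ticks, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never expires"; bit 0x2 of userAccountControl meaning "disabled"); the attribute actually consulted by the IdM client is not named on this page.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
# AD stores accountExpires and lockoutTime this way (assumption, see lead-in).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires values that mean "never expires"
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
# userAccountControl flag bit for a disabled account
UAC_ACCOUNTDISABLE = 0x0002


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; exact integer arithmetic, no float rounding."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def account_status(entry, now, lockout_duration=None):
    """Decide whether an AD account may log in, whatever credential is used.

    entry: dict of LDAP attribute name -> string value as AD returns it.
    now: aware UTC datetime to evaluate against.
    lockout_duration: timedelta after which a lockout clears by itself, or
        None for "locked until an administrator unlocks the account".
    Returns (allowed, reason).
    """
    uac = int(entry.get("userAccountControl", "0"))
    if uac & UAC_ACCOUNTDISABLE:
        return False, "account disabled"

    expires = int(entry.get("accountExpires", "0"))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return False, "account expired"

    locked_at = int(entry.get("lockoutTime", "0"))
    if locked_at:
        locked_until = (filetime_to_datetime(locked_at) + lockout_duration
                        if lockout_duration is not None else None)
        if locked_until is None or locked_until > now:
            return False, "account locked out"

    return True, "ok"


# Constructed sample data; none of these values come from a real directory.
NOW = datetime(2017, 1, 10, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=1)
LOCKOUT_DURATION = timedelta(minutes=30)
SAMPLE_USERS = {
    "alice": {"userAccountControl": "512", "accountExpires": "0", "lockoutTime": "0"},
    "bob": {"userAccountControl": "512",
            "accountExpires": str(datetime_to_filetime(NOW - timedelta(days=1)))},
    "carol": {"userAccountControl": "512",
              "lockoutTime": str(datetime_to_filetime(NOW - timedelta(minutes=5)))},
    "dave": {"userAccountControl": "514"},  # 512 (normal account) | ACCOUNTDISABLE
}


def evaluate_all(users=SAMPLE_USERS, now=NOW, lockout_duration=LOCKOUT_DURATION):
    """Evaluate every sample user and return {name: (allowed, reason)}."""
    return {name: account_status(e, now, lockout_duration) for name, e in users.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_all().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Running it denies bob (expired), carol (locked five minutes ago, within the 30-minute lockout window) and dave (disabled) while allowing alice; evaluating carol an hour later, after the lockout has aged out, allows her again.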

sssd_be subprocesses no longer unnecessarily consume memory

Previously, when the id_provider option was set to ad in the /etc/sssd/sssd.conf file, a helper process inside the sssd_be process sometimes failed. In consequence, the process was spawning new sssd_be instances, which consumed additional memory.
With this update, SSSD does not fork sssd_be subprocesses if no helper program is available. This reduces the amount of consumed memory. (BZ#1336453)

Attempts to renew the system password in a keytab no longer cause SSSD to stop working

When attempting to renew the system password stored in a keytab, System Security Services Daemon (SSSD) leaked a file descriptor. The leaked file descriptors gradually accumulated, which caused SSSD to stop working.
With this update, SSSD no longer leaks file descriptors in this situation. As a result, SSSD is able to keep updating the system password without the described negative impact on the system. (BZ#1340176)

SSSD now correctly processes GPO files that contain attributes in a format other than key=value

Previously, System Security Services Daemon (SSSD) did not correctly process INI files that contained attribute pairs in a format other than key=value. Consequently, SSSD failed to process group policy object (GPO) files that contained such attributes.
This update ensures that SSSD processes the mentioned files correctly even if they use a different attribute format than key=value. (BZ#1374813)
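As an added illustration of the parsing problem (this is not SSSD's INI parser, and the sample file content is constructed), the following Python reads a GPO template-style INI file tolerantly: it accepts key=value lines, keys without any value, values that themselves contain '=', comments and section headers. It also assumes that such policy files are commonly stored as UTF-16 with a byte-order mark and falls back to UTF-8.

```python
def decode_policy_file(data):
    """Decode raw policy file bytes.

    GPO template files are assumed to be UTF-16 with a BOM (see lead-in);
    anything else is treated as UTF-8, with or without a BOM.
    """
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_policy_ini(text):
    """Parse INI-style text into {section: {key: value}}.

    Accepted line forms:
      [Section]     section header; keys before any header land in section ""
      key=value     value is everything after the FIRST '=', so values may
                    contain '=' themselves; surrounding whitespace is dropped
      key           attribute with no '=' at all, stored with value None
      ; or #        comment lines, skipped like blank lines
    """
    result = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip()
            result.setdefault(section, {})
            continue
        bucket = result.setdefault(section, {})
        key, sep, value = line.partition("=")
        # a line without '=' is kept as a key with no value instead of
        # being treated as a parse error for the whole file
        bucket[key.strip()] = value.strip() if sep else None
    return result


# Constructed sample resembling a security template; not a real GPO file.
SAMPLE_GPT_TMPL = b"\xff\xfe" + (
    "[Unicode]\r\n"
    "Unicode=yes\r\n"
    "[Version]\r\n"
    'signature="$CHICAGO$"\r\n'
    "Revision=1\r\n"
    "[Privilege Rights]\r\n"
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555\r\n"
    "SeDenyNetworkLogonRight\r\n"
    "; a comment line\r\n"
    "[Registry Values]\r\n"
    "MACHINE\\Software\\Example\\Flag=4,a=b\r\n"
).encode("utf-16-le")


def parse_sample():
    """Decode and parse the constructed sample file."""
    return parse_policy_ini(decode_policy_file(SAMPLE_GPT_TMPL))


if __name__ == "__main__":
    for section, keys in parse_sample().items():
        print(f"[{section}]")
        for key, value in keys.items():
            print(f"  {key!r} -> {value!r}")
```

The line SeDenyNetworkLogonRight in the sample has no '=' at all; a parser that insists on key=value pairs would reject the whole file at that point, which is the failure mode the note describes.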

SSSD now resolves users with externalUser correctly

Support for the externalUser LDAP attribute was removed from the System Security Services Daemon (SSSD) in Red Hat Enterprise Linux 6.8. As a consequence, assigning sudo rules to local accounts, such as accounts defined in the /etc/passwd file, failed. The problem affected only accounts outside of Identity Management (IdM) domains and Active Directory (AD) trusted domains.
This update ensures that SSSD correctly resolves users with the externalUser attribute defined. As a result, assigning sudo rules works as expected in the described situation. (BZ#1321884)

SSSD correctly creates local overrides in an AD environment

Previously, the sss_override utility created case-insensitive distinguished names (DNs) when the id_provider option was set to ad in the /etc/sssd/sssd.conf file. However, the DNs in the SSSD cache are stored as case-sensitive. As a consequence, local overrides were not created for users from the Active Directory (AD) subdomain and for users with mixed-case account names. With this update, SSSD searches the object in the cache and uses the DN from the search result. This fixes the problem in the mentioned situation. (BZ#1327272)

OpenLDAP now correctly sets NSS settings

Previously, the OpenLDAP server handled its Network Security Services (NSS) settings incorrectly. As a consequence, the settings were not applied, and certain NSS-related options, such as olcTLSProtocolMin, did not work correctly. This update fixes the bug, and the affected options now work as expected. (BZ#1249092)

IPA replica installation no longer fails due to malformed HTTP requests

A bug in pki-core previously caused PKI to generate HTTP requests missing a Host header and using incorrect line delimiters during IPA replica installation. At the same time, an update to httpd caused these malformed requests to be rejected, even though they were accepted in previous versions, and as a result, IPA replica installations failed. This update to pki-core fixes the problem in HTTP request generation, and replica installations now work as expected. (BZ#1403943)
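The two defects in the generated requests, a missing Host header and non-CRLF line delimiters, are exactly what a stricter HTTP server rejects: RFC 7230 requires CRLF between lines and requires every HTTP/1.1 request to carry a Host header (a server must answer 400 when it is absent). The following Python is an added example, not pki-core or httpd code, that checks a raw request for both problems; the sample requests are constructed.

```python
def check_http_request(raw):
    """Return a list of problems found in a raw HTTP request (bytes).

    Checks the two defects named in the release note: line delimiters other
    than CRLF, and an HTTP/1.1 request without a Host header.
    """
    problems = []

    # RFC 7230 requires CRLF between lines. Every CRLF contains one LF, so any
    # surplus LFs are bare-LF delimiters.
    bare_lf = raw.count(b"\n") - raw.count(b"\r\n")
    if bare_lf:
        problems.append(f"{bare_lf} line(s) delimited by bare LF instead of CRLF")

    # Normalise so the remaining checks work on either delimiter style.
    normalized = raw.replace(b"\r\n", b"\n")
    head, sep, _body = normalized.partition(b"\n\n")
    if not sep:
        problems.append("header block is not terminated by an empty line")

    lines = head.split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        problems.append(f"malformed request line: {lines[0]!r}")
        return problems
    version = parts[2]

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append(f"malformed header line: {line!r}")
            continue
        headers[name.strip().lower()] = value.strip()

    # Host is mandatory only from HTTP/1.1 on (RFC 7230 section 5.4).
    if version == b"HTTP/1.1" and b"host" not in headers:
        problems.append("HTTP/1.1 request has no Host header")

    return problems


# Constructed sample requests (not captured from any real installation).
BAD_REQUEST = (
    b"GET /index.html HTTP/1.1\n"
    b"Accept: text/html\n"
    b"\n"
)
GOOD_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("bad", BAD_REQUEST), ("good", GOOD_REQUEST)):
        print(label, check_http_request(req) or "OK")
```

A request like BAD_REQUEST was tolerated by older httpd versions and rejected after the httpd update; validating generated requests against these two rules on the sending side is the cheap way to catch the regression before it breaks an installer.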