4.187. sssd

Updated sssd packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The sssd packages contain a set of daemons to manage access to remote directories and authentication mechanisms.

Bug Fixes

BZ#680443
Specifying a single server name in the ipa_server option in the /etc/sssd/sssd.conf file resulted in a successful dynamic update of the DNS records of the IPA DNS server. However, if two or more servers are specified, the update failed. This update addresses this issue, and specifying multiple servers in the ipa_server works as expected.
BZ#692455
When saving group memberships, SSSD uses a two-pass approach: save all the groups first, and then save their members. When a group GID is outside a specified range, the group should be skipped completely. Previously, SSSD correctly skipped the groups that were out of range during the save groups step, but then created the groups as a side effect of the save members step. As a result, SSSD did not filter groups which had a GID outside the specified range. With this update, the group save operation was changed so that only members of groups, which were processed successfully, are now saved, thus the bug is fixed.
BZ#694580
Previously, SSSD man pages only documented that some attributes expect lists of values but the man pages did not document how are these values supposed to be separated. With this update, the missing information has been added to the man pages, thus the bug is fixed.
BZ#698724
Previously, SSSD only informed the Kerberos library about the IP address of the password-change server if the password change request was delivered via the pam_sss module. As a result, tools that communicate directly with the password-change servers (for example kpasswd) were unable to operate. With this update, SSSD always passes the IP addresses of password change servers to the Kerberos library, thus the bug is fixed.
BZ#700168
Previously, the simple access provider in SSSD required that the user primary group was available to SSSD. As a result, the simple access provider did not work for users whose primary group was a local group stored in the /etc/group file because SSSD only handles remote groups. With this update, the failure to find the user primary group in the simple access provider is no longer treated as fatal so that users with the local primary group are handled correctly by the simple access provider.
BZ#707975
Previously, SSSD did not correctly escape certain special characters in the user names. As a result, the initgroups and login operations failed for users whose user names contained special characters. With this update, the user names are now escaped, thus the bug is fixed.
BZ#707999
The IPA provider internally constructs an LDAP URI based on what the hostname that is specified by the ipa_server parameter resolves to. Previously, when the hostname resolved to an IPv6 address, the LDAP URI routines returned an error. As a result, the IPA provider was unable to function correctly in an IPv6 environment. With this update, the IPA provider now escapes all IPv6 addresses so that they can be consumed by the LDAP routines correctly, thus the bug is fixed.
BZ#708104
Previously, the Kerberos ticket renewal timer tasks were issued every time a back end detected the online state. This unintended behavior has been fixed in this update so that the ticket renewal tasks are now only issued as per the krb5_renew_interval parameter.
BZ#709352
Previously, the parameters for a domain name and user name were swapped in debug messages. With this update, the parameters have been fixed, thus the debug messages are now correct.
BZ#748818
The NSS responder process of SSSD uses an internal hash table. If the SSSD back end was restarted and the NSS responder reconnected, the hash table was iterated over, but elements in it were not checked for initialization. As a result, the NSS responder could have terminated unexpectedly after it was restarted due to accessing the already freed memory. With this update, all elements from the hash table are copied first and iterated over afterwards, thus the bug is fixed.
BZ#748820
SSSD stores all users and groups retrieved from the remote server in its local cache. When writing to this cache, transactions are used. If the RFC 2307bis schema was used, one transaction was used for each entity stored in the cache. As a result, the initgroups operation performed too many disk writes, thus slowing the operation down. With this update, all entities retrieved from the remote server are first stored in an internal hash table, and then only a single transaction is used to store all the groups and their memberships so that the initgroups operation is now faster, especially for users who are members of a large number of groups.
BZ#748822
Previously, SSSD required that all groups which SSSD worked with had a complete set of UNIX attributes, although the Active Directory groups can be individually set with or without the UNIX attributes. When a group without the UNIX attributes had a member with the UNIX attributes, SSSD did not recurse to the nested UNIX group. As a result, SSSD was unable to traverse the hierarchy correctly and the initgroups() operation did not return all groups correctly. With this update, SSSD has been changed so that it can examine non-UNIX groups for potential UNIX nested member groups. SSSD is now able to return the complete list of groups even if the hierarchy mixes UNIX and non-UNIX groups.
BZ#748833
Previously, SSSD incorrectly assumed that if the ldap_default_authtok option was used, the ldap_default_authtok_type option was set to password even if it was not explicitly specified in the configuration file. With this update, password has been made the default value for the ldap_default_authtok_type option, thus the bug is now fixed.
BZ#748834
Previously, the IPA provider reported an error if the provider did not find any group memberships for a user during the initgroups operation. As a result, the initgroups operation failed. With this update, the IPA provider has been fixed so that the provider now gracefully handles users without group memberships and the initgroups operation succeeds for users who are not members of any group.
BZ#748835
Previously, the internal resolver of SSSD was set to never retry other name servers, which were read from the /etc/resolv.conf file, if the first one failed to resolve a hostname. As a result, SSSD switched to offline mode without asking the other configured name servers. With this update, the bug has been fixed by configuring the resolver to query all name servers so that hostname resolution correctly retries until it either queries all the configured name servers or resolves the hostname.
BZ#748836
When the ldap_uri parameter was incorrectly configured so that the hostname part was missing, SSSD stored NULL in the pointer, in which the hostname was saved, and used it later on for establishing a connection. As a result, SSSD accessed the NULL pointer and terminated unexpectedly. With this update, the URI parsing function has been changed so it aborts when it cannot parse a valid hostname from the specified URI. SSSD reports an error and does not crash when an invalid ldap_uri parameter is used in the configuration file.
BZ#748842
Previously, the SSSD man page did not explicitly list the rules for encoding IPv6 addresses. The man page has been updated and the missing content added, thus the bug is fixed.
BZ#748844
Previously, the sssd daemon package did not explicitly specify that it required the sssd-client package of the same architecture. As a result, it was difficult to specify to install both primary and secondary architecture sssd-client packages on multiarch systems. With this update, the main sssd package now requires the sssd-client package of the same architecture, thus the bug is fixed.
BZ#748846
During the login process, SSSD could have attempted to create a ccache file for the user if the old ccache file had already expired. The SSH daemon used different processes with different UID values for different parts of the login process. As a result, if a user password expired after the user logged in, SSSD was unable to switch to a new ccache. With this update, SSSD forces removal of the old ccache if the Kerberos authentication subprocess returns a special PAM_NEW_AUTHTOK_REQD return code so that SSSD is able to recreate a ccache file instead of an existing (but inactive) ccache file for a user who logs in via SSH with an expired password.
BZ#748847
Previously, SSSD relied on the inotify kernel subsystem to detect whether a Domain Name System (DNS) resolver file was changed. If inotify returned an error (for example due to resource exhaustion), SSSD terminated unexpectedly and network logins no longer worked. With this update, SSSD itself detects the failure in the described scenario and falls back to the five-second polling, fixing this bug.
BZ#748848
When SSSD communicated with an OpenLDAP server which supported server-side password policies but did not list them in the supportedControl attribute of the server rootDSE entry, SSSD terminated unexpectedly with a segmentation fault. With this update, this bug has been fixed.
BZ#748853
Previously, the buffer used for the dynamic DNS update operation was not big enough to contain IPv6 addresses. As a result, only part of the address was written into DNS, which corrupted the records. With this update, a larger buffer that is able to contain all address families is now used, thus the bug is fixed.
BZ#748855
Previously, SSSD did not properly close its Pluggable Authentication Modules (PAM) sockets after an authentication attempt, which eventually resulted in process resource exhaustion and a denial of service situation. With this update, SSSD has been modified to fix this problem, and file descriptors are now properly released when they are no longer in use.
BZ#748856
Previously, SSSD did not keep a copy of the list of supported LDAP controls during the whole LDAP operation. At the same time, it used the list of controls to determine if password expiration controls were available. As a result, password expiration warnings did not function properly because SSSD expected that they were not available. With this update, SSSD always requests the expiration controls so that the password expiration warnings are now displayed, as expected.
BZ#748857
Previously, certain Lightweight Directory Access Protocol (LDAP) deployments contained a group with the option GID=0 set which acted like a "root" group. As a result, the operation that processed members belonging to the group with GID=0 was aborted. With this update, groups with GID=0 are treated as non-POSIX groups (that is groups that are containers only and not reported to clients) so that the groups are handled gracefully.
BZ#748858
After a connection was established to the server, SSSD never refreshed the resolved address and kept the old one until a failure occurred while communicating with the host. As a result, if a DNS record was changed, SSSD was not notified until the original address stopped working. With this update, the internal resolver has been switched to honor the time to live (TTL) values that are read from DNS so that the resolved names are only valid for the period specified by the TTL field in DNS. The resolver refreshes the IP address after the interval passes.
BZ#748860
Previously, the LDAP provider man page incorrectly suggested that if the Generic Security Services Application Program Interface (GSSAPI) authentication is used and the Kerberos realm is not specified, the system default realm is used. With this update, the man page has been fixed so that it now correctly suggests that the realm configured in the /etc/krb5.conf file is used in the case mentioned above.
BZ#748864
Previously, SSSD checked for an incorrect DBus return code. As a result, instead of detecting timeouts properly, the monitor process disconnected from the back-end process, which resulted in failure to be notified about back end going online, and in network performance problems. With this update, SSSD checks for a correct DBus return code and improves handling of timeouts on the DBus connection, thus the mentioned problems are fixed.
BZ#748865
When processing group memberships for a user who was a member of a group that lacked any POSIX attributes, the loop index was incremented even for groups that were expected to be skipped. Instead of being skipped, groups without the POSIX attributes were returned with a random GID. With this update, the loop index is now only incremented for valid POSIX groups so that correct group membership is returned.
BZ#748866
Under certain circumstances, if the Simple Authentication and Security Layer (SASL) was used, libldap could have tried to canonicalize the hostname by doing a reverse lookup. As a result, the LDAP request could have been blocked. Also if the PTR record was wrong, SSSD was not able to authenticate to the server at all. With this update, the bug has been fixed by adding an SSSD configuration directive, which allows turning the canonicalization on or off. The canonicalization is off by default.
BZ#748869
Prior to this update, a generic and thus not understandable error message was displayed if a user password was changed but the password policy constraints were violated. With this update, the bug has been fixed by displaying the error message that clearly states what happened.
BZ#748873
During the password change, password policy attributes are checked in SSSD. If these attributes were incomplete, SSSD reported this password policy error as an internal error. As a result, the log message produced in this case was confusing. With this update, an authentication error is now reported and a proper log message is displayed so that the log messages related to the password policy are no longer confusing.
BZ#748874
SSSD uses an internal cache to store all entities retrieved from the server. Attributes of these entities can have different names in the cache and remote server. Under certain circumstances, SSSD used the attribute names for the remote server instead of the names for the local cache. As a result, if non-default attribute names were used either for the group GID or name, all groups were processed and stored to the cache incorrectly, thus not returned to the NSS client. With this update, the cache attribute names are now correctly used when processing groups that are retrieved from the server, thus the bug is fixed.
BZ#748875
If a user or group entry had multiple names and none of them matched the Relative Distinguished Name (RDN) in LDAP, an error occurred during the processing of the entry in SSSD's back end. As a result, entries with multiple names, with neither of them matching the RDN, were not stored and returned by SSSD. With this update, the entry that matches the RDN is now returned if the RDN attribute is the same as the name attribute, thus the bug is fixed.
BZ#748877
Previously, SSSD did not store alternative names in if the user or group included these alternative names. As a result, members of groups were not returned by SSSD if the member attribute had different value than what was determined as the primary name for that member object. With this update, SSSD stores all user name or group name aliases in the cache. When determining the membership structure, SSSD checks for aliases in addition to the primary name so that the membership structure is correctly determined and returned.
BZ#748878
Previously, SSSD did not store any alternative entry names if the name entry included the alternative entry names. As a result, entries with multiple names stored in the SSSD cache were not returned by SSSD to the NSS client if the entries were stored with different names than what the NSS client asked for. With this update, the bug has been fixed by storing name aliases in the cache in addition to the primary name.
BZ#748879
SSSD displayed a private LDAP error message because there were no special error messages available that were dedicated to error conditions indicated by the server-side password policies. As a result, a very generic, and thus not understandable error messages were printed when this error occurred. With this update, the bug has been fixed so that a clear and understandable error message is now printed when this error occurs.
BZ#748881
When converting string values returned by LDAP, SSSD used conversion with an implicit number base, which led to automatically detecting the base that was expected to be used. As a result, in case the UID or GID value returned from LDAP started with zero, the number was considered octal and after the conversion, a wrong value was used. With this update, explicit 10 base is now used for conversion so that the UID and GID values are not erroneously converted anymore.
BZ#748882
Previously, the example configuration file shipped with the SSSD contained directives, which were inaccurate, outdated, and technically inappropriate. With this update, a new example configuration file is provided, thus the bug is fixed.
BZ#748895
The Name Service Switch (NSS) responder process of SSSD uses an internal hash table. If SSSD back end was restarted and the NSS responder reconnected, the hash table was accessed but not checked for existence. As a result, under certain circumstances, nothing was stored in the hash table before the NSS responder reconnected, and the NSS responder accessed uninitialized memory and terminated unexpectedly. With this update, the hash table is now checked for existence, thus the bug is fixed.
BZ#748896
Previously, if internal communication between the PAM responder and one of SSSD's back ends timed out, a handling routine was invoked. Under certain circumstances, this routine could have caused a race condition which could have resulted in accessing memory that has been freed. As a result, the PAM responder terminated unexpectedly. With this update, timeout handling routine does not free the context until all operations on this context are done, thus the bug is fixed.
BZ#748898
SSSD's components communicate using the DBus protocol. On initializing the DBus server, the DBus library is given a file name that represents a known interface. DBus creates the socket on server startup. When server shuts down, it calls a DBus cleanup function which removes the socket. If one of the components was restarted, a race condition could have caused the socket to be removed by the old component instance after the new instance was already running and connected to it. With this update, path names that contain the server process' PID are passed to DBus and a symbolic link with a known and defined path name is pointed to the path name with PID. Clients connect to the well-known symbolic link paths. When the DBus server exits, the server only removes the path name appended with PID. Clients are still connected to the same path no matter what server is the symbolic link pointed to.
BZ#748899
Prior to this update, the HBAC provider was performing case-sensitive matches on hostnames. However, hostnames, as defined by RFC 952, are case insensitive. This update modifies the hostname matching code to be case insensitive.
BZ#758163
When establishing a connection to an LDAP server, SSSD did not handle all possible error codes it could receive but only the ETIMEDOUT error code. Therefore, if SSSD received an error code different from ETIMEDOUT, it did not perform the expected failover to another LDAP server and switched to off-line mode. With this update, SSSD has been modified to handle all error codes received on connection attempt. SSSD now tries to connect to all specified LDAP servers and goes off-line only when it fails to connect to all of them.
BZ#758168
SSSD responders did not verify whether a username string, which was passed to SSSD by a client application, contained any invalid UTF-8 characters. As a consequence, SSSD terminated unexpectedly when trying to pass such a string to the data provider over the D-Bus protocol, and the validation test performed by the libdbus library failed. To prevent this problem from occurring, UTF-8 validity checks on the string have been added in the underlying SSSD code. SSSD now does not accept username strings that are not compliant with UTF-8 encoding so that SSSD no longer crashes.
BZ#760166
Previously, the host-based access control part of SSSD treated all its attributes as plain strings. As a result, case-insensitive comparisons of attributes (for example host group names) failed if the attributes contained UTF-8 characters. With this update, the SSSD host-based access control provider utilizes libunistring for performing string comparisons where applicable so that SSSD is able to handle UTF-8 strings in the host-based access control rules.

Enhancements

Note

For more information on the most important of the Red Hat Enterprise Linux 5.8 SSSD enhancements, refer to the Red Hat Enterprise Linux 5.8 Release Notes.
BZ#773327
SSSD now logs the full dynamic DNS message into the debug logs. The message contains the following data:
  • hostname of the client,
  • IP addresses of clients' network interface (either the one the client uses to connect to LDAP or one selected in the SSSD configuration file),
  • client DNS zone,
  • Kerberos realm of the client,
  • IPA server hostname.
BZ#748854
With this update, a new option ipa_hbac_treat_deny_as has been added to SSSD. The default value for the option is DENY_ALL, which means that any DENY rule in the whole set of rules will deny access regardless of what is the actual rule. Alternatively, the option can be set to IGNORE to skip the DENY rules.

Important

By ignoring the DENY rules altogether, setting the ipa_hbac_treat_deny_as option to IGNORE may, under certain circumstances, allow access to users who are not intended to be allowed.
BZ#748867
Previously, SSSD did not set a special path for the Kerberos replay cache files. As a result, the files were stored in the /var/tmp/ directory. Because the file names are not standardized, they were not handled by the Security-Enhanced Linux (SELinux) policy correctly. As a result, when using SELinux in Enforcing mode, SSSD did not work with the option krb5_validate set to true. With this update, support to specify the Kerberos replay cache directory, both at compilation time and in the configuration file, has been added into SSSD, also a corresponding SELinux policy update has been made to accommodate the Kerberos replay cache directory, thus the bug is fixed.
All users of SSSD should upgrade to these updated packages, which fix these bugs and add this enhancement.