Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

5.312. sssd

Updated sssd packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.


The sssd package has been upgraded to upstream version 1.8.0, which provides a number of bug fixes and enhancements over the previous version. (BZ#735422)

Bug Fixes

User authentication could fail if the user or its group data specified non-standard LDAP attributes due to incorrect handling of such attributes. With this update, such attributes are handled properly and user authentication now works under these circumstances as expected.
Previously, SSSD did not correctly handle LDAP authentication requests failover under a heavy load and the request could fail with a system error. This occurred due to an invalid LDAP URI value if the second authentication request was sent before the first request could be processed by the failover service. With this update, the underlying code has been modified to ensure that the LDAP URI string remains valid until the LDAP authentication request is processed.
The function handling pending requests on reconnect was checking an orphaned global variable that was never used. Consequently, if SSSD never received a response to a request, the request and any subsequent requests for the same information remained unhandled. With this update, the function refers correctly to the respective hash table and identical requests are now processed as expected even if the original request fails.
SSSD uses libdbus for interprocess messaging. Previously, libdbus caused SSSD to terminate unexpectedly when SSSD passed it a username with a non-UTF-8 character. With this udpate, SSSD checks if the input contains non-UTF-8 characters and rejects requests with such characters gracefully.
In the course of speeding up cached lookups for netgroups, SSSD inadvertently disabled the use of the nowait cache lookups. This functionality has now been restored and cache misses are reduced for oft-requested netgroups.
When using IPA as access_provider, SSSD evaluated only HBAC (Host-Based Access Control Rules) rules and failed to evaluate password expiration policies in the PAM_ACCT_MGMT phase. Consequently, users who logged in to a FreeIPA-managed system with an alternative mechanism, such as SSH public-key or GSSAPI, did not have their password-expiration status evaluated and managed to log in even if their accounts were expired or disabled. With this update, SSSD now checks password-expiration policies in the IPA access_provider and users with such accounts can no longer log in to the system in the scenario described.
When looking up cached group entries, the glibc queries SSSD with a fixed buffer. If the group did not fit into the buffer, SSSD returned an error and glibc retried with an enlarged buffer. This caused performance issues when querying large groups as multiple retries involved repeated contacting of SSSD and reading the entries from the cache. The SSSD NSS client now keeps the group entry in memory until a sufficiently large buffer is provided and lookups for cached group entries are now faster.
After an LDAP client-side migration, SSSD used the start TLS operation on a connection that was already encrypted by GSSAPI. Consequently, under certain circumstances, the sssd_be process, which communicated directly with the server, terminated unexpectedly and dumped core. With this update, the migration procedure has been fixed so that it now establishes a new TLS-only connection for the migration and the client-side password migration is more robust.
Prior to this update, the SSSD daemon saved a NULL pointer instead of an empty service or a host group and later dereferenced the pointer if an IPA server contained an HBAC rule with these empty service groups or host groups. As a consequence, the NULL pointer dereference could abort SSSD. This update creates an empty array rather than using a NULL pointer. Now, SSSD handles empty service groups or host groups as expected.
Prior to this update, SSSD performed a single LDAP search operation per every LDAP group member if the RFC2307bis schema was used. As a consequence, group lookups could take a long time especially for environments with large groups. This update leverages a "dereference" feature to allow downloading all the members in a single large search operation. Now, group lookups take significantly less time.
The POSIX standard mandates that user and group names are case sensitive but the user and group names are case insensitive on Windows and on most LDAP servers. Name comparisons that matched in Windows did not match in Red Hat Enterprise Linux. This update introduces a new option, "case_sensitive", that allows to treat names in a case insensitive manner. This option is set to "true" by default, maintaining the POSIX standard setting.
Prior to this update, the SSSD daemon printed a warning message to the /var/log/secure log if a user was passed to SSSD that SSSD could not handle, such as local users while processing logins for SSSD. As a consequence, the /var/log/secure log was filled with redundant error messages. With this update, the module accepts the option "quiet" that suppresses the unknown user messages. Error messages about unknown users no longer appear in /var/log/secure.
Prior to this update, SSSD only read its configuration at startup time and the verbosity of the debug logs could only be set at startup time. As a consequence, users had to leave noisy debug logs enabled for extended periods when trying to track down an intermittent error. A reboot to change the debug level could cover the problem for some time until it reoccurred. With this update, a new command line tool is added to SSSD to change the debug level of live SSSD processes. Users can now change the debug verbosity of the SSSD processes without restarting SSSD.
Prior to this update, configuration options were defined as required even when they were not required. Also the script for configuration parsing did not merge the old tree with the new one when changing certain options but created a new one and deleted the old one instead. As a consequence, the configuration file could change significantly, comments and blank lines disappeared, and also new options were added when updating a configuration file with scripts to parse the configuration. This update reduces the list of required options and modifies the configuration parsing script so it merges the old and the new tree. After being processed with the python scripts, the configuration file is now corresponding to the original.
Prior to this update, the Identity Management provider used keytabs to authenticate against an Identity Management server by constructing the expected principal and then attempting to use this principal. If the constructed principal was not in the keytab, the entire operation failed and the backend was not able to connect to the Identity Management server. This update changes the approach to list all principals in a used keytab and to select the most convenient one. The current implementation uses a more flexible algorithm to find a suitable principal in a keytab.
Prior to this update, the NSS responder used a negative cache to avoid asking repeatedly the provider for non-existent entities. The querying process for netgroups did not work efficiently with the negative cache. An empty netgroup could, under certain circumstances, be returned to the client even for a non-existent group. This update modifies the NSS responder to use a special flag indicating that the group was found in the cache when using a negative cache for netgroup lookups. Netgroup queries no longer return empty netgroups if they do not exist in the cache.
Prior to this update, the SSSD cache storage function for user entities did not check empty strings in loginShell attributes. If the check encountered such an attribute, the storing procedure failed completely. When using a proxy provider and the utilized NSS module returned an empty loginShell, updating user records in the cache failed. This update ensures that the proxy provider does not pass empty strings to the function.
Prior to this update, SSSD expected all users in a POSIX-enabled Active Directory group to be POSIX-enabled users. If some members of a POSIX-enabled group were lacking the POSIX username attribute, SSSD returned an error when looking up that group. This update ignores non-POSIX group members. SSSD now returns all POSIX-enabled group members and silently ignores non-POSIX members.
Prior to this update, a server status in the SSSD server list was reset after 30 seconds to allow retries. If a full cycle over the server list took more than 30 seconds, the cycle started again. SSSD deployments using large server failover lists could loop indefinitely. This update modifies SSSD was to only loop over the fail over list once. If the SSSD tries all the servers in the fail over list without succeeding, the operation always fails.
Prior to this update, SSSD used expand FQDN and DNS SRV to look up DNS SRV records for failover servers. On FreeIPA-enrolled machines, the client hostname could, under certain circumstances, not match the IPA domain name. These clients were unable to discover failover servers. When the id_provider is set to IPA, then the dns_discovery_domain is automatically set to the value of ipa_domain. FreeIPA clients are able to autodetect failover servers even if their hostname is not part of the FreeIPA domain.
Prior to this update, SSSD was limited to using 1024 file descriptors for its sssd_nss and sssd_pam responder processes. On very busy systems with many user lookups and/or authentications, SSSD could run out of descriptors and stop responding to requests until it was restarted. This update increases the SSSD limit to 4096 descriptors. Users should not experience the resource exhaustion described above.
Prior to this update, SSSD logged errors in the Kerberos authentication only into its own debug logs. Errors that occurred during Kerberos authentication are now sent to the syslog in addition to the debug logs.
Prior to this update, the function for storing netgroups in SSSD cache did not check attributes that are contained in sysdb but not in the LDAP response from the server. If a netgroup has been cached by SSSD and it changed on the server in a way that it missed all the triples, this change was not projected in the cache. To avoid this problem, a check for attributes that are missing from the LDAP response when saving a netgroup has been added.
Prior to this update, SSSD used a wrong counter and could access random memory when resolving a complex group structure during an initgroups operation. The random memory access terminated the sssd_be process. SSSD now uses the correct group counter and processes nested group structures correctly.
In case SSSD was operating in the offline mode and a Kerberos password was requested with a configuration that also used the KDC server for changing passwords, SSSD was issuing the password change requests in an infinite loop. Specifically, the "sssd_be" process was looping infinitely and occasionally even terminating unexpectedly. The "sssd_be" process was fixed to not call the password changing request while operating in the offline mode. When a password change operation is requested while SSSD is offline, the operation exits gracefully.
When an LDAP entry changed its attributes and was saved again into the SSSD cache, SSSD might have accessed an undefined variable value. This caused SSSD to crash. With this update, the variable is now initialized to a known default value, and SSSD no longer crashes when updating cached entries.
Due to a programming error, a loop could only be exited when an error occurred. When a connection to a system with "knownhostproxy" enabled was closed, the loop was not exited and caused "sss_ssh_knownhostsproxy" to become unresponsive. This update fixes this bug so that the loop is exited when the connection is closed, and "sss_ssh_knownhostsproxy" no longer hangs.
A bug in the SSSD configuration parser caused the parser library to terminate unexpectedly when an old SSSD configuration domain was removed and a new one was saved. Consequently, applications which used the configuration parser, such as "authconfig", would crash. This update fixes the SSSD configuration parser so that it no longer crashes.
The OpenLDAP client libraries (used by SSSD) did not time out properly if communication with an LDAP server would drop packets instead of rejecting them. As a consequence, SSSD became unresponsive and never responded to requests. This update adds a timer to SSSD to ensure that connections are timed out after a reasonable amount of time; SSSD no longer hangs.
When an SSSD service exited while a check for its presence was still in progress, SSSD might have accessed invalid memory, which resulted in a crash. With this update, any pending checks are canceled when an SSSD service exits, and SSSD no longer crashes.
When a new group was added to the SSSD cache, it was not checked whether there was another group with the same GID already present in the database. With this update, when adding a new group to the cache, any group with the same GID that is already present in the cache is deleted.


The ldap_sasl_minssf option has been added to the configuration of SSSD. This option can be used to specify the minimal level of encryption SSSD (or rather, the LDAP library used by SSSD) should use when communicating with a server.
A new option, ldap_chpass_update_last_change, has been added to SSSD configuration. If this option is enabled, SSSD attempts to change the shadowLastChange LDAP attribute to the current time. Note that this is only related to a case when the LDAP password policy is used (usually taken care of by LDAP server), that is, the LDAP extended operation is used to change the password. Also note that the attribute has to be writable by the user who is changing the password.
The sss_cache tool has been added to the SSSD package. This tool allows you to expire cached objects, which triggers their online renewal as soon as they are requested and it is possible to retrieve them from a server.
SSSD had a single configurable option for setting the cache timeout for users, groups, netgroups and services. However, some deployments have different caching needs for different nsswitch maps. With this update, SSSD provides new options to configure each cache entry type's timeout individually:
Users can now define their cache timeouts on a per-entry basis. For more information about these options, refer to the sssd.conf(5) man page.
SSSD has changed the behavior of the debug_level option in the "/etc/sssd/sssd.conf" file. For more information, refer to the Red Hat Enterprise Linux 6.3 Release Notes.
SSSD now contains a configurable idle timeout, after which it disconnects from the LDAP server until the next request is received. As a result, SSSD is now a less resource-intensive client for LDAP servers.
SSSD relies on some information it can retrieve from the RootDSE in order to determine the capabilities of the server. Some servers do not make the RootDSE available via unencrypted, non-authenticated LDAP bind (in violation of the LDAP standard). On such servers, SSSD operates in a slightly degraded mode, being unable to take advantage of any enhanced features of the LDAP server. With this update, SSSD now makes a second attempt to retrieve the RootDSE after it completes a successful bind attempt. SSSD is now able to take advantage of enhanced features on servers that do not expose the RootDSE to non-authenticated users.
OpenLDAP servers sometimes report that paging control is available even if it is disabled. Consequently, SSSD previously attempted to use the paging control feature and failed to perform lookups relying on this feature, such as lookups of group members. With this update, a new option ldap_disable_paging has been added to SSSD, which allows the user to disable paging control on such servers manually.
The ability to search multiple bases for each entry type has been added to SSSD.
This update adds support for automount map caching as a Technology Preview. Cached automount maps allow a client machine to perform mount operations even though the LDAP server is unreachable. Also, the feature results in faster performance on the client and lower traffic on the LDAP server.
To enable the behavior of pam_check_host_attr, users can now set the ldap_access_order = host and ldap_user_authorized_host options to enable access-control based on the presence of this attribute in LDAP.
Evaluation of srchost HBAC rules can be unreliable and cause significant performance issues on login. With this update, SSSD now ignores srchost rules in HBAC processing by default. To enable the evaluation, set the newly-added ipa_hbac_support_srchost option to true.
SSSD now supports querying the services map of LDAP and the proxy provider and users can have their services map served and cached.
This update adds to SSSD the override_homedir option that allows the user to define a per-client override values for the home directory attribute.
Prior to this update, SSSD debug messages provided precision down to the wallclock second. When debugging performance issues, users required higher precision in the timestamps. With this update, SSSD adds the "debug_microseconds" option to enable microsecond-level precision in debug messages. Users of SSSD now have the option to enable microsecond precision in debug log messages.
A new option krb5_canonicalize has been added to SSSD configuration. When set to true, it sets a flag in krb5 request and the host and user principals are canonicalized and returned to SSSD by server. Note, that this feature requires Kerberos version 1.7 or later.
Users are advised to upgrade to these updated sssd packages, which fix these bugs and add these enhancements.
Updated sssd packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.

Bug Fixes

When the ldap_chpass_update_last_change option was enabled, the shadowLastChange attribute contained number of seconds instead of days. Consequently, when shadowLastChange was in use and the user was prompted to update their expiring password, shadowLastChange was not updated. The user then continued to get the error until they were locked out of the system. With this update, number of days is stored in shadowLastChange attribute and users are able to change their expiring passwords as expected.
Kerberos options were loaded separately in the krb5 utility and the IPA provider with different codepaths. The code was fixed in krb5 but not in the IPA provider. Consequently, a Kerberos ticket was not renewed in time when IPA was used as an authentication provider. With this update, Kerberos options are loaded using a common API and Kerberos tickets are renewed as expected in the described scenario.
When SSSD was built without sudo support, the ldap_sudo_search_base value was not set and the namingContexts LDAP attribute contained a zero-length string. Consequently, SSSD tried to set ldap_sudo_search_base with this string and failed. Therefore, SSSD was unable to establish connection with LDAP server and switched to offline mode. With this update, SSSD considers the zero-length namingContexts value the same way as if no value was available, thus preventing this bug.
All users of sssd are advised to upgrade to these updated packages, which fix these bugs.