Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

8.208. sssd

Updated sssd packages that fix a number of bugs and add two enhancements are now available for Red Hat Enterprise Linux 6.
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system and a pluggable back-end system to connect to multiple different account sources.

Bug Fixes

In case a member of a group was outside all configured search bases, the get-group-members request could be marked as done before the caller had a chance to register a callback. As a consequence, resolving a group with members outside the search base could have appeared as stuck. The get-group-members request was fixed to call a special tevent_req_post() function that waits with returning the result until the caller has registered a callback. The request now works correctly even if a member is outside configured search bases.
There was a get_attribute call used in the group processing code base that, when a nonexistent attribute was requested, could allocate an empty attribute instead of reallocating the previous attribute array. The reallocation could have invalidated existing pointers that were previously pointing to the array. In case a group contained no members at all, the array could be reallocated and existing pointers invalidated, causing the SSSD daemon to terminate unexpectedly. To fix this bug, another get_attribute is now used that returns the ENOENT error instead of creating an empty attribute. As a result, SSSD no longer crashes in the described scenario.
The pam_pwd_expiration warning was erroneously set to the 0 value for the Kerberos provider and therefore, the password expiration warning was always displayed when the server had sent one. As a consequence, in certain environments, such as Active Directory (AD) or IPA, the warning was displayed on each login. This update applies a patch to modify this behavior and the warning is now set by default to be displayed only once in seven days.
The code that created the login file for the IPA provider did not handle error conditions correctly and was unable to recover after failure of writing a SELinux label. When no selinux-policy-targeted directory was present on the system, the target directory that the SSSD daemon wrote to was missing. Consequently, writing the login file failed. With this update, the underlying source code has been modified so that SSSD now correctly handles the writing failures as expected.
The possibility to retrieve very large Active Directory (AD) groups instead of skipping them has been added to the previous version of Red Hat Enterprise Linux. However, this behavior could cause performance problems, because the additional resolution took a long time. To fix this bug, a new option, ldap_disable_range_retrieval, has been added allowing the SSSD daemon to skip very large AD groups.
When the memory cache was reset with the sss_cache utility, the SSSD daemon did not close the file descriptor, which caused a file descriptor leak. The underlying source code has been modified so that the file descriptor is now closed correctly in the described scenario.
Netgroups can contain nested netgroups from other sources so that the SSSD daemon resolves only one nesting level at a time and allows the glibc library to query other sources as well. However, previously, there was a full query per nesting level and therefore the nested netgroup processing was very slow. With this update, a new option, refresh_expired_interval, has been introduced. The option controls the task that updates the expired records on the background instead of waiting for the user login. As a result, the nested netgroup processing is now faster.
Previously, simple access control denied access to case-insensitive domains for users that had their user names written in the uppercase characters. This update applies a patch to fix this bug so that all users are now able to log in as expected.
In case the processing of an LDAP request took longer than the client timeout (60 seconds by default), upon completing the request, the PAM client could have accessed memory that was previously freed due to the client timeout being reached. As a consequence, the sssd_pam process terminated unexpectedly with a segmentation fault. With this update, the SSSD daemon ignores an LDAP request result when it detects that the set timeout of this request has been reached. As a result, the sssd_pam process no longer crashes in the aforementioned scenario.
Every time when a user account was saved, the SSSD daemon performed an unnecessary search using an attribute, which was not indexed. As a consequence, saving a large number of user accounts consumed almost 100% of CPU especially during enumeration, because SSSD was searching for a non-indexed attribute. With this update, the search has been disabled and SSSD no longer consumes that amount of CPU when saving enumeration results.
When an attempt to locate servers using Domain Name System (DNS) SerRVice records (SRV) failed, the SSSD daemon did not retry the SRV query, even when the query internal timeout had passed. Consequently, when the server discovery process failed for the first time, especially during boot up, SSSD did not retry its query until it was restarted or the networking status of the client changed reseting the SSSD networking status. This update applies a patch to fix this bug so that the SRV queries always retry after a timeout passed. As a result, SSSD now retries SRV queries correctly in the described scenario.
The grace warning code displays number of logins left before the forced change of a password. Previously, there was an off-by-one comparison bug in that code. As a consequence, when the 389 Directory Server was used as a server, the last grace warning was not displayed. With this update, the comparison has been fixed and all logins during the grace period now produce warnings as expected.


Note that the grace warnings currently work only when 389 Directory Server or Red Hat Directory Servers is a Lightweight Directory Access Protocol (LDAP) server. The grace warnings do not work with an OpenLDAP server; this is a know issue.
When a group whose members were all outside the configured search bases was searched, the search request terminated incorrectly. This caused a use-after-free memory access and therefore the sssd_be process could terminate unexpectedly. The search request has been fixed so that it now terminates correctly, even if all group members are outside the configured search bases. As a result, sssd_be no longer crashes in the described scenario.
The default Domain Name System (DNS) timeout values were set too high preventing the SSSD daemon from failing over to all configured DNS servers. When a faulty DNS server was configured in the /etc/resolv.conf file, the DNS request could be terminated before it was able to perform a failover through all DNS servers configured in the file. The default DNS timeouts have been lowered allowing SSSD to fail over through all configured DNS serves as expected.
The number of the autofs maps returned from the SSSD daemon to the automounter daemon was incorrect under certain circumstances, for example, when the maps were too large. As a consequence, the maps were not returned reliably to automounter. This bug has been fixed with this update and the number of maps is now correct in all cases.
In case the cache contained two entries with the same name, which is an unexpected condition, the search request was not terminated correctly. In fact, the request was terminated twice and therefore the second time the request was terminated, it could access random memory. The error handling during the cache search has been amended so that the request is terminated only once. As a result, the SSSD daemon is now able to handle situations when the cache is corrupted.
Previously, the sudo refresh handler used an incorrect callback. As a consequence, an incorrect memory could be accessed in certain cases and therefore the sssd_sudo process terminated unexpectedly. With this update the handler uses the correct callback so that the process no longer crashes in the described scenario.
Previously, the description of the min_id option in the sssd.conf(5) manual page was misleading. It stated that the option could be set to the 0 value, which was not correct. With this update, the description has been changed so that the manual page now properly describes that the minimum value for the option is 1.
Previously, the IPA provider attempted to store the original value of a member attribute to the cache during the Host-Based Access Control (HBAC) evaluation. The values were processed by the memberof plug-in, which required a lot of processing time when there were very large host groups. As a consequence, the sssd_be process used 99% of CPU, which slowed down the login process significantly. With this update, the member attribute is no longer stored and the HBAC evaluation proceeds faster.
When users attempted to change their password using the passwd utility and wrote the current password incorrectly, the following passwd error was returned:
Authentication token manipulation error
This message appeared to be a system error, which could confuse users. With this update, SSSD sends and additional error message that specifies the problem:
Old password not accepted
Under certain circumstances, records stored in the fast in-memory cache could become corrupt. In such a case, the sssd_nss process terminated unexpectedly. An additional test has been added to check the fast cache before accessing a request. Now, when the records are invalid, they are skipped and requested from the SSSD daemon, thus avoiding the crash of sssd_nss.
Previously, the sss_cache -N command did not invalidate the SSSD in-memory cache of netgroups. Consequently, netgroups that had been recently queried were not refreshed before their expiration time, even if the command was executed. This update applies a patch to fix this bug so that the command now correctly invalidates the netgroups in-memory cache.
The libsss_sudo package did not require the certain version of the sudo utility that was supposed to work with the SSSD daemon. As a consequence, the package could be installed with the sudo version that was not compatible with SSSD. With this update, the package now requires the proper version of sudo as expected.
In case the SSSD daemon could not save a sudo rule to the cache, it returned an error and stopped processing the rest of the sudo rules. Therefore, none of the rules from the related provider were saved because the error with one rule canceled the entire transaction. With this update, when a sudo rule cannot be saved to the cache, a message is appended to the logs and the rule is skipped and processing of the remaining rules continues and works as expected. As a result, all but the defective sudo rule are saved to the cache.
Due to a bug in the underlying source code, a pointer to entries could be overwritten under certain circumstances. Consequently, the sssd_nss process terminated unexpectedly with a segmentation fault. The code has been modified to fix this bug and sssd_nss no longer crashes.
When a large amount of sudo rules with a combined size that exceeded 265 KB was configured on the system, due to the way the sss_packet_grow() function computed the total length of a response packet, the SSSD daemon failed with the following error message:
Unable to create response: Invalid argument
With this update, the sss_package_grow() function code has been fixed to properly compute the response packet length, and SSSD no longer fails in the aforementioned scenario.
When a dynamic Domain Name System (DNS) update operation timed out, certain data related to the operation was freed. Then a child handler attempted to access those data, which caused a segmentation fault in the sssd_be process. This update applies a patch to fix this bug and the handler is now aborted when the operation timed out. As a result, the segmentation fault no longer occurs in the described scenario.
In case that the Lightweight Directory Access Protocol (LDAP) connection was terminated when the search operation on this connection was still in progress, the search callback could access properties of the connection that no longer existed. As a consequence, the sssd_be process terminated unexpectedly. To fix this bug, an additional test has been added to the search callback. The test checks the validity of a connection before accessing its properties. As a result, the SSSD daemon no longer crashes in the described scenario.


This update provides a new SSSD configuration option. When enabled, the option permits LDAP groups to contain local users stored in the /etc/passwd file. The option is disabled by default, to enable it, set ldap_rfc2307_fallback_to_local_users = True.
A new option, which is used to avoid downloading group members, has been introduced. In most cases, the administrator only needs to retrieve group memberships for the user, not to download all group members. Moreover, when the group members are not downloaded and stored to the cache, the SSSD performance increases significantly. With this enhancement, the administrator can now disable downloading group members.
Users of sssd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.