7.202. sssd

Updated sssd packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms.

Note

The sssd packages have been upgraded to upstream version 1.12.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#1168347)

Bug Fixes

BZ#1168363
The "domains=" option for the pam_sss module
BZ#1088402
The UPN (User Principal Name) attribute to identify users and user logins
BZ#1036745
Password expiration warnings for non-password authentication
BZ#1168344
The ID views feature
BZ#1168377
Transferring the user shell attribute from an Active Directory (AD) server to an Identity Management (IdM) client
BZ#1098147
Updating cached entries out-of-band in the background
BZ#1161564
The ad_site option can be used to override the AD site discovered from DNS
BZ#1168357
A new Kerberos plug-in maps Kerberos principals to local SSSD user names
BZ#1168378
Groups for AD trusted users are displayed without logging in
BZ#1171782
The case_sensitive option accepts the "preserve" value.
BZ#1173198
The ldap_access_order option accepts the "ppolicy" value.
BZ#1187642
SSSD can use GPOs on an AD server
BZ#1123291
Applications leveraging identities from SSSD could terminate unexpectedly while invalidating the memory cache using the sss_cache utility. This bug has been fixed, and using sss_cache is safe.
BZ#1134942
SSSD properly recognizes Windows 2012R2 as an AD server and applies the correct AD-specific performance optimizations.
BZ#1139878
SSSD failed to connect to servers that only allowed authenticated connections to read the rootDSE entry, such as IBM Tivoli LDAP servers. SSSD now retries an authenticated connection after a non-authenticated connection fails while reading rootDSE. As a result, SSSD works as expected with these servers.
BZ#1170910
When the simple_allow_groups and simple_allow_users options contained non-existent and existing entries, SSSD denied access to the existing users or groups. Now, SSSD logs and skips the non-existent entries and correctly handles the existing ones.
BZ#1173738, BZ#1194367
This update fixes bugs that caused SSSD to terminate unexpectedly due to memory errors or when trying to access callback data.
BZ#1135838, BZ#1172865
The sssd-ldap(5) and sssd.conf(5) man pages have been modified.
BZ#1201847
SSSD downloaded an unnecessary amount of data when obtaining information about groups from an AD provider when using POSIX attributes on the server. With this update, SSSD downloads only the information about the group object, not the contents of the group.
BZ#1205382
SSSD did not properly handle the "objectGUID" AD LDAP attribute. Now, SSSD considers "objectGUID" a binary value as expected, and the attribute is stored correctly.
BZ#1215765
If a multi-process program requested the initgroups data immediately after SSSD startup, before the SSSD cache was ready, the NSS responder could incorrectly return an empty group list. With this update, the initgroups requests from a multi-process program with an empty cache work correctly, and the described problem no longer occurs.
BZ#1221358
Setups with "subdomains_provider=none" set for AD domains sometimes did not work as expected. Now, the ldap_idmap_default_domain_sid option value is used for the SSSD main domain, which fixes the bug. Note that ldap_idmap_default_domain_sid must be set for SSSD to function correctly in this situation.
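Several of the options named in this update (ad_site, case_sensitive, simple_allow_users and simple_allow_groups, subdomains_provider with ldap_idmap_default_domain_sid) live in the same sssd.conf domain section. The fragment below is an added illustration of how they fit together for an AD-joined client; it is not configuration taken from the errata or from the SSSD project, and the domain name, user and group names, site name and SID are placeholders.

```ini
# Added example, not part of the errata: a minimal sssd.conf for an AD-joined
# client that exercises options named in this update. All names, the site
# and the SID below are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = example.com

# BZ#1161564: pin the AD site instead of relying on the site discovered via DNS
ad_site = HQ-Site

# BZ#1171782: keep user and group names in the case the server returns them
case_sensitive = preserve

# BZ#1170910: a non-existent entry in these lists (for example a typo) is now
# logged and skipped rather than causing the listed existing users and groups
# to be denied
access_provider = simple
simple_allow_users = alice, bob
simple_allow_groups = linux-admins

# BZ#1221358: with subdomains_provider = none the main domain's ID mapping
# relies on the SID configured here, so it must be set (placeholder value)
subdomains_provider = none
ldap_idmap_default_domain_sid = S-1-5-21-111111111-222222222-333333333
```

After editing, keep /etc/sssd/sssd.conf owned by root with mode 0600 (SSSD refuses to start otherwise) and restart the sssd service; the access-control lists are evaluated on each login, so a denied user shows up in the PAM responder's log rather than failing silently.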

Enhancement

BZ#1171378
SRV queries now honor the time to live (TTL) values from DNS.

Users of sssd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.