7.202. sssd

Updated sssd packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms.


The sssd packages have been upgraded to upstream version 1.12.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#1168347)

Bug Fixes

The "domains=" option for the pam_sss module
The UPN (User Principal Name) attribute to identify users and user logins
Password expiration warnings for non-password authentication
The ID views feature
Transferring the user shell attribute from an Active Directory (AD) server to an Identity Management (IdM) client
Updating cached entries out-of-band in the background
The ad_site option can be used to override the AD site discovered from DNS
A new Kerberos plug-in maps Kerberos principals to local SSSD user names
Groups for AD trusted users are displayed without logging in
The case_sensitive option accepts the "preserve" value.
The ldap_access_order option accepts the "ppolicy" value.
SSSD can use GPOs on an AD server
Applications leveraging identities from SSSD could terminate unexpectedly while invalidating the memory cache using the sss_cache utility. This bug has been fixed, and using sss_cache is safe.
SSSD properly recognizes Windows 2012R2 as an AD server and applies the correct AD-specific performance optimizations.
SSSD failed to connect to servers that only allowed authenticated connections to read the rootDSE entry, such as IBM Tivoli LDAP servers. SSSD now retries an authenticated connection after a non-authenticated connection fails while reading rootDSE. As a result, SSSD works as expected with these servers.
When the simple_allow_groups and simple_allow_users options contained non-existent and existing entries, SSSD denied access to the existing users or groups. Now, SSSD logs and skips the non-existent entries and correctly handles the existing ones.
BZ#1173738, BZ#1194367
This update fixes bugs that caused SSSD to terminate unexpectedly due to memory errors or when trying to access callback data.
BZ#1135838, BZ#1172865
The sssd-ldap(5) and sssd.conf(5) man pages have been modified.
SSSD downloaded an unnecessary amount of data when obtaining information about groups from an AD provider when using POSIX attributes on the server. With this update, SSSD downloads only the information about the group object, not the contents of the group.
SSSD did not properly handle the "objectGUID" AD LDAP attribute. Now, SSSD considers "objectGUID" a binary value as expected, and the attribute is stored correctly.
If a multi-process program requested the initgroups data immediately after SSSD startup, before the SSSD cache was ready, the NSS responder could incorrectly return an empty group list. With this update, the initgroups requests from a multi-process program with an empty cache work correctly, and the described problem no longer occurs.
Setups with "subdomains_provider=none" set for AD domains did not sometimes work as expected. Now, the ldap_idmap_default_domain_sid option value is used for the SSSD main domain, thus fixing the bug. Note that ldap_idmap_default_domain_sid must be set for SSSD to function correctly in this situation.


SRV queries now honor the time to live (TTL) values from DNS.
Users of sssd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.