SSSD correctly reports supplementary groups for AD users in a nested domain
Resolving supplementary groups sometimes failed for Active Directory (AD) users with the same samAccountName attribute who existed in two AD domains. The id [user_name] command reported only the primary group for these users.
The underlying SSSD code has been improved to better match the user account with its domain. As a result, SSSD also reports supplementary groups of AD users in the described situation. (BZ#1293168)
Authentication no longer fails when two SRV resolution requests are running at the same time
When multiple service record (SRV) resolution requests were running concurrently, one of them returned a failure indicating that no new servers were found. Consequently, authentication using the ssh utility failed. With this update, SSSD handles two concurrent SRV resolution requests gracefully. As a result, authentication no longer fails in this situation. (BZ#1367435)
Users with expired or locked accounts now cannot log in to IdM clients with their SSH keys
When a trusted Active Directory (AD) user with an expired or locked user account attempted to log in to an Identity Management (IdM) client using a non-password login method, such as SSH keys, the login was successful. With this update, the IdM client checks the AD lockout attribute when verifying whether an AD user is allowed to log in. As a result, AD users with expired or locked accounts are no longer permitted to log in in this situation.
Note that this bug has no security impact: The AD user could not obtain a Kerberos ticket on the IdM client because the user account was expired or locked on the server side. (BZ#1335400)
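The point of the fix above is that a non-password login path must consult the account's state in AD, not only the credential it was presented. The following is an added illustration of that check, not SSSD's or IdM's own code: it models the lookup as a small function over the AD attributes userAccountControl, accountExpires and lockoutTime (real AD attributes; the constructed user records, the fingerprint strings and the simplification that any non-zero lockoutTime still counts as locked are assumptions of this example).

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as defined by Active Directory.
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010
UAC_NORMAL_ACCOUNT = 0x0200

# accountExpires values that Active Directory uses for "never expires".
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)

# accountExpires and lockoutTime are FILETIME values: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def account_state(attrs: dict, now: datetime) -> str:
    """Return 'ok', 'disabled', 'locked' or 'expired' from the user's AD attributes."""
    uac = int(attrs.get("userAccountControl", 0))
    if uac & UAC_ACCOUNTDISABLE:
        return "disabled"
    # Assumption for this example: a non-zero lockoutTime is treated as still locked.
    # A full implementation would also honour the domain's lockoutDuration.
    if uac & UAC_LOCKOUT or int(attrs.get("lockoutTime", 0)) != 0:
        return "locked"
    expires = int(attrs.get("accountExpires", 0))
    if expires not in ACCOUNT_NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return "expired"
    return "ok"


def ssh_key_login_allowed(attrs: dict, presented_fp: str, now: datetime) -> tuple:
    """Key-based login is allowed only if the key matches AND the account state permits it.
    The pre-fix behaviour described in the note corresponds to skipping account_state()."""
    if presented_fp not in attrs.get("sshPublicKeyFingerprints", ()):
        return False, "key mismatch"
    state = account_state(attrs, now)
    return state == "ok", state


# Constructed sample data: a fixed "now" and four hypothetical AD user records.
NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)
KEY_FP = "SHA256:constructed-fingerprint-1"
USERS = {
    "active": {"userAccountControl": UAC_NORMAL_ACCOUNT, "accountExpires": 0,
               "lockoutTime": 0, "sshPublicKeyFingerprints": (KEY_FP,)},
    "expired": {"userAccountControl": UAC_NORMAL_ACCOUNT, "lockoutTime": 0,
                "accountExpires": datetime_to_filetime(datetime(2016, 12, 31, tzinfo=timezone.utc)),
                "sshPublicKeyFingerprints": (KEY_FP,)},
    "locked": {"userAccountControl": UAC_NORMAL_ACCOUNT, "accountExpires": 0,
               "lockoutTime": datetime_to_filetime(datetime(2017, 2, 28, tzinfo=timezone.utc)),
               "sshPublicKeyFingerprints": (KEY_FP,)},
    "disabled": {"userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE, "accountExpires": 0,
                 "lockoutTime": 0, "sshPublicKeyFingerprints": (KEY_FP,)},
}

if __name__ == "__main__":
    for label, attrs in USERS.items():
        print(label, ssh_key_login_allowed(attrs, KEY_FP, NOW))
```

Running the block prints one line per sample user; only the active account is allowed in, the other three are refused with the reason the state check produced.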
sssd_be subprocesses no longer unnecessarily consume memory
Previously, when the id_provider option was set to ad in the /etc/sssd/sssd.conf file, a helper process inside the sssd_be process sometimes failed. In consequence, the process was spawning new sssd_be instances, which consumed additional memory.
With this update, SSSD does not fork sssd_be subprocesses if no helper program is available. This reduces the amount of consumed memory. (BZ#1336453)
Attempts to renew the system password in a keytab no longer cause SSSD to stop working
When attempting to renew the system password stored in a keytab, System Security Services Daemon (SSSD) leaked a file descriptor. The leaked file descriptors gradually accumulated, which caused SSSD to stop working.
With this update, SSSD no longer leaks file descriptors in this situation. As a result, SSSD is able to keep updating the system password without the described negative impact on the system. (BZ#1340176)
SSSD now correctly processes GPO files that contain attributes in a format other than key=value
Previously, System Security Services Daemon (SSSD) did not correctly process INI files that contained attribute pairs in a format other than key=value. Consequently, SSSD failed to process group policy object (GPO) files that contained such attributes.
This update ensures that SSSD processes the mentioned files correctly even if they use a different attribute format than key=value.
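To make the failure mode concrete, here is an added example (not SSSD's own INI code) of a parser that only accepts bare key=value lines next to a tolerant one that also handles whitespace around the separator, empty values, comments and a "=" inside a value. The sample file, the assumption that the tolerated variants are the ones that matter, and the UTF-16 decoding helper are all this example's own; the file layout merely resembles a GPO security template.

```python
import re

# Constructed sample in the layout of a GPO security template (not a real policy export).
# The line with spaces around "=" is the shape a strict key=value parser rejects.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
; remote logon rights (constructed sample)
SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-32-544
SeDenyNetworkLogonRight=
[Registry Values]
MACHINE\\Software\\Example\\Policy=1,"a=b"
"""

# Strict form: a key with no whitespace, "=", a value with no whitespace.
STRICT_LINE = re.compile(r"^[^\s=]+=\S*$")


def strict_unparsed_lines(text: str) -> list:
    """Lines a 'key=value only' parser cannot handle (headers and comments are skipped)."""
    bad = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in ";#[":
            continue
        if not STRICT_LINE.match(s):
            bad.append(s)
    return bad


def parse_ini(text: str) -> dict:
    """Tolerant parser: sections, ';'/'#' comments, whitespace around '=', empty values,
    '=' inside values (only the first '=' separates), and bare keys (stored as None)."""
    sections = {}
    current = sections.setdefault("", {})
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s[0] in ";#":
            continue
        if s.startswith("[") and s.endswith("]"):
            current = sections.setdefault(s[1:-1].strip(), {})
            continue
        key, sep, value = s.partition("=")
        key = key.strip()
        if not key:
            raise ValueError(f"line {lineno}: missing key in {s!r}")
        current[key] = value.strip() if sep else None
    return sections


def decode_gpo_bytes(data: bytes) -> str:
    """GPO templates are commonly UTF-16 with a BOM; fall back to UTF-8 (BOM tolerated)."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


if __name__ == "__main__":
    print("strict parser rejects:", strict_unparsed_lines(SAMPLE_INF))
    print("tolerant parser result:", parse_ini(decode_gpo_bytes(SAMPLE_INF.encode("utf-16"))))
```

The strict parser reports exactly the line with spaces around the separator, while the tolerant parser returns every section with the same keys a policy consumer would expect.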
SSSD now resolves users with the externalUser attribute
Support for the externalUser LDAP attribute was removed from the System Security Services Daemon (SSSD) in Red Hat Enterprise Linux 6.8. In consequence, the assignment of sudo rules to local accounts, such as by using the /etc/passwd file, failed. The problem affected only accounts outside of Identity Management (IdM) domains and Active Directory (AD) trusted domains.
This update ensures that SSSD correctly resolves users with the externalUser attribute defined. As a result, assigning sudo rules works as expected in the described situation. (BZ#1321884)
SSSD correctly creates local overrides in an AD environment
utility created case-insensitive distinguished names (DNs) when the option was set to file. However, the DNs in the SSSD cache are stored as case-sensitive. As a consequence, local overrides were not created for users from the Active Directory (AD) subdomain and for users with mixed-case account names. With this update, SSSD searches the object in the cache and uses the DN from the search result. This fixes the problem in the mentioned situation. (BZ#1327272)
OpenLDAP now correctly sets NSS settings
Previously, the OpenLDAP server used an incorrect handling of network security settings (NSS) code. As a consequence, settings were not applied, which caused certain NSS options, such as , not to work correctly. This update addresses the bug and as a result, the affected NSS options now work as expected. (BZ#1249092)
IPA replica installation no longer fails due to malformed HTTP requests
A bug in pki-core previously caused PKI to generate HTTP requests missing a header and using incorrect line delimiters during IPA replica installation. At the same time, an update to caused these malformed requests to be rejected, even though they were accepted in previous versions, and as a result, IPA replica installations failed. This update to pki-core fixes the problem in HTTP request generation, and replica installations now work as expected. (BZ#1403943)