Red Hat Product Errata RHBA-2012:0164 - Bug Fix Advisory
Issued:
2012-02-20
Updated:
2012-02-20

RHBA-2012:0164 - Bug Fix Advisory

Synopsis

sssd bug fix and enhancement update

Type/Severity

Bug Fix Advisory

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated sssd packages that fix several bugs and add various enhancements are now
available.

Description

The sssd packages contain a set of daemons to manage access to remote
directories and authentication mechanisms.

These updated sssd packages include numerous bug fixes and one enhancement.
Space precludes documenting all of these changes in this advisory. Users are
directed to the Red Hat Enterprise Linux 5.8 Technical Notes for information on
the most significant of these changes:

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/5.8_Technical_Notes/sssd.html#RHBA-2012-0164

All users of SSSD should upgrade to these updated packages, which fix these bugs
and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 680443 - Dynamic DNS update fails if multiple servers are given in ipa_server config option
  • BZ - 692455 - rfc2307bis groups are being enumerated even when the gidNumber is out of the range of min_id,max_id.
  • BZ - 694580 - SSSD's man pages are missing information
  • BZ - 698724 - kpasswd fails when using sssd and kadmin server != kdc server
  • BZ - 700168 - Users with a local group as their primary GID are denied access by the simple access provider
  • BZ - 707975 - Unable to authenticate users when username contains "\0"
  • BZ - 707999 - The IPA provider does not work with IPv6
  • BZ - 708104 - "renew_all_tgts" and "renew_handlers" messages are being logged multiple times when the provider comes back online.
  • BZ - 709352 - Typo in negative cache notification for initgroups()
  • BZ - 719107 - Native AD password policy attributes break shadow entries on forced password change, preventing login
  • BZ - 748818 - SSSD not functional after "self" reboot
  • BZ - 748820 - RFC2307bis initgroups calls are slow
  • BZ - 748821 - [RFE] Support overriding attribute value
  • BZ - 748822 - SSSD is not populating nested groups in Active Directory
  • BZ - 748833 - latest sssd fails if ldap_default_authtok_type is not mentioned
  • BZ - 748834 - IPA provider fails initgroups() if user is not a member of any group
  • BZ - 748835 - SSSD's async resolver only tries the first nameserver in /etc/resolv.conf
  • BZ - 748836 - Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) when ldap_uri is misconfigured.
  • BZ - 748837 - RFE: SSSD should support paged LDAP lookups
  • BZ - 748842 - Include valid "ldap_uri" formats in sssd-ldap man page
  • BZ - 748844 - sssd.$arch should require sssd-client.$arch
  • BZ - 748846 - During the change password operation the ccache is not replaced by a new one if the old one isn't active anymore.
  • BZ - 748847 - sssd shuts down if inotify crashes
  • BZ - 748848 - libsss_ldap segfault at login against OpenLDAP
  • BZ - 748849 - Certificate validation fails with message "Connection error: TLS: hostname does not match CN in peer certificate"
  • BZ - 748853 - IPA dynamic DNS update mangles AAAA records
  • BZ - 748854 - Remove DENY rules from the HBAC access provider
  • BZ - 748855 - sssd_pam leaks file descriptors.
  • BZ - 748856 - sssd doesn't honor ldap supportedControls
  • BZ - 748857 - "groups user" and "finger gecos" fails
  • BZ - 748858 - sssd does not handle kerberos server IP change
  • BZ - 748860 - LDAP+GSSAPI needs explicit Kerberos realm
  • BZ - 748861 - Provide a mechanism for vetoing the use of certain shells
  • BZ - 748864 - SSSD taking 5 minutes to log in
  • BZ - 748865 - When non-posix groups are skipped, initgroups returns random GID
  • BZ - 748866 - Add LDAP provider option to set LDAP_OPT_X_SASL_NOCANON
  • BZ - 748867 - [RFE] Have SSSD cache properly with krb5_validate = True and SElinux enabled
  • BZ - 748869 - "System error" appears in log during change password operation of a user in openldap server with ppolicy enabled.
  • BZ - 748870 - sssd crashes during auth while there exists multiple external hosts along with managed host.
  • BZ - 748872 - Authentication fails when there exists an empty hbacsvcgroup.
  • BZ - 748873 - Improve password policy error message
  • BZ - 748874 - Unable to enumerate rfc2307bis group with non-default attribute names.
  • BZ - 748875 - SSSD should pick a user/group name when there are multi-valued names
  • BZ - 748877 - Group lookups doesn't return it's member for sometime when the member has multi-valued uid.
  • BZ - 748878 - Lookup fails for non-primary usernames with multi-valued uid.
  • BZ - 748879 - "Unknown (private extension) error(21853), (null)" messages are logged during change password operation of a user in openldap server with ppolicy enabled.
  • BZ - 748881 - Use an explicit base 10 when converting uidNumber to integer
  • BZ - 748882 - Rework the example config
  • BZ - 748883 - HBAC rule evaluation does not properly handle host groups
  • BZ - 748893 - SSSD backend gets killed on slow systems
  • BZ - 748895 - Only access sssd_nss internal hash table if it was initialized
  • BZ - 748896 - sssd_pam segfaults on sssd restart
  • BZ - 748897 - HBAC processing is very slow when dealing with FreeIPA deployments with large numbers of hosts.
  • BZ - 748898 - SSSD can crash due to dbus server removing a UNIX socket
  • BZ - 758168 - sssd_nss crashes when passed invalid UTF-8 for the username in getpwnam()
  • BZ - 773327 - The full dyndns update message should be logged into debug logs

CVEs

(none)

Red Hat Enterprise Linux Server 5

SRPM
sssd-1.5.1-49.el5.src.rpm SHA-256: 91bfbfd99861d0546eacda71d2dc14ec160aaabb31e9a320cdf24c3ec4b8d6c3
x86_64
libipa_hbac-1.5.1-49.el5.i386.rpm SHA-256: fe00079f7f7f375fc0ae8d0e193f3d77771a50a06205b53f1f13c9b2f6b8ba68
libipa_hbac-1.5.1-49.el5.x86_64.rpm SHA-256: 119deb2b9bdb385b2cd6cc2eb2da8b303c353053d3ad739e6acaa242b8510c1f
libipa_hbac-devel-1.5.1-49.el5.i386.rpm SHA-256: 82651bf42d3ec0d1e118d2c836e6e024f3cc0c09741e06264c7222ce3aab8cd3
libipa_hbac-devel-1.5.1-49.el5.x86_64.rpm SHA-256: 90b4b20b0e099d39f7448b42156397eddb8ea8f01112d6e90b53035ebe5edd9d
libipa_hbac-python-1.5.1-49.el5.x86_64.rpm SHA-256: bc4677dc2d6cd9cbe9840ec21d71588247273568b8699d862dfabd5867a2a4df
sssd-1.5.1-49.el5.x86_64.rpm SHA-256: 1b0b186f4e3bcef7337dfc0632a6a5de62ede6e7341a9b0d7d004863ee1d0676
sssd-client-1.5.1-49.el5.i386.rpm SHA-256: 452998c3ea8828e5ad66ccf5d949524c0e68d273b812024f171f5af78ec75f14
sssd-client-1.5.1-49.el5.x86_64.rpm SHA-256: c0b0e541adad024705af5e3bf5bfc900166965732c2c4992c3ea727a84e4c068
sssd-tools-1.5.1-49.el5.x86_64.rpm SHA-256: 4c62b40fa0f1937bd4b479beaca0fc3b44a25870fd8ecf7eac90cb8b6b2befea
ia64
libipa_hbac-1.5.1-49.el5.ia64.rpm SHA-256: fafb6c2cc6047b5b37419fe7d78b9f400cef77a711c06bc8ff9c0215376fe08e
libipa_hbac-devel-1.5.1-49.el5.ia64.rpm SHA-256: 3949fd50a541b3445384deaabfe55452e7e315402f99bd770800097e268b72a3
libipa_hbac-python-1.5.1-49.el5.ia64.rpm SHA-256: c2a062c697b8a11111b889e6357a30bf16b6f6d5c17570d968dd1f255a5972bb
sssd-1.5.1-49.el5.ia64.rpm SHA-256: be8f19f9d2322c480b081326ce68f93f91c682d8462cbecc8a4ffd12bbc5cbb2
sssd-client-1.5.1-49.el5.i386.rpm SHA-256: 452998c3ea8828e5ad66ccf5d949524c0e68d273b812024f171f5af78ec75f14
sssd-client-1.5.1-49.el5.ia64.rpm SHA-256: 6e25c9e2dc614c1c1632072e527f829e98ecf16b1f3f943670c2547471d3d0e4
sssd-tools-1.5.1-49.el5.ia64.rpm SHA-256: 14ad8ad092560ffd57d969e43494a4d6a74988e5e42ba2023885136435709857
i386
libipa_hbac-1.5.1-49.el5.i386.rpm SHA-256: fe00079f7f7f375fc0ae8d0e193f3d77771a50a06205b53f1f13c9b2f6b8ba68
libipa_hbac-devel-1.5.1-49.el5.i386.rpm SHA-256: 82651bf42d3ec0d1e118d2c836e6e024f3cc0c09741e06264c7222ce3aab8cd3
libipa_hbac-python-1.5.1-49.el5.i386.rpm SHA-256: 454c3deaf31e9cd02a2a8318dce9611cffa8144cab97235b241a79dbaffdba97
sssd-1.5.1-49.el5.i386.rpm SHA-256: c00e75a8022ee210eea03a379d6995f5426e1b62908c77cabd96db39df824034
sssd-client-1.5.1-49.el5.i386.rpm SHA-256: 452998c3ea8828e5ad66ccf5d949524c0e68d273b812024f171f5af78ec75f14
sssd-tools-1.5.1-49.el5.i386.rpm SHA-256: d56757b0cac04925ddb601bacf796e26b91d041e483a6ddbcdd06c2a6abbd309

Red Hat Enterprise Linux Workstation 5

SRPM
sssd-1.5.1-49.el5.src.rpm SHA-256: 91bfbfd99861d0546eacda71d2dc14ec160aaabb31e9a320cdf24c3ec4b8d6c3
x86_64
libipa_hbac-1.5.1-49.el5.i386.rpm SHA-256: fe00079f7f7f375fc0ae8d0e193f3d77771a50a06205b53f1f13c9b2f6b8ba68
libipa_hbac-1.5.1-49.el5.x86_64.rpm SHA-256: 119deb2b9bdb385b2cd6cc2eb2da8b303c353053d3ad739e6acaa242b8510c1f
libipa_hbac-devel-1.5.1-49.el5.i386.rpm SHA-256: 82651bf42d3ec0d1e118d2c836e6e024f3cc0c09741e06264c7222ce3aab8cd3
libipa_hbac-devel-1.5.1-49.el5.x86_64.rpm SHA-256: 90b4b20b0e099d39f7448b42156397eddb8ea8f01112d6e90b53035ebe5edd9d
libipa_hbac-python-1.5.1-49.el5.x86_64.rpm SHA-256: bc4677dc2d6cd9cbe9840ec21d71588247273568b8699d862dfabd5867a2a4df
sssd-1.5.1-49.el5.x86_64.rpm SHA-256: 1b0b186f4e3bcef7337dfc0632a6a5de62ede6e7341a9b0d7d004863ee1d0676
sssd-client-1.5.1-49.el5.i386.rpm SHA-256: 452998c3ea8828e5ad66ccf5d949524c0e68d273b812024f171f5af78ec75f14
sssd-client-1.5.1-49.el5.x86_64.rpm SHA-256: c0b0e541adad024705af5e3bf5bfc900166965732c2c4992c3ea727a84e4c068
sssd-tools-1.5.1-49.el5.x86_64.rpm SHA-256: 4c62b40fa0f1937bd4b479beaca0fc3b44a25870fd8ecf7eac90cb8b6b2befea
i386
libipa_hbac-1.5.1-49.el5.i386.rpm SHA-256: fe00079f7f7f375fc0ae8d0e193f3d77771a50a06205b53f1f13c9b2f6b8ba68
libipa_hbac-devel-1.5.1-49.el5.i386.rpm SHA-256: 82651bf42d3ec0d1e118d2c836e6e024f3cc0c09741e06264c7222ce3aab8cd3
libipa_hbac-python-1.5.1-49.el5.i386.rpm SHA-256: 454c3deaf31e9cd02a2a8318dce9611cffa8144cab97235b241a79dbaffdba97
sssd-1.5.1-49.el5.i386.rpm SHA-256: c00e75a8022ee210eea03a379d6995f5426e1b62908c77cabd96db39df824034
sssd-client-1.5.1-49.el5.i386.rpm SHA-256: 452998c3ea8828e5ad66ccf5d949524c0e68d273b812024f171f5af78ec75f14
sssd-tools-1.5.1-49.el5.i386.rpm SHA-256: d56757b0cac04925ddb601bacf796e26b91d041e483a6ddbcdd06c2a6abbd309

Red Hat Enterprise Linux Desktop 5

SRPM
sssd-1.5.1-49.el5.src.rpm SHA-256: 91bfbfd99861d0546eacda71d2dc14ec160aaabb31e9a320cdf24c3ec4b8d6c3
x86_64
libipa_hbac-1.5.1-49.el5.i386.rpm SHA-256: fe00079f7f7f375fc0ae8d0e193f3d77771a50a06205b53f1f13c9b2f6b8ba68
libipa_hbac-1.5.1-49.el5.x86_64.rpm SHA-256: 119deb2b9bdb385b2cd6cc2eb2da8b303c353053d3ad739e6acaa242b8510c1f
libipa_hbac-devel-1.5.1-49.el5.i386.rpm SHA-256: 82651bf42d3ec0d1e118d2c836e6e024f3cc0c09741e06264c7222ce3aab8cd3
libipa_hbac-devel-1.5.1-49.el5.x86_64.rpm SHA-256: 90b4b20b0e099d39f7448b42156397eddb8ea8f01112d6e90b53035ebe5edd9d
libipa_hbac-python-1.5.1-49.el5.x86_64.rpm SHA-256: bc4677dc2d6cd9cbe9840ec21d71588247273568b8699d862dfabd5867a2a4df
sssd-1.5.1-49.el5.x86_64.rpm SHA-256: 1b0b186f4e3bcef7337dfc0632a6a5de62ede6e7341a9b0d7d004863ee1d0676
sssd-client-1.5.1-49.el5.i386.rpm SHA-256: 452998c3ea8828e5ad66ccf5d949524c0e68d273b812024f171f5af78ec75f14
sssd-client-1.5.1-49.el5.x86_64.rpm SHA-256: c0b0e541adad024705af5e3bf5bfc900166965732c2c4992c3ea727a84e4c068
sssd-tools-1.5.1-49.el5.x86_64.rpm SHA-256: 4c62b40fa0f1937bd4b479beaca0fc3b44a25870fd8ecf7eac90cb8b6b2befea
i386
libipa_hbac-1.5.1-49.el5.i386.rpm SHA-256: fe00079f7f7f375fc0ae8d0e193f3d77771a50a06205b53f1f13c9b2f6b8ba68
libipa_hbac-devel-1.5.1-49.el5.i386.rpm SHA-256: 82651bf42d3ec0d1e118d2c836e6e024f3cc0c09741e06264c7222ce3aab8cd3
libipa_hbac-python-1.5.1-49.el5.i386.rpm SHA-256: 454c3deaf31e9cd02a2a8318dce9611cffa8144cab97235b241a79dbaffdba97
sssd-1.5.1-49.el5.i386.rpm SHA-256: c00e75a8022ee210eea03a379d6995f5426e1b62908c77cabd96db39df824034
sssd-client-1.5.1-49.el5.i386.rpm SHA-256: 452998c3ea8828e5ad66ccf5d949524c0e68d273b812024f171f5af78ec75f14
sssd-tools-1.5.1-49.el5.i386.rpm SHA-256: d56757b0cac04925ddb601bacf796e26b91d041e483a6ddbcdd06c2a6abbd309

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
sssd-1.5.1-49.el5.src.rpm SHA-256: 91bfbfd99861d0546eacda71d2dc14ec160aaabb31e9a320cdf24c3ec4b8d6c3
s390x
libipa_hbac-1.5.1-49.el5.s390.rpm SHA-256: 67ab146a52d34601ec897e0e94163c2b652478dfa7ec2780e3dd20dce3612b26
libipa_hbac-1.5.1-49.el5.s390x.rpm SHA-256: 4c3c01ba4bbbb1c46998661d4c5a1e1939d97932d65cf2c03c9b20e50f6b5eaa
libipa_hbac-devel-1.5.1-49.el5.s390.rpm SHA-256: f5f7f208559d3b370cea2925714ae0e5ac824095d0db25ffa9d043e0814b7290
libipa_hbac-devel-1.5.1-49.el5.s390x.rpm SHA-256: ad67981be7a49ed159d619118e4cd5e1172da0daef092aa4333eaf39f40dc14f
libipa_hbac-python-1.5.1-49.el5.s390x.rpm SHA-256: 677a223dfa03663f8a69484e16699ebc99972929fb2ce7d7dae0f4ba9ad794f3
sssd-1.5.1-49.el5.s390x.rpm SHA-256: 4d90bae8b885ab2b4a329dd819b301161293dcf077ab4eafc8b292a389ab2685
sssd-client-1.5.1-49.el5.s390.rpm SHA-256: c531933dbcb8d9790b44a0da69338b3fe2f6d25d1d4417c2d3e8cf3063d6cbb1
sssd-client-1.5.1-49.el5.s390x.rpm SHA-256: 4cc94e3876f0ea8ed7b4f50f2ae56a933bb09f78befaba774b37533d606201a7
sssd-tools-1.5.1-49.el5.s390x.rpm SHA-256: 6c1618ce9c8575593de2ddcccf71f4a6b85904dacd0590ff128c524c112b111c

Red Hat Enterprise Linux for Power, big endian 5

SRPM
sssd-1.5.1-49.el5.src.rpm SHA-256: 91bfbfd99861d0546eacda71d2dc14ec160aaabb31e9a320cdf24c3ec4b8d6c3
ppc
libipa_hbac-1.5.1-49.el5.ppc.rpm SHA-256: 91681c8320998fee527ddcccc1e11435359a7c7cce69b6c4101531ec59c438f8
libipa_hbac-1.5.1-49.el5.ppc64.rpm SHA-256: 0316929e060f1f0828d01c90722db584a515c38feee32e7950220100a0c15173
libipa_hbac-devel-1.5.1-49.el5.ppc.rpm SHA-256: 802895df79447516f6d73a70a71d32d042fa3e2acd307f7a5ab98a2faa62b008
libipa_hbac-devel-1.5.1-49.el5.ppc64.rpm SHA-256: fdfa1eac3c2b57783896a01e5fc7eb707223d359e1d00e875462272532efbd62
libipa_hbac-python-1.5.1-49.el5.ppc.rpm SHA-256: cb9c29d8137891478cff3d2f37304dd8558895ef2dab162575e813425c1ae496
sssd-1.5.1-49.el5.ppc.rpm SHA-256: 570aa5bd20ad0eb39987a90a454da1cfa9b029cf058501ea004b61d5db82c386
sssd-client-1.5.1-49.el5.ppc.rpm SHA-256: 4e9da4cd1714757dcdfa2b735aea5bff69899bead043c8fbefd9cdd3611dcb59
sssd-client-1.5.1-49.el5.ppc64.rpm SHA-256: 97ddbdb229cb8087621ca204046e938bf529e52cb5fc668caeacba22fef47f91
sssd-tools-1.5.1-49.el5.ppc.rpm SHA-256: 19f85ebbbd0c57d8b81a990e755f733d8886e3dcc13ae957d909d5962b275a99

Red Hat Enterprise Linux Server from RHUI 5

SRPM
sssd-1.5.1-49.el5.src.rpm SHA-256: 91bfbfd99861d0546eacda71d2dc14ec160aaabb31e9a320cdf24c3ec4b8d6c3
x86_64
libipa_hbac-1.5.1-49.el5.i386.rpm SHA-256: fe00079f7f7f375fc0ae8d0e193f3d77771a50a06205b53f1f13c9b2f6b8ba68
libipa_hbac-1.5.1-49.el5.x86_64.rpm SHA-256: 119deb2b9bdb385b2cd6cc2eb2da8b303c353053d3ad739e6acaa242b8510c1f
libipa_hbac-devel-1.5.1-49.el5.i386.rpm SHA-256: 82651bf42d3ec0d1e118d2c836e6e024f3cc0c09741e06264c7222ce3aab8cd3
libipa_hbac-devel-1.5.1-49.el5.x86_64.rpm SHA-256: 90b4b20b0e099d39f7448b42156397eddb8ea8f01112d6e90b53035ebe5edd9d
libipa_hbac-python-1.5.1-49.el5.x86_64.rpm SHA-256: bc4677dc2d6cd9cbe9840ec21d71588247273568b8699d862dfabd5867a2a4df
sssd-1.5.1-49.el5.x86_64.rpm SHA-256: 1b0b186f4e3bcef7337dfc0632a6a5de62ede6e7341a9b0d7d004863ee1d0676
sssd-client-1.5.1-49.el5.i386.rpm SHA-256: 452998c3ea8828e5ad66ccf5d949524c0e68d273b812024f171f5af78ec75f14
sssd-client-1.5.1-49.el5.x86_64.rpm SHA-256: c0b0e541adad024705af5e3bf5bfc900166965732c2c4992c3ea727a84e4c068
sssd-tools-1.5.1-49.el5.x86_64.rpm SHA-256: 4c62b40fa0f1937bd4b479beaca0fc3b44a25870fd8ecf7eac90cb8b6b2befea
i386
libipa_hbac-1.5.1-49.el5.i386.rpm SHA-256: fe00079f7f7f375fc0ae8d0e193f3d77771a50a06205b53f1f13c9b2f6b8ba68
libipa_hbac-devel-1.5.1-49.el5.i386.rpm SHA-256: 82651bf42d3ec0d1e118d2c836e6e024f3cc0c09741e06264c7222ce3aab8cd3
libipa_hbac-python-1.5.1-49.el5.i386.rpm SHA-256: 454c3deaf31e9cd02a2a8318dce9611cffa8144cab97235b241a79dbaffdba97
sssd-1.5.1-49.el5.i386.rpm SHA-256: c00e75a8022ee210eea03a379d6995f5426e1b62908c77cabd96db39df824034
sssd-client-1.5.1-49.el5.i386.rpm SHA-256: 452998c3ea8828e5ad66ccf5d949524c0e68d273b812024f171f5af78ec75f14
sssd-tools-1.5.1-49.el5.i386.rpm SHA-256: d56757b0cac04925ddb601bacf796e26b91d041e483a6ddbcdd06c2a6abbd309

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.