sssd-1.16.4

@pbrezina pbrezina released this 16 Apr 09:01

SSSD 1.16.4

Highlights

New Features

  • The list of PAM services which are allowed to authenticate using a Smart Card is now configurable using a new option pam_p11_allowed_services. (#2926)
  • A new configuration option ad_gpo_implicit_deny was added. This option (when set to True) can be used to deny access to users even if there is no applicable GPO. Normally users are allowed access in this situation. (#3701)
  • The LDAP authentication provider now allows using a different method of changing LDAP passwords: a modify operation, in addition to the default extended operation. This is meant to support old LDAP servers that do not implement the extended operation. The password change using the modify operation can be selected with ldap_pwmodify_mode = "ldap_modify". (#1314)
  • The auto_private_groups configuration option now takes a new value, hybrid. This mode autogenerates private groups for user entries where the UID and GID have the same value and, at the same time, the GID value does not correspond to a real group entry in LDAP. (#3822)
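The following is an added example, not code from SSSD or this release. It embeds a constructed sssd.conf fragment that sets the options listed above, parses it with configparser, and models the auto_private_groups = hybrid rule over a few constructed user entries so the effect of the three modes (true, false, hybrid) is visible. The domain name, service list and the "+"/"-" prefix form used for pam_p11_allowed_services are assumptions for illustration.

```python
import configparser

# Constructed sssd.conf fragment (assumption: an AD-backed domain named
# example.com and a [pam] responder section). Not taken from the release.
SSSD_CONF = """
[sssd]
domains = example.com
services = nss, pam

[pam]
# assumed "+"/"-" list syntax: add sudo, drop login from the default set
pam_p11_allowed_services = +sudo, -login

[domain/example.com]
id_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_implicit_deny = True
auto_private_groups = hybrid
ldap_pwmodify_mode = ldap_modify
"""

# Constructed user entries (uid, gid) and the set of GIDs that exist as
# real group objects in the directory.
USERS = [
    {"name": "alice", "uid": 10001, "gid": 10001},  # uid == gid, 10001 is not a real group
    {"name": "bob", "uid": 10002, "gid": 10002},    # uid == gid, but 10002 IS a real group
    {"name": "carol", "uid": 10003, "gid": 5000},   # gid differs from uid
]
REAL_GROUP_GIDS = {5000, 10002}


def private_group_decision(mode, uid, gid, real_group_gids):
    """Return True when SSSD should synthesize a private group for the user.

    true   -> always synthesize (the user's UID doubles as the private GID)
    false  -> never synthesize; the LDAP GID is used as-is
    hybrid -> only when uid == gid AND that gid is not a real LDAP group
              (the rule the 1.16.4 notes give for the new value)
    """
    mode = mode.strip().lower()
    if mode == "true":
        return True
    if mode == "false":
        return False
    if mode == "hybrid":
        return uid == gid and gid not in real_group_gids
    raise ValueError(f"unknown auto_private_groups value: {mode!r}")


def load_domain_option(conf_text, domain, option, default):
    """Read one option from a [domain/<name>] section of an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get(f"domain/{domain}", option, fallback=default)


def users_with_private_groups(conf_text=SSSD_CONF, domain="example.com",
                              users=USERS, real_group_gids=REAL_GROUP_GIDS):
    """Names of users that get an auto-generated private group under the
    configured auto_private_groups mode."""
    mode = load_domain_option(conf_text, domain, "auto_private_groups", "false")
    return sorted(u["name"] for u in users
                  if private_group_decision(mode, u["uid"], u["gid"], real_group_gids))


if __name__ == "__main__":
    print("implicit deny:", load_domain_option(SSSD_CONF, "example.com", "ad_gpo_implicit_deny", "False"))
    print("pwmodify mode:", load_domain_option(SSSD_CONF, "example.com", "ldap_pwmodify_mode", "exop"))
    print("private groups for:", users_with_private_groups())
```

With the fragment above only alice gets a private group: bob's GID collides with a real group, so hybrid mode leaves his LDAP GID alone, and carol's GID differs from her UID. Switching the option to true would give all three a private group; false gives none.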

Security issues fixed

  • CVE-2019-3811: SSSD used to return "/" in case a user entry had no home directory. This was deemed a security issue because this flaw could impact services that restrict the user's filesystem access to within their home directory. An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc).
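To make the CVE-2019-3811 behaviour concrete, here is an added example (not SSSD code) that contrasts the old "/" substitution with the fixed behaviour over constructed LDAP entries, shows why a service that confines users to their home directory cared, and includes a small audit check over passwd-style lines that a defender can run against `getent passwd` output to spot users still reported with "/" as their home. All entries and names are constructed.

```python
# Constructed directory entries; the second has an empty homeDirectory and
# the third lacks the attribute entirely. Both are the case the CVE concerns.
LDAP_USERS = [
    {"uid": "alice", "uidNumber": 10001, "homeDirectory": "/home/alice"},
    {"uid": "svc-backup", "uidNumber": 10002, "homeDirectory": ""},
    {"uid": "svc-batch", "uidNumber": 10003},
]


def homedir_pre_1_16_4(entry):
    """Behaviour the advisory describes for older SSSD: a missing or empty
    home directory was reported as "/"."""
    return entry.get("homeDirectory") or "/"


def homedir_fixed(entry):
    """Fixed behaviour: an empty or missing home stays empty, so consumers
    see "no home directory" instead of the filesystem root."""
    return entry.get("homeDirectory") or ""


def passwd_line(entry, resolve_home):
    """Render the entry as a passwd(5)-style line using the given resolver."""
    uid = entry["uidNumber"]
    return f"{entry['uid']}:x:{uid}:{uid}::{resolve_home(entry)}:/bin/sh"


def confinement_root(home):
    """What a service that restricts a user to their home directory would
    confine them to. None means "refuse rather than confine to nothing",
    which is the behaviour an empty field is meant to trigger."""
    return home if home else None


def users_with_root_home(passwd_lines):
    """Audit check: names of non-root accounts whose home field is exactly "/".
    Feed it lines from `getent passwd` to look for the CVE-2019-3811 symptom."""
    hits = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 7:
            continue  # not a well-formed passwd line
        name, uid_str, home = fields[0], fields[2], fields[5]
        if uid_str != "0" and home == "/":
            hits.append(name)
    return hits


if __name__ == "__main__":
    for resolver in (homedir_pre_1_16_4, homedir_fixed):
        lines = [passwd_line(u, resolver) for u in LDAP_USERS]
        print(resolver.__name__, "->", users_with_root_home(lines))
```

Run against the old resolver the audit reports both service accounts, and a confining service would be handed "/" as their root; with the fixed resolver the audit is clean and confinement_root returns None, so the service sees the empty field it was designed to reject. Unix permissions and SELinux still limit what "/" grants, which is why the advisory calls the impact confined rather than total.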

Notable bug fixes

  • The IPA provider, in a setup with a trusted Active Directory domain, did not remove cached entries that were no longer present on the AD side. (#3984)
  • The Active Directory provider now fetches the user information from the LDAP port and switches to the Global Catalog port, if available, for the group membership lookup. This fixes an issue where some attributes which are not available in the Global Catalog, typically the home directory, would be removed from the user entry. (#2474)
  • The IPA SELinux provider now sets the user login context even if it is the same as the system default. This is important in case the user has a non-standard home directory, because then only adding the user to the SELinux database ensures the home directory will be labeled properly. However, this fix causes a performance hit during the first login as the context must be written into the semanage database.
  • The sudo responder did not honour the case_sensitive domain option. (#3820)
  • A memory leak when requesting netgroups repeatedly was fixed. (#3870)
  • An issue that caused SSSD to sometimes switch to offline mode in case not all domains in the forest ran the Global Catalog service was fixed. (#3902)
  • The SSH responder no longer fails completely if the p11_child times out when deriving SSH keys from a certificate. (#3937)
  • The negative cache was not reloaded after new sub domains were discovered, which could have led to a high SSSD load. (#3683)
  • The negative cache did not work properly in case a lookup fell back to trying a UPN instead of a name. (#3978)
  • If any of the SSSD responders was too busy, that responder would not refresh the trusted domain list. (#3967)
  • A potential crash due to a race condition between the fail over code refreshing a SRV lookup and the back end using its results was fixed. (#3976)
  • Sudo's runAsUser and runAsGroup attributes did not match properly when used in setups with domain_resolution_order.
  • Processing of the values from the filter_users or filter_groups options could trigger calls to blocking NSS API functions, which could in turn prevent the startup of SSSD services in case nsswitch.conf contained modules other than sss or files. (#3963)

See full release notes here.