=== SSSD 1.9.4 ===
The SSSD team is proud to announce the release of version 1.9.4 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
This is another bug-fix-only release of the 1.9 series. In addition to fixing functionality, this release also includes two security patches. With the release of 1.9.4, all the known regressions that were introduced during the 1.9 development are fixed. We are still tracking a couple of important bugs, though, mostly in the 1.9.5 milestone.
Our focus for the next couple of months will change from bug fixing only to both bug fixing and new feature development. The new features will be developed in the master branch, which will later become 1.10, and only backported to 1.9 as appropriate.
RPM packages will be made available for Fedora shortly, initially for F-18 and rawhide and later also backported to F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focused mainly on fixing regressions compared to the 1.8 series and bugfixes for features introduced in the 1.9 release cycle
* A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions when creating or removing home directories for users in local domain
* A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads in autofs and ssh responder
* A serious memory leak in the NSS responder was fixed
* The sssd_pam responder processes pending requests after reconnect
* Requests that were processing group entries with DNs pointing out of any configured search bases were not terminated correctly, causing long timeouts
* Kerberos tickets are correctly renewed even after SSSD daemon restart
* The autofs LDAP provider correctly updates entries that changed mount options on the LDAP server
* Secondary groups are now reported correctly for a user coming from a trusted Active Directory server
* Kerberos principal selection was fixed to behave correctly when accessing an Active Directory server
* Multiple fixes related to SUDO integration, in particular fixing functionality when the sssd back end process was changing its online/offline status
* The pwd_exp_warning option was fixed to function as documented in the manual page
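The CVE-2013-0219 fix is described in the changelog as switching the home-directory removal in the tools to openat/unlinkat. The following is an added illustration of that technique, not SSSD's own code: every step below the top-level open works on a directory file descriptor plus a relative name, so a path component replaced by a symlink between the check and the removal is never followed. It assumes a writable /tmp; the function names and the fixture are constructed for the example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Delete everything below an open directory fd. Each step pairs the fd with a
 * relative name (openat/unlinkat) instead of re-resolving a full path, so an
 * entry swapped for a symlink between check and use is not followed: O_NOFOLLOW
 * makes openat fail on a symlink, and unlinkat then removes the link itself. */
static int remove_tree_fd(int dirfd)
{
    DIR *d = fdopendir(dirfd);              /* takes ownership of dirfd */
    if (d == NULL) { close(dirfd); return -1; }
    struct dirent *e; int ret = 0;
    while (ret == 0 && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        int sub = openat(dirfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (sub >= 0) {                     /* real subdirectory: empty it, then remove it */
            if (remove_tree_fd(sub) != 0 || unlinkat(dirfd, e->d_name, AT_REMOVEDIR) != 0) ret = -1;
        } else if (unlinkat(dirfd, e->d_name, 0) != 0) {   /* plain file or symlink */
            ret = -1;
        }
    }
    closedir(d);                            /* also closes dirfd */
    return ret;
}
/* Remove a home directory: the initial open refuses a symlink, and rmdir never follows one. */
int remove_homedir(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0 || remove_tree_fd(fd) != 0) return -1;
    return rmdir(path);
}
/* Constructed self-check (hypothetical fixture): a temporary home with a file in a
 * subdirectory and a symlink to a directory outside it. Returns 0 only if the home
 * is gone while the directory the symlink pointed at still exists. */
int demo(void)
{
    char outside[] = "/tmp/outside_XXXXXX", home[] = "/tmp/home_XXXXXX", p[256];
    if (mkdtemp(outside) == NULL || mkdtemp(home) == NULL) return -1;
    snprintf(p, sizeof p, "%s/sub", home); if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/sub/file", home); close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/link", home); if (symlink(outside, p) != 0) return -1;
    int ok = remove_homedir(home) == 0 && access(home, F_OK) != 0 && access(outside, F_OK) == 0;
    rmdir(outside);                         /* clean up the constructed fixture */
    return ok ? 0 : -2;
}
```

Compared with a path-based `rm -rf`-style walk, the symlink planted in the home directory is unlinked as a link and its target directory is left untouched.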
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1564 pam_sss(crond:account): Request to sssd failed. Timer expired
https://fedorahosted.org/sssd/ticket/1592 always reread the master map from LDAP
https://fedorahosted.org/sssd/ticket/1620 sss_cache: fqdn not accepted
https://fedorahosted.org/sssd/ticket/1624 sudoUser group and netgroup specifications don't work
https://fedorahosted.org/sssd/ticket/1626 sssd caching not working as expected for selinux usermap contexts
https://fedorahosted.org/sssd/ticket/1635 investigate the behaviour of ldap_sasl_authid in 1.9.x
https://fedorahosted.org/sssd/ticket/1655 Login fails - sssd_be module polling fd indefinitely and gets killed
https://fedorahosted.org/sssd/ticket/1659 sss_userdel doesn't remove entries from in-memory cache
https://fedorahosted.org/sssd/ticket/1666 IPA Trust does not show secondary groups for AD Users for commands like id and getent
https://fedorahosted.org/sssd/ticket/1672 Error in PAC responder
https://fedorahosted.org/sssd/ticket/1677 memberUid required for primary groups to match sudo rule
https://fedorahosted.org/sssd/ticket/1679 Primary server status is not always reset after failover to backup server happened
https://fedorahosted.org/sssd/ticket/1680 krb5_kpasswd failover doesn't work
https://fedorahosted.org/sssd/ticket/1682 Offline sudo denies access with expired entry_cache_timeout
https://fedorahosted.org/sssd/ticket/1685 Negative cache timeout is not working for proxy provider
https://fedorahosted.org/sssd/ticket/1687 Disallow root SSH public key authentication
https://fedorahosted.org/sssd/ticket/1689 sudo: if first full refresh fails, schedule another first full refresh
https://fedorahosted.org/sssd/ticket/1690 Option ldap_sudo_include_regexp named incorrectly
https://fedorahosted.org/sssd/ticket/1694 Incorrect synchronization in mmap cache
https://fedorahosted.org/sssd/ticket/1699 ldap_chpass_uri failover fails on using same hostname
https://fedorahosted.org/sssd/ticket/1701 sudo denies access with disabled ldap_sudo_use_host_filter
https://fedorahosted.org/sssd/ticket/1702 sssd_nss crashes during enumeration
https://fedorahosted.org/sssd/ticket/1703 Wrong variable check in the memberof plugin
https://fedorahosted.org/sssd/ticket/1704 Wrong error handler in sss_mc_create_file
https://fedorahosted.org/sssd/ticket/1706 segfault in async_resolv.c
https://fedorahosted.org/sssd/ticket/1708 sssd components seem to mishandle sighup
https://fedorahosted.org/sssd/ticket/1710 man sssd-sudo has wrong title
https://fedorahosted.org/sssd/ticket/1714 user id lookup fails for case sensitive users using proxy provider
https://fedorahosted.org/sssd/ticket/1716 Make functions manipulating with mmap cache more defensive
https://fedorahosted.org/sssd/ticket/1717 Limit requests coalescing in time
https://fedorahosted.org/sssd/ticket/1722 crash in memory cache
https://fedorahosted.org/sssd/ticket/1724 Explicit null dereferenced
https://fedorahosted.org/sssd/ticket/1727 AD provider: getgrgid removes nested group memberships
https://fedorahosted.org/sssd/ticket/1728 Failure in memberof can lead to failed database update
https://fedorahosted.org/sssd/ticket/1730 Memory leak in new memcache initgr cleanup function
https://fedorahosted.org/sssd/ticket/1731 krb5 ticket renewal does not read the renewable tickets from cache
https://fedorahosted.org/sssd/ticket/1732 clarify the disadvantages of enumeration in sssd.conf
https://fedorahosted.org/sssd/ticket/1735 Failover to krb5_backup_kpasswd doesn't work
https://fedorahosted.org/sssd/ticket/1736 Smart refresh doesn't notice "defaults" addition with OpenLDAP
https://fedorahosted.org/sssd/ticket/1740 Incorrect principal searched for in keytab
https://fedorahosted.org/sssd/ticket/1754 wrong filter for autofs maps in sss_cache
https://fedorahosted.org/sssd/ticket/1757 memory cache is not updated after user is deleted from ldb cache
https://fedorahosted.org/sssd/ticket/1758 sssd fails to update to changes on autofs maps
https://fedorahosted.org/sssd/ticket/1760 Failover to ldap_chpass_backup_uri doesn't work
https://fedorahosted.org/sssd/ticket/1761 sssd_be crashes looking up members with groups outside the nesting limit
https://fedorahosted.org/sssd/ticket/1764 Modifications using sss_usermod tool are not reflected in memory cache
https://fedorahosted.org/sssd/ticket/1770 ipa-client-automount: autofs failed in s390x and ppc64 platform
https://fedorahosted.org/sssd/ticket/1773 SSSD should warn when pam_pwd_expiration_warning value is higher than passwordWarning LDAP attribute.
https://fedorahosted.org/sssd/ticket/1775 local provider: All member users are not returned on looking up top level parent group.
https://fedorahosted.org/sssd/ticket/1779 Rule mismatch isn't noticed before smart refresh on ppc64 and s390x
https://fedorahosted.org/sssd/ticket/1781 sssd: Out-of-bounds read flaws in autofs and ssh services responders
https://fedorahosted.org/sssd/ticket/1782 TOCTOU race conditions by copying and removing directory trees
https://fedorahosted.org/sssd/ticket/1783 Group lookup fails and takes ~60s to return to shell if member dn is incorrect
https://fedorahosted.org/sssd/ticket/1787 reset the release in upstream spec before releasing 1.9.4
== Detailed Changelog ==
Jakub Hrozek (47):
* Updating the version for the 1.9.4 release
* SUDO: strdup the input variable
* PAC: check the return value of diff_git_lists
* SYSDB: Move misplaced assignment
* LDAP: remove dead assignment
* MEMBEROF: Fix copy-n-paste error
* NSS: Fix the error handler in sss_mc_create_file
* SYSDB: More debugging during the conversion to ghost users
* MAN: Fix the title of sssd-sudo
* MEMBEROF: silence compilation warnings
* Set cloexec flag for log files
* RESOLV: Do not steal the resulting hostent on error
* SYSDB: fix copy-n-paste error
* SYSDB: Add API to invalidate all map objects
* DP: invalidate all cached maps if a request for auto.master comes in
* AUTOFS: allow removing entries from hash table
* AUTOFS: remove all maps from hash if request for auto.master comes in
* RESPONDERS: Create a common file with service names and versions
* AUTOFS: Clear enum cache if a request comes in from the sss_cache
* Add responder_sbus.h to noinst_HEADERS
* Free resources if fileno failed
* Search for SHORTNAME$@REALM instead of fqdn$@REALM by default
* Potential resource leak in sss_nss_mc_get_record
* SYSDB: Remove duplicate selinux defines
* SYSDB: Split a function to read all SELinux maps
* SELINUX: Process maps even when offline
* IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAP
* AD: replace GID/UID, do not add another one
* AD: Add user as a direct member of his primary group
* TOOLS: move memcache related functions to tools_mc_utils.c
* TOOLS: Split querying nss responder into a separate function
* TOOLS: Provide a convenience function to refresh a list of groups
* TOOLS: Refresh memcache after changes to local users and groups
* LDAP: avoid complex realloc logic in save_rfc2307bis_group_memberships
* autofs: Use SAFEALIGN_SET_UINT32 instead of SAFEALIGN_COPY_UINT32
* NSS: invalidate memcache user entry on initgr, too
* Invalidate user entry even if there are no groups
* LDAP: Compare lists of DNs when saving autofs entries
* TOOLS: invalidate parent groups in memory cache, too
* Convert the value of pwd_exp_warning to seconds
* TOOLS: Use openat/unlinkat when removing the homedir
* TOOLS: Use file descriptor to avoid races when creating a home directory
* SYSDB: make the sss_ldb_modify_permissive function public
* SYSDB: Expire group if adding ghost users fails with EEXIST
* MAN: Clarify that saving users after enumerating large domain might be CPU intensive
* TOOLS: Compile on old platforms such as RHEL5
* Updating the translations for the 1.9.4 release

Jan Cholasta (2):
* SSH: Reject requests for authorized keys of root
* Check that strings do not go beyond the end of the packet body in autofs and SSH requests.

Michal Zidek (4):
* sssd_nss: Remove entries from memory cache if not found in sysdb
* tools: sss_userdel and groupdel remove entries from memory cache
* sss_cache: fqdn not accepted
* sss_userdel and sss_groupdel with use_fully_qualified_names

Ondrej Kos (4):
* PROXY: fix negative cache
* PROXY: fix groups caching
* LDAP: initialize refresh function handler
* SYSDB: Modify ghosts in permissive mode

Pavel Březina (22):
* sudo manpage: clarify that sudoHost may contain wildcards and not regular expression
* let krb5_kpasswd failover work
* sudo: don't get stuck in rules and smart refresh when offline
* sysdb_get_sudo_user_info() initialize attrs on declaration
* sudo: include primary group in user group list
* sudo: support generalized time format
* let ldap_chpass_uri failover work when using same hostname
* try primary server after retry_timeout + 1 seconds when switching to backup
* add sdap_sudo_schedule_refresh()
* check dp error in sdap_sudo_full_refresh_done()
* sudo: schedule another full refresh in short interval if the first fails
* sudo: do full refresh when data provider is back online
* let krb5_backup_kpasswd failover work
* memcache: add macro that validates record length
* explicit null dereferenced in sss_nss_mc_get_record()
* memcache: make MC_PTR_TO_SLOT() more readable
* sudo smart refresh: do not include usn in filter if no valid usn is known
* sudo smart refresh: fix debug message
* let ldap_backup_chpass_uri work
* fix backend callbacks: remove callback properly from dlist
* sudo responder: change num_rules type from size_t to uint32_t
* nested groups: fix group lookup hangs if member dn is incorrect

Simo Sorce (12):
* Add a macro to copy with barriers
* Allow mmap calls to gracefully return absent ctx
* sssd_pam: Cleanup requests cache on sbus reconnect
* responder_dp: Add timeout to side requests
* memberof: Prevent unneeded failure case
* sssd_nss: Plug memory leaks
* nss_mc: Add extra checks when dereferencing records
* Update free table when records are invalidated.
* Carefully check records when forcibly invalidating
* mmap cache: invalidate cache on fatal error
* Remove unused header
* Fix invalidating autofs maps

Sumit Bose (18):
* select_principal_from_keytab() look for plain input as well
* select_principal_from_keytab() do wildcard lookups after specific ones
* Fix a 'shadows a global declaration' warning
* Add default section to switch statement
* krb5 tgt renewal: fix usage of ldb_dn_get_component_val()
* Use struct pac_grp instead of gid_t for groups from PAC
* Add find_domain_by_id()
* IDMAP: add sss_idmap_smb_sid_to_unix()
* Update domain ID for local domain as well
* Always get user data from PAC
* Save domain and GID for groups from the configured domain
* Remote groups do not have an original DN attribute
* Read remote groups from PAC
* Translate LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS to EEXIST
* Use hash table to collect GIDs from PAC to avoid dups
* Add tests for get_gids_from_pac()
* PAC responder: check if existing user differs
* Refactor gid handling in the PAC responder