Releases: SSSD/sssd

sssd-2.3.0

19 May 11:21
sssd-2_3_0

SSSD 2.3.0

Highlights

New features

  • SSSD can now handle hosts and networks nsswitch databases (see resolver_provider option)
  • By default, an authentication request only refreshes the user's initgroups if they are expired or there is no active user session (see pam_initgroups_scheme option)
  • OpenSSL is used as default crypto provider, NSS is deprecated
  • Active Directory provider now defaults to GSS-SPNEGO SASL mechanism (see ldap_sasl_mech option)
  • Active Directory provider can now be configured to use only ldaps port (see ad_use_ldaps option)
  • SSSD now accepts host entries from GPO's security filter
  • The format of debug messages has changed to be shorter and easier to sort
  • New debug level (0x10000) was added for low level ldb messages only (see sssd.conf man page)

Packaging changes

  • New configure option --enable-gss-spnego-for-zero-maxssf

Documentation Changes

  • Default value of ldap_sasl_mech has changed to GSS-SPNEGO for AD provider
  • Return codes of pam_sss.so are documented in the pam_sss man page
  • Added option ad_update_samba_machine_account_password
  • Added option ad_use_ldaps
  • Added option ldap_iphost_object_class
  • Added option ldap_iphost_name
  • Added option ldap_iphost_number
  • Added option ldap_ipnetwork_object_class
  • Added option ldap_ipnetwork_name
  • Added option ldap_ipnetwork_number
  • Added option ldap_iphost_search_base
  • Added option ldap_ipnetwork_search_base
  • Added option ldap_connection_expire_offset
  • Added option ldap_sasl_maxssf
  • Added option pam_initgroups_scheme
  • Added option entry_cache_resolver_timeout
  • Added option entry_cache_computer_timeout
  • Added option resolver_provider
  • Added option proxy_resolver_lib_name
  • Minor text improvements

See full release notes here.

sssd-1.16.5

16 Apr 09:01
sssd-1_16_5

SSSD 1.16.5

Highlights

New Features

  • New option ad_gpo_ignore_unreadable was added that allows SSSD to ignore unreadable GPO containers in AD.
  • It is possible to configure auto_private_groups per subdomain or with subdomain_inherit.

Security issues fixed

  • A flaw was found in the sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to overly strict permission settings on the server side, SSSD will allow all authenticated users to log in instead of denying access. (CVE-2018-16838)
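The GPO and AD transport options named in these release notes (ad_gpo_ignore_unreadable, ad_gpo_implicit_deny, ad_use_ldaps, ldap_sasl_mech) can be reviewed mechanically. The following is an added example, not SSSD project code: `audit_sssd_conf` and the sample configuration are constructed for illustration, and it assumes GPO checks are only relevant for domains with `access_provider = ad`.

```python
import configparser

# Constructed sample sssd.conf; domain names and values are illustrative only.
SAMPLE_CONF = """
[sssd]
domains = corp.example, lab.example, files.example

[domain/corp.example]
id_provider = ad
access_provider = ad
ad_gpo_ignore_unreadable = True
ldap_sasl_mech = GSSAPI

[domain/lab.example]
id_provider = ad
access_provider = ad
ad_gpo_implicit_deny = True
ad_use_ldaps = True

[domain/files.example]
id_provider = files
"""


def audit_sssd_conf(text):
    """Return (domain, option, note) tuples for AD domains that need review."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []

    for name in parser.sections():
        if not name.startswith("domain/"):
            continue
        sec = parser[name]
        domain = name.split("/", 1)[1]
        if sec.get("id_provider", "").strip().lower() != "ad":
            continue  # the options checked below belong to the AD provider

        def flag(option):
            # Unset booleans count as False. An unparsable value is reported
            # and returned as None so it is never mistaken for a setting.
            try:
                return sec.getboolean(option, fallback=False)
            except ValueError:
                findings.append((domain, option, "value is not a boolean"))
                return None

        # Assumption: GPO evaluation only matters under the AD access provider.
        if sec.get("access_provider", "").strip().lower() == "ad":
            if flag("ad_gpo_implicit_deny") is False:
                findings.append((domain, "ad_gpo_implicit_deny",
                                 "users with no applicable GPO are allowed"))
            if flag("ad_gpo_ignore_unreadable") is True:
                findings.append((domain, "ad_gpo_ignore_unreadable",
                                 "unreadable GPO containers are skipped; confirm "
                                 "they are unrelated to access control"))

        if flag("ad_use_ldaps") is False:
            findings.append((domain, "ad_use_ldaps",
                             "LDAPS-only mode is not enabled"))

        mech = sec.get("ldap_sasl_mech")
        if mech is not None and mech.strip().upper() != "GSS-SPNEGO":
            findings.append((domain, "ldap_sasl_mech",
                             "explicit value overrides the 2.3.0 AD default "
                             "GSS-SPNEGO"))
    return findings


if __name__ == "__main__":
    for domain, option, note in audit_sssd_conf(SAMPLE_CONF):
        print(f"{domain}: {option}: {note}")
```
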

Notable bug fixes

  • Multiple URI specified in ldap_uri did not work properly if they differed only in port number.
  • Several issues with SUDO rules processing have been fixed.
  • SSSD sometimes incorrectly started in offline mode. This was fixed.
  • Issue with missing nested groups after add/remove operation on the server was fixed.
  • A use-after-free error causing SSSD service to crash was fixed.

See full release notes here.

sssd-2.2.3

16 Apr 09:01
sssd-2_2_3

SSSD 2.2.3

Highlights

New features

  • allow_missing_name now treats empty strings the same as missing names.
  • 'soft_ocsp' and 'soft_crl' options have been added to make the checks for revoked certificates more flexible if the system is offline.
  • Smart card authentication in polkit is now allowed by default.
  • ssh_use_certificate_matching_rules now allows no_rules and all_rules values (see man page for description).

Notable bug fixes

  • Fixed several memory management errors that caused SSSD to crash under some circumstances.
  • Handling of FreeIPA users and groups containing '@' sign now works.
  • Issue when autofs was unable to mount shares was fixed.
  • SSSD was unable to handle ldap_uri containing URIs with different port numbers. This was fixed.

Packaging Changes

  • Added sssd-ldap-attributes man page.

Documentation Changes

  • Added new sssd-ldap-attributes man page.
  • Added option monitor_resolv_conf.
  • Added option ssh_use_certificate_matching_rules
  • Improved AD GPO options man page.
  • Improved sssd-systemtap man page.

See full release notes here.

sssd-2.2.2

16 Apr 09:01
sssd-2_2_2

SSSD 2.2.2

Highlights

New features

None

Notable bug fixes

  • Removing domain from ad_enabled_domain was not reflected in SSSD's cache. This has been fixed.
  • Because of a race condition SSSD could crash during shutdown. The race condition was fixed.
  • Fixed a bug that limited number of external groups fetched by SSSD to 2000.
  • pam_sss now properly creates gnome keyring during login.
  • SSSD with KCM could wrongly pick older ccache instead of the latest one after login. This was fixed.

Packaging Changes

None

Documentation Changes

None

See full release notes here.

sssd-2.2.1

16 Apr 09:01
sssd-2_2_1

SSSD 2.2.1

Highlights

New features

  • New options were added which allow sssd-kcm to handle bigger data. See manual pages for max_ccaches, max_uid_ccaches and max_ccache_size.
  • SSSD can now automatically refresh cached user data from subdomains in IPA/AD trust.

Notable bug fixes

  • Fixed issue with SSSD hanging when connecting to non-responsive server with ldaps://
  • SSSD is now restarted by systemd after crashes.
  • Fixed a regression where DNS records were not updated at all when dyndns_update was set to True and dyndns_refresh_interval was not set or was set to 0.
  • Fixed issue when default_domain_suffix was used with id_provider = files and caused all results from files domain to be fully qualified.
  • Fixed issue with sudo rules not being visible on OpenLDAP servers
  • Fixed crash with auth_provider = proxy that prevented logins

Packaging Changes

None

Documentation Changes

  • A new option dns_resolver_server_timeout was added
  • A new option max_ccaches was added
  • A new option max_uid_ccaches was added
  • A new option max_ccache_size was added
  • A new option ocsp_dgst was added

See full release notes here.

sssd-2.2.0

16 Apr 09:01

SSSD 2.2.0

Highlights

New features

  • The Kerberos provider (and composite authentication providers based on it, like AD or IPA) can now include more KDC addresses or host names when writing data for the Kerberos locator plugin (see sssd_krb5_locator_plugin(8)). This means that Kerberos client applications, such as kinit, would be able to switch between multiple KDC servers discovered by SSSD. Please see the description of the option krb5_kdcinfo_lookahead in the sssd-krb5(5) manual page for more information or refer to the design page (#3973, #3974, #3975)
  • The 2FA prompting can now be configured. The administrator can set custom prompts for first or second factor or select a single prompt for both factors. This can be configured per-service. Please see the section called "Prompting configuration" in the sssd.conf(5) manual page for more details or refer to the design page (#3264).
  • The LDAP authentication provider now allows using a different method of changing LDAP passwords, a modify operation, in addition to the default extended operation. This is meant to support old LDAP servers that do not implement the extended operation. The password change using the modification operation can be selected with ldap_pwmodify_mode = "ldap_modify". More information can also be found in the design page (#1314)
  • The auto_private_groups configuration option now takes a new value hybrid. This mode autogenerates private groups for user entries where the UID and GID values have the same value and at the same time the GID value does not correspond to a real group entry in LDAP (#3822)
  • A new option ad_gpo_ignore_unreadable was added. This option, which defaults to false, can be used to ignore group policy containers in AD with unreadable or missing attributes. This is for the case when server contains GPOs that have very strict permissions on their attributes in AD but are unrelated to access control (#3867)
  • The cached_auth_timeout parameter is now inherited by trusted domains (#3960). The pre-authentication request is now cached as well when this option is in effect (#3960)
  • The ldap_sasl_mech option now accepts another mechanism GSS-SPNEGO in addition to GSSAPI. Using SPNEGO might be preferable with newer Active Directory servers especially with hardened configurations. SSSD might switch to using SPNEGO by default in a future release (#4006)
  • The sssctl tool has two new commands cert-show and cert-map which can help in troubleshooting Smart-Card and in general user certificate related issues

Notable bug fixes

  • A potential race condition between SSSD receiving a notification to try switching to online mode and the network being actually reachable is now handled better. SSSD now tries to go online three times with an increasing delay between online checks up to 4s (#3467).
  • A potential deadlock in user resolution when the IPA provider fetches the keytab used to authenticate to a trusted AD domain was fixed (#3992)
  • When checking if objects that cannot be looked up exist locally and thus should be added to a negative cache with a longer negative TTL (see local_negative_timeout in sssd.conf(5)), the blocking NSS API is no longer used. The blocking calls might have caused a timeout, especially during SSSD startup (#3963)
  • Some cache attributes used by the Kerberos ticket renewal code are now indexed, which speeds up the cache searches which might have otherwise caused SSSD to appear blocked and killed by the internal watchdog (#3968)
  • Cached objects from an Active Directory domain trusted by an IPA domain that no longer exist on the server are now properly removed from the cache (#3984)
  • The sudoRunAsUser/Group now work correctly with an IPA configuration that also uses the domain_resolution_order, either set locally or centrally (#3957)
  • Certificates that are completely missing the Key Usage (KU) certificate extension are now handled gracefully (rhbz#1660899)
  • The sudo smart refresh (see man sssd-sudo) now correctly uses the highest USN number, which results in more efficient queries (#3997)
  • The pam_sss module now returns PAM_USER_UNKNOWN if the PAM socket is missing completely. This could have been the case if SSSD is running with the files domain only and a user resolved by a completely different PAM module logs in (#3988)
  • Netgroups lookups now honor the midpoint refresh interval set by cache_refresh_percent (#3947)
  • The list of users or groups from the filter_users/filter_groups lists which will be negatively cached, avoiding lookups of those entries, are now correctly evaluated for domains that are discovered after sssd had started (#3983). These lists can also now include UPNs (#3978)
  • The IPA access provider no longer fails if the configuration file completely disables dereference by setting ldap_deref_threshold=0 (#3979)
  • The sss_cache tool does not print loud warnings in case the sssd cache cannot be written to; typically this was occurring when /var was mounted read-only during an rpm-ostree update.
  • The command line tools such as sssctl can now operate on the implicit files domain (#3769)
  • The files and proxy provider no longer crash on receiving a request to go online, which they don't implement (#4014)
  • A potential crash in the online check callback was fixed (#3990)
  • The winbind ID-mapping plugin now works with recent Samba releases again (#4005)

Packaging Changes

None

Documentation Changes

  • A new option ad_gpo_ignore_unreadable was added
  • A new option krb5_kdcinfo_lookahead was added
  • A new option ldap_pwmodify_mode was added
  • The option ldap_sasl_mech now accepts a new value GSS-SPNEGO
  • The option auto_private_groups now accepts a new value hybrid
  • Multi-factor prompting can now be configured in a separate section called [prompting]

See full release notes here.

sssd-1.16.4

16 Apr 09:01

SSSD 1.16.4

Highlights

New Features

  • The list of PAM services which are allowed to authenticate using a Smart Card is now configurable using a new option pam_p11_allowed_services. (#2926)
  • A new configuration option ad_gpo_implicit_deny was added. This option (when set to True) can be used to deny access to users even if there is no applicable GPO. Normally users are allowed access in this situation. (#3701)
  • The LDAP authentication provider now allows using a different method of changing LDAP passwords, a modify operation, in addition to the default extended operation. This is meant to support old LDAP servers that do not implement the extended operation. The password change using the modification operation can be selected with ldap_pwmodify_mode = "ldap_modify" (#1314)
  • The auto_private_groups configuration option now takes a new value hybrid. This mode autogenerates private groups for user entries where the UID and GID values have the same value and at the same time the GID value does not correspond to a real group entry in LDAP (#3822)

Security issues fixed

  • CVE-2019-3811: SSSD used to return "/" in case a user entry had no home directory. This was deemed a security issue because this flaw could impact services that restrict the user's filesystem access to within their home directory. An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc).
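To see which accounts the CVE-2019-3811 behaviour would affect on a host, the resolved passwd entries can be scanned for home directories that are empty or that normalise to "/". This is an added example, not SSSD project code: `classify_home`, `audit_passwd` and the sample entries are constructed for illustration, and the input is assumed to be in passwd(5) format (for instance saved `getent passwd` output).

```python
import posixpath

# Constructed sample entries in passwd(5) format; names and IDs are illustrative.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice@corp.example:*:1240001104:1240000513:Alice:/home/corp.example/alice:/bin/bash
svc-backup@corp.example:*:1240001177:1240000513:Backup:/:/sbin/nologin
bob@corp.example:*:1240001190:1240000513:Bob::/bin/bash
carol@corp.example:*:1240001201:1240000513:Carol://:/bin/bash
broken-line-without-fields
"""


def classify_home(home):
    """Classify a home directory field as 'empty', 'relative', 'root' or 'ok'."""
    if home == "":
        return "empty"
    if not home.startswith("/"):
        return "relative"
    # normpath collapses "/." and "/.." to "/", but POSIX keeps a leading "//",
    # so strip slashes before comparing instead of testing for "/" directly.
    if posixpath.normpath(home).strip("/") == "":
        return "root"
    return "ok"


def audit_passwd(text):
    """Group non-root accounts by home directory problem.

    'root' lists accounts whose home is the filesystem root: a service that
    confines users to their home directory would give them the whole tree.
    'empty' lists accounts with no home directory at all.
    """
    report = {"root": [], "empty": [], "relative": [], "malformed": []}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            report["malformed"].append(line)
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if uid == 0:
            continue  # uid 0 is not confined by a home directory restriction
        kind = classify_home(home)
        if kind != "ok":
            report[kind].append(name)
    return report


if __name__ == "__main__":
    for kind, names in audit_passwd(SAMPLE_PASSWD).items():
        print(kind, names)
```
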

Notable bug fixes

  • The IPA provider, in a setup with a trusted Active Directory domain, did not remove cached entries that were no longer present on the AD side (#3984)
  • The Active Directory provider now fetches the user information from the LDAP port and switches to using the Global Catalog port, if available, for the group membership. This fixes an issue where some attributes which are not available in the Global Catalog, typically the home directory, would be removed from the user entry. (#2474)
  • The IPA SELinux provider now sets the user login context even if it is the same as the system default. This is important in case the user has a non-standard home directory, because then only adding the user to the SELinux database ensures the home directory will be labeled properly. However, this fix causes a performance hit during the first login as the context must be written into the semanage database.
  • The sudo responder did not reflect the case_sensitive domain option (#3820)
  • A memory leak when requesting netgroups repeatedly was fixed (#3870)
  • An issue that caused SSSD to sometimes switch to offline mode in case not all domains in the forest ran the Global Catalog service was fixed (#3902)
  • The SSH responder no longer fails completely if the p11_child times out when deriving SSH keys from a certificate (#3937)
  • The negative cache was not reloaded after new subdomains were discovered, which could have led to a high SSSD load (#3683)
  • The negative cache did not work properly in case a lookup fell back to trying a UPN instead of a name (#3978)
  • If any of the SSSD responders was too busy, that responder wouldn't have refreshed the trusted domain list (#3967)
  • A potential crash due to a race condition between the failover code refreshing a SRV lookup and the back end using its results was fixed (#3976)
  • Sudo's runAsUser and runAsGroup attributes did not match properly when used in setups with domain_resolution_order
  • Processing of the values from the filter_users or filter_groups options could trigger calls to blocking NSS API functions which could in turn prevent the startup of SSSD services in case nsswitch.conf contained other modules than sss or files (#3963)

See full release notes here.

sssd-2.1.0

16 Apr 09:01

SSSD 2.1.0

Highlights

New features

  • Any provider can now match and map certificates to user identities. This feature makes it possible to log in with a smart card without having to store the full certificate blob in the directory or in user overrides. Please see the design page for more information (#3500)
  • pam_sss can now be configured to only perform Smart Card authentication or return an error if this is not possible.
  • pam_sss can also prompt the user to insert a Smart Card if it is not available during authentication. SSSD would then wait for the card until it is inserted or until the timeout defined by p11_wait_for_card_timeout passes.
  • The device or reader used for Smart Card authentication can now be selected or restricted using a PKCS#11 URI (see RFC-7512) specified in the p11_uri option.
  • Multiple certificates are now supported for Smart Card authentication even if SSSD is built with OpenSSL
  • OCSP checks were added to the OpenSSL version of certificate authentication
  • A new option crl_file can be used to select a Certificate Revocation List (CRL) file to be used during verification of a certificate for Smart Card authentication.
  • Certificates with Elliptic Curve keys are now supported (#3887)
  • It is now possible to refresh the KCM configuration without restarting the whole SSSD daemon, just by modifying the [kcm] section of sssd.conf and running systemctl restart sssd-kcm.service.
  • A new configuration option ad_gpo_implicit_deny was added. This option (when set to True) can be used to deny access to users even if there is no applicable GPO. Normally users are allowed access in this situation. (#3701)
  • The dynamic DNS update can now batch DNS updates to include all address family updates in a single transaction to reduce replication traffic in complex environments (#3829)
  • Configuration file snippets can now be used even when the main sssd.conf file does not exist. This is mostly useful to configure e.g. the KCM responder, the implicit files provider or the session recording with setups that have no explicit domain (#3439)
  • The sssctl user-checks tool can now display extra attributes set with the InfoPipe user_attributes configuration option (#3866)

Security issues fixed

  • CVE-2019-3811: SSSD used to return "/" in case a user entry had no home directory. This was deemed a security issue because this flaw could impact services that restrict the user's filesystem access to within their home directory. An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc).

Notable bug fixes

  • Many fixes for the internal "sbus" IPC that was rewritten in the 2.0 release including crash on reconnection (#3821), a memory leak (#3810), a proxy provider startup crash (#3812), sudo responder crash (#3854), proxy provider authentication (#3892), accessing the extraAttributes InfoPipe property (#3906) or a potential startup failure (#3924)
  • The Active Directory provider now fetches the user information from the LDAP port and switches to using the Global Catalog port, if available, for the group membership. This fixes an issue where some attributes which are not available in the Global Catalog, typically the home directory, would be removed from the user entry. (#2474)
  • Session recording can now be enabled also for local users when the session recording is configured with scope=some and restricted to certain groups.
  • Smart Card authentication did not work with the KCM credentials cache because with KCM root cannot write to arbitrary user's credential caches (#3903)
  • A KCM bug that prevented SSH Kerberos credential forwarding from functioning was fixed (#3873)
  • The KCM responder did not work with completely empty database (#3815)
  • The sudo responder did not reflect the case_sensitive domain option (#3820)
  • The SSH responder no longer fails completely if the p11_child times out when deriving SSH keys from a certificate (#3937)
  • An issue that caused SSSD to sometimes switch to offline mode in case not all domains in the forest ran the Global Catalog service was fixed (#3902)
  • If any of the SSSD responders was too busy, that responder wouldn't have refreshed the trusted domain list (#3967)
  • The IPA SELinux provider now sets the user login context even if it is the same as the system default. This is important in case the user has a non-standard home directory, because then only adding the user to the SELinux database ensures the home directory will be labeled properly. However, this fix causes a performance hit during the first login as the context must be written into the semanage database.
  • A memory leak when requesting netgroups repeatedly was fixed (#3870)
  • The pysss.getgrouplist() interface that was removed by accident in the 2.0 version was re-added (#3493)
  • Crash when requesting users with the FindByNameAndCertificate D-Bus method was fixed (#3863)
  • SSSD can again run as the non-privileged sssd user (#3871)
  • The cron PAM service name used for GPO access control now defaults to a different service name depending on the OS (Launchpad #1572908)

Packaging Changes

  • The sbus code generator no longer relies on the existence of the "python" binary; the python2/3 binary is used depending on which bindings are being generated (#3807)
  • Very old libini library versions are no longer supported

Documentation Changes

  • Two new pam_sss options try_cert_auth and require_cert_auth can restrict authentication to use a Smart Card only or wait for a Smart Card to be inserted.
  • A new option p11_wait_for_card_timeout controls how long SSSD waits for a Smart Card to be inserted before failing with PAM_AUTHINFO_UNAVAIL.
  • A new option p11_uri is available to restrict the device or reader used for Smart Card authentication.

See full release notes here.

sssd-2.0.0

16 Apr 09:01

SSSD 2.0.0

Highlights

This release removes or deprecates functionality from SSSD, therefore the SSSD team decided it was time to bump the major version number. The sssd-1-16 branch will be still supported (most probably even as a LTM branch) so that users who rely on any of the removed features can either migrate or ask for the features to be readded.

Except for the removed features, this release contains a reworked internal IPC and a new default storage back end for the KCM responder.

Platform support removal

  • Starting with SSSD 2.0, upstream no longer supports RHEL-6 and its derivatives. Users of RHEL-6 are encouraged to stick with the sssd-1-16 branch.

Removed features

  • The Python API for managing users and groups in local domains (id_provider=local) was removed completely. The interface had been packaged as module called pysss.local
  • The LDAP provider had a special-case branch for evaluating group memberships with the RFC2307bis schema when group nesting was explicitly disabled. This codepath was adding needless additional complexity for little performance gain and was rarely used.
  • The ldap_groups_use_matching_rule_in_chain and ldap_initgroups_use_matching_rule_in_chain options and the code that evaluated them was removed. Neither of these options provided a significant performance benefit and the code implementing these options was complex and rarely used.

Deprecated features

  • The local provider (id_provider=local) and the command line tools to manage users and groups in the local domains, such as sss_useradd, are not built by default anymore. There is a configure-time switch --enable-local-domain you can use to re-enable the local domain support. However, upstream would like to remove the local domain completely in a future release.
  • The sssd_secrets responder is not packaged by default. The responder was meant to provide a REST API to access user secrets as well as a proxy to Custodia servers, but as Custodia development all but stopped and the local secrets handling so far didn't gain traction, we decided to not enable this code by default. This also means that the default SSSD configuration no longer requires libcurl and http-parser.

Changed default settings

  • The ldap_sudo_include_regexp option changed its default value from true to false. This means that wild cards in the sudoHost LDAP attribute are no longer supported by default. The reason we changed the default was that the wildcard was costly to evaluate on the LDAP server side and at the same time rarely used.

New features

  • The KCM responder has a new back end to store credential caches in a local database. This new back end is enabled by default and actually uses the same storage as the sssd-secrets responder had used, so the switch from sssd-secrets to this new back end should be completely seamless. The sssd-secrets socket is no longer required for KCM to operate.
  • The list of PAM services which are allowed to authenticate using a Smart Card is now configurable using a new option pam_p11_allowed_services.

Packaging Changes

  • The sss_useradd, sss_userdel, sss_usermod, sss_groupadd, sss_groupdel, sss_groupshow and sss_groupmod binaries and their manual pages are no longer packaged by default unless --enable-local-provider is selected.
  • The sssd_secrets responder is no longer packaged by default unless --enable-secrets-responder is selected.
  • The new internal IPC mechanism uses several private libraries that need to be packaged - libsss_sbus.so, libsss_sbus_sync.so, libsss_iface.so, libsss_iface_sync.so, libifp_iface.so and libifp_iface_sync.so
  • The new KCM ccache back end relies on a private library libsss_secrets.so that must be packaged in case either the KCM responder or the secrets responder are enabled.

Documentation Changes

  • The ldap_groups_use_matching_rule_in_chain and ldap_initgroups_use_matching_rule_in_chain options were removed.
  • The ldap_sudo_include_regexp option changed its default value from true to false.

Known issues

  • #4802: The sbus codegen script relies on "python" which might not be available on all distributions
  • There is a script that autogenerates code for the internal SSSD IPC. The script happens to call "python" which is not available on all distributions. Patching the sbus_generate.sh file to call e.g. python3 explicitly works around the issue

See full release notes here.

sssd-1.16.3

16 Apr 09:01

SSSD 1.16.3

Highlights

New Features

  • The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were discovered for a Kerberos realm used to be only generated for the joined domain, not the trusted domains. Starting with this release, the kdcinfo files are generated automatically also for trusted domains in setups that use id_provider=ad and IPA masters in a trust relationship with an AD domain.
  • The SSSD Kerberos locator plugin which processes the kdcinfo files and actually tells libkrb5 about the available KDCs can now process multiple addresses if SSSD generates more than one. At the moment, this feature is only used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8) manual page for more information about the Kerberos locator plugin.
  • On IPA clients, the AD DCs or the AD site which should be used to authenticate users can now be listed in a subdomain section. Please see the feature design page or the section "trusted domains configuration" for more details.

Notable bug fixes

  • SECURITY: The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read anyone else's sudo rules. This was considered an information leak and assigned CVE-2018-10852 (#3766)
  • IMPORTANT: The 1.16.2 release was storing the cached passwords without a salt prefix string. This bug was fixed in this release, but any password hashes generated by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is that upgrade from 1.16.2 to 1.16.3 should be done when the authentication server is reachable so that the first authentication after the upgrade fixes the cached password.
  • The sss_ssh process leaked file descriptors when converting more than one x509 certificate to SSH public key (#3794)
  • SSSD, when configured with id_provider=ad, was using an overly expensive LDAP search to find out whether the required POSIX attributes were replicated to the Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which is much more effective (#3755)
  • The PAC responder is now able to process Domain Local in case the PAC uses SID compression. Typically this is the case with Windows Server 2012 and newer (#3767)
  • Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would close the pipe towards sss_ssh_authorizedkeys when the matching key is found before the rest of the output is read. The sss_ssh_authorizedkeys helper was not handling this behaviour well and would exit with SIGPIPE, which also meant the public key authentication failed (#3747)
  • User lookups no longer fail if user's e-mail address conflicts with another user's fully qualified name (#3607)
  • The override_shell and override_homedir options are no longer applied to entries from the files domain. (#3758)
  • Several bugs related to the FleetCommander integration were fixed (#3773, #3774)
  • The grace logins with an expired password when authenticating against certain newer versions of the 389DS/RHDS LDAP server did not work (#3597)
  • Whitespace around netgroup triple separator is now stripped
  • The sss_ssh_knownhostproxy utility can now print the host key without proxying the connection.
  • Due to an overly restrictive check, the fast in-memory cache was sometimes skipped, which caused a high load on the sssd_nss process (#3776).

Packaging Changes

  • The python2 bindings are not built by default on Fedora 29 or newer
  • The sssd-secrets responder is now packaged in the sssd-kcm subpackage and might be removed in a future release

Documentation Changes

  • sss_ssh_knownhostsproxy has a new option -k/--print.

See full release notes here.