SSSD 2.6.0 Release Notes
Highlights
General information
- Support of the legacy json format for ccaches was dropped.
- Support of the long-deprecated `secrets` responder was dropped.
- Support of the long-deprecated `local` provider was dropped.
- This release drops support of the `--with-unicode-lib` configure option. `libunistring` will be used unconditionally for Unicode processing.
- This release removes pcre1 support. pcre2 is used unconditionally.
- p11_child does not stop at the first empty slot when searching for tokens
- A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability. This patch fixes the flaw by replacing `system()` with `execvp()`.
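The `system()` versus `execvp()` distinction behind that fix, as an added illustration (not SSSD's own code): the first function shows the injectable pattern, where an untrusted string is spliced into a shell command line; the second runs a child through `fork()`/`execvp()` with an explicit argv, so the untrusted string reaches the child as one argument and no shell ever parses it. The command names and the `/tmp` archive path are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Injectable pattern: the untrusted string becomes part of a shell command
 * line, so ';', '$(...)', '|' and friends are interpreted by /bin/sh. */
int fetch_logs_with_system(const char *untrusted_path)
{
    char cmd[512];
    snprintf(cmd, sizeof(cmd), "tar -czf /tmp/logs.tar.gz %s", untrusted_path);
    return system(cmd);
}

/* Hardened pattern: run argv[] directly via execvp(), capturing the child's
 * stdout into stdout_buf. Returns the child's exit status, or -1 on error. */
int run_argv(char *const argv[], char *stdout_buf, size_t buflen)
{
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);           /* no shell involved */
        _exit(127);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], stdout_buf, buflen - 1);
    stdout_buf[n > 0 ? n : 0] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* How many arguments does the child see when the untrusted string is passed
 * through argv? The child here is sh itself, asked to print "$#", and the
 * string still arrives as exactly one positional parameter. Returns -1 on
 * failure. */
int argc_seen_by_child(const char *untrusted)
{
    char out[32];
    char *argv[] = {"sh", "-c", "echo $#", "sh", (char *)untrusted, NULL};
    if (run_argv(argv, out, sizeof(out)) != 0) return -1;
    return atoi(out);
}
```

With `system()` the same strings would have been split and executed by the shell; with `execvp()` the child sees one argument regardless of its contents.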
New features
- Basic support of the user's 'subuid and subgid ranges' for the IPA provider, and a corresponding plugin for shadow-utils, were introduced. Limitations:
  - single subid interval pair (subuid+subgid) per user
  - idviews aren't supported
  - only forward lookup (user -> subid ranges)
  Take note: this is an MVP of an experimental feature. Significant changes might be required later, after initial feedback. Corresponding support in shadow-utils was merged upstream, but since there is no upstream release available yet, the SSSD feature isn't built by default. The build can be enabled with the `--with-subid` configure option. The plugin's install path can be configured with `--with-subid-lib-path=` (`${libdir}` by default).
Important fixes
- KCM now replaces the old credential with the new one when storing an updated credential that is already present in the ccache, to avoid unnecessary growth of the ccache.
- Improved the mpg search filter to be more reliable with id-overrides and the new auto_private_groups options.
- Even if the forest root is disabled for lookups, all required internal data is initialized so that the list of trusted domains in the forest can be refreshed from a DC of the forest root.
- ccache files are created with the right ownership during offline Smartcard authentication
- AD ping is now sent over `ldap` if `cldap` support is not available during the build. This helps to build SSSD on distributions without `cldap` support in `libldap`.
- CVE-2021-3621
Configuration changes
- The new IPA provider option `ipa_subid_ranges_search_base` allows configuration of the search base for the user's subid ranges. Default: `cn=subids,%basedn`