SSSD 1.16.3
Highlights
New Features
- The `kdcinfo` files that SSSD uses to inform libkrb5 about which KDCs were discovered for a Kerberos realm used to be generated only for the joined domain, not for the trusted domains. Starting with this release, the `kdcinfo` files are also generated automatically for trusted domains in setups that use `id_provider=ad` and on IPA masters in a trust relationship with an AD domain.
- The SSSD Kerberos locator plugin, which processes the kdcinfo files and actually tells libkrb5 about the available KDCs, can now process multiple addresses if SSSD generates more than one. At the moment, this feature is only used on IPA clients (see below). Please see the `sssd_krb5_locator_plugin(8)` manual page for more information about the Kerberos locator plugin.
- On IPA clients, the AD DCs or the AD site that should be used to authenticate users can now be listed in a subdomain section. Please see the feature design page or the section "trusted domains configuration" for more details.
Notable bug fixes
- SECURITY: The permissions on `/var/lib/sss/pipes/sudo` were set so that anyone could read anyone else's sudo rules. This was considered an information leak and assigned CVE-2018-10852 (#3766)
- IMPORTANT: The 1.16.2 release was storing the cached passwords without a salt prefix string. This bug is fixed in this release, but any password hashes generated by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is that the upgrade from 1.16.2 to 1.16.3 should be done while the authentication server is reachable, so that the first authentication after the upgrade fixes the cached password.
- The `sss_ssh` process leaked file descriptors when converting more than one X.509 certificate to an SSH public key (#3794)
- SSSD, when configured with `id_provider=ad`, was using a too expensive LDAP search to find out whether the required POSIX attributes were replicated to the Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which is much more effective (#3755)
- The PAC responder is now able to process Domain Local groups in case the PAC uses SID compression. Typically this is the case with Windows Server 2012 and newer (#3767)
- Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would close the pipe towards `sss_ssh_authorizedkeys` when the matching key is found, before the rest of the output is read. The `sss_ssh_authorizedkeys` helper was not handling this behaviour well and would exit with SIGPIPE, which also meant the public key authentication failed (#3747)
- User lookups no longer fail if a user's e-mail address conflicts with another user's fully qualified name (#3607)
- The `override_shell` and `override_homedir` options are no longer applied to entries from the files domain (#3758)
- Several bugs related to the FleetCommander integration were fixed (#3773, #3774)
- Grace logins with an expired password did not work when authenticating against certain newer versions of the 389DS/RHDS LDAP server (#3597)
- Whitespace around netgroup triple separator is now stripped
- The `sss_ssh_knownhostsproxy` utility can now print the host key without proxying the connection.
- Due to an overly restrictive check, the fast in-memory cache was sometimes skipped, which caused a high load on the `sssd_nss` process (#3776).
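The SIGPIPE failure mode from the `sss_ssh_authorizedkeys` item above, illustrated with added example code written for these notes (not SSSD's own implementation): a helper that writes candidate keys to its output pipe and treats an early close by the reader as a normal end rather than dying from SIGPIPE and failing the authentication. The function names (`emit_keys`, `demo`) and the sample keys are constructed for the example.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

/* Write all of buf: 0 on success, -1 if the reader closed the pipe (EPIPE), -2 on any other error. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return errno == EPIPE ? -1 : -2;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Emit one key per line. A reader that closes the pipe early has already found its
 * match, so that is not a failure. Returns the number of keys written, or -1 on a real error. */
int emit_keys(int fd, const char *const *keys, size_t nkeys)
{
    size_t i;
    /* Without this, the first write after the reader closes the pipe
     * kills the process with SIGPIPE instead of returning EPIPE. */
    signal(SIGPIPE, SIG_IGN);
    for (i = 0; i < nkeys; i++) {
        char line[4096];
        int len = snprintf(line, sizeof line, "%s\n", keys[i]);
        if (len < 0 || (size_t)len >= sizeof line) return -1;
        int rc = write_all(fd, line, (size_t)len);
        if (rc == -1) break;            /* reader gone: stop quietly */
        if (rc == -2) return -1;
    }
    return (int)i;
}

/* Constructed sample keys, not real key material. */
static const char *const sample_keys[] = {
    "ssh-ed25519 AAAAC3-constructed-1 user@example",
    "ssh-rsa AAAAB3-constructed-2 user@example" };

/* reader_open == 0 simulates sshd closing its end before reading anything.
 * Returns the number of keys written: 0 with the reader gone, 2 otherwise. */
int demo(int reader_open)
{
    int fds[2]; if (pipe(fds) != 0) return -1;
    if (!reader_open) close(fds[0]);
    int n = emit_keys(fds[1], sample_keys, 2);
    close(fds[1]);
    if (reader_open) close(fds[0]);
    return n;
}
```

With the reader gone the process returns cleanly with zero keys written instead of being terminated by SIGPIPE, so sshd still sees a well-behaved helper.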
Packaging Changes
- The python2 bindings are not built by default on Fedora 29 or newer
- The sssd-secrets responder is now packaged in the sssd-kcm subpackage and might be removed in a future release
Documentation Changes
- `sss_ssh_knownhostsproxy` has a new option `-k/--print`.