Last modified on 09/17/14 13:23:55


  • This release focuses on delivering bug fixes and smaller features backported from the 1.12 line
  • Several bugs related to retrieving the correct group memberships in the AD provider configured to use POSIX attributes were fixed.
  • The Active Directory provider now correctly detects Windows Server 2012 R2. Previous versions would fall back to the slower non-AD path with 2012 R2.
  • Groups without full POSIX information can now be used to enroll group membership (fixes CVE-2014-0249)
  • Detection of transition from offline to online state was improved, resulting in fewer timeouts when SSSD is offline.
  • If referrals are disabled with a config option (or by default in the AD provider), any returned referral would be ignored. Previously, the back end would switch to offline mode on encountering a referral.

Documentation Changes

  • A new option override_space was added. When this option is set, a space character in user or group names is replaced by the character specified in this option
  • A small random value is now added to the offline_timeout parameter value to avoid flooding servers with periodic online checks
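The override_space behaviour described above has one subtle point: the substitution has to be reversible, because a name typed at login with the substitution character (as in the "Auth fails when space in username is replaced" ticket below) must map back to the original LDAP name. The following is an added illustration, not SSSD's code; it assumes a single substitution character and adopts the rule that a name already containing the substitution character (or, in reverse, already containing a space) is left unchanged, since mapping it would be ambiguous. The `naive_*` functions show what goes wrong without that check.

```python
# Added example illustrating space substitution in user/group names
# (not SSSD's implementation; the ambiguity rule below is an assumption).

def _check_subst(subst: str) -> None:
    if len(subst) != 1:
        raise ValueError("substitution must be exactly one character")


def replace_space(name: str, subst: str) -> str:
    """Map a name such as 'Domain Users' to 'Domain_Users'.

    The name is returned untouched when the substitution is a space or
    when the name already contains the substitution character: in that
    case the reverse mapping could not tell which characters were spaces.
    """
    _check_subst(subst)
    if subst == " " or subst in name:
        return name
    return name.replace(" ", subst)


def reverse_replace_space(name: str, subst: str) -> str:
    """Undo replace_space for a name typed at login ('Domain_Users').

    Mirror rule: if the typed name already contains a literal space, the
    caller used the original form and nothing is reversed.
    """
    _check_subst(subst)
    if subst == " " or " " in name:
        return name
    return name.replace(subst, " ")


def round_trips(name: str, subst: str) -> bool:
    """True when forward + reverse substitution yields the original name."""
    return reverse_replace_space(replace_space(name, subst), subst) == name


# Unchecked variants, to show why the guard matters.
def naive_replace_space(name: str, subst: str) -> str:
    return name.replace(" ", subst)


def naive_reverse_replace_space(name: str, subst: str) -> str:
    return name.replace(subst, " ")


def naive_round_trips(name: str, subst: str) -> bool:
    return naive_reverse_replace_space(naive_replace_space(name, subst), subst) == name


if __name__ == "__main__":
    # Constructed sample names; the second already contains the substitution character.
    for sample in ("Domain Users", "john_doe smith"):
        print(f"{sample!r}: guarded round trip {round_trips(sample, '_')}, "
              f"naive round trip {naive_round_trips(sample, '_')}")
```

With `override_space`-style substitution set to `_`, `Domain Users` round-trips either way, but `john_doe smith` only survives with the guard: the naive version turns it into `john_doe_smith` and reverses that to `john doe smith`, a different identity.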

Tickets Fixed

[RFE] Add option for sssd to replace space with specified character in LDAP group
[RFE] Add fallback to sudoRunAs when sudoRunAsUser is not defined and no ldap_sudorule_runasuser mapping has been defined in SSSD
Expired shadow policy user(shadowLastChange=0) is not prompted for password change
CVE-2014-0249 sssd: incorrect expansion of group membership when encountering a non-POSIX group [fedora-all]
tokengroups do not work with id_provider=ldap
public key validator is too strict and does not allow newlines anywhere in the public key string, not even at the end
Requests queued during transition from offline to online mode
The SSSD dbus service should retry system bus connection if it fails
RFE: Be able to configure sssd to honor openldap account lock to restrict access via ssh key
sudo: invalid sudoHost filter with asterisk
Race condition in the client code
dereferencing control failure against openldap server
ad: group membership is empty when id mapping is off and tokengroups are enabled
Problems with tokengroups and ldap_group_search_base
Failover does not always happen from SRV to hostname resolution(via /etc/hosts)
sssd_be segfaults in ldb_msg_find_element
Auth fails when space in username is replaced with character set by override_default_whitespace
RHEL6.6 sssd not running after upgrade
sssd can't retrieve sudo rules when using the "default_domain_suffix" option
clarify the offline timeout in man page
IFP: FQDN lookups are broken
use-after-free in dyndns code
Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
simple_allow_groups does not lookup groups from other AD domains
On error, libnss_sss can mistakenly close descriptors it doesn't "own"
Race condition between sudo refresh
sssd does not recognize Windows server 2012 R2's LDAP as AD
Dereference code errors out when dereferencing entries protected by ACIs
ipa user private group not found

Detailed Changelog

Ian Lee (1):

  • Add user lookup and session dependencies to systemd service file.

Jakub Hrozek (32):

  • Updating the version for the 1.11.7 release
  • BUILD: dbusintrospectdir is not used anymore
  • IFP: Fix DEBUG messages
  • IFP: Return a specific value on failure connecting to the system bus
  • IFP: Provide a SBUS method to reconnect to sysbus
  • MONITOR: Signal InfoPipe to reconnect on SIGUSR2
  • TOOLS: New helper tool sss_signal
  • BUILD: Add the DBus service activation
  • IFP: Fix lookups with fully-qualified names
  • RPM: Restart service in %posttrans, not %post
  • NSS: Ignore default_domain for netgroups
  • Only replace space with the specified substitution
  • Make the space override responder-agnostic
  • PAM: Use the override_space option
  • IFP: Use the override_space option
  • SUDO: Use the override_space option
  • IPA: handle searches by SID in apply_subdomain_homedir
  • Revert "IPA: new attribute map for non-posix groups"
  • Revert "IPA: process non-posix nested groups"
  • Revert "IPA: try to resolve nested groups as posix group"
  • LDAP: Do not shortcut on ret != EOK during password expiry check
  • LDAP: Split out linking primary group members into a separate function
  • LDAP: Don't add a user member twice when adding a primary group
  • LDAP: Use tmp_ctx in ldap_child for temporary data
  • LDAP: Use randomized ccname for storing credentials
  • LDAP: Add Windows Server 2012 R2 functional level
  • LDAP: Fall back to functional level of Windows Server 2003
  • LDAP: Enable tokenGroups with Windows Server 2003
  • LDAP: Ignore returned referrals if referral support is disabled
  • LDAP: Skip dereferenced entries that we are not permitted to read
  • Ignore referrals in deref and ASQ, too
  • Updating the translations for the 1.11.7 release

Jan Cholasta (1):

  • SSH: Allow newline at the end of public key values in LDAP

Lukas Slebodnik (19):

  • Don't use macro _XOPEN_SOURCE for function strptime
  • sss_client: thread safe initialisation of sss_cli_mc_ctx
  • sss_client: Fix memory leak in nss_mc_{group,passwd}
  • LDAP: Remove unused option ldap_netgroup_uuid
  • LDAP: Remove unused option ldap_group_uuid
  • LDAP: Remove unused option ldap_user_uuid
  • test_utils: Use common header file for libsss_util tests.
  • UTIL: Add functions for replacing whitespaces.
  • NSS: Replace spaces with specified string in names.
  • dyndns_test: Use right socket length for IPv4 address.
  • responder-get-domains-tests: fix checking of leaks
  • test_dyndns: Use different talloc context in wrapped functions.
  • TESTS: leak_check functions shouldn't be called with NULL context
  • dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
  • test_dyndns: sss_iface_addr_list_get can return more values
  • SDAP: free subrequest in sdap_dyndns_update_addrs_done
  • SDAP: Immediately finish request for empty array
  • SDAP: Use different talloc_context for array of names
  • SDAP: Update groups for user just once.

Michal Zidek (6):

  • ptask: Allow adding random_offset to scheduled execution time
  • ptask: Add backoff feature to the ptask api.
  • Exit offline mode only if server is available.
  • MAN: How much time sssd spends offline
  • Add alternative objectClass to group attribute maps
  • Use the alternative objectclass in group maps.

Michal Šrubař (1):

  • LDAP SUDO: sudo provider doesn't fetch 'EntryUSN'

Nalin Dahyabhai (1):

  • sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors

Nikolai Kondrashov (1):

  • build: Switch back to DISTCHECK_CONFIGURE_FLAGS

Pavel Březina (9):

  • sbus_request: fix potential NULL dereference
  • ad: comment ENOENT when id mapping is disabled
  • ad: update membership after SIDs are resolved
  • sudo: fetch sudoRunAs attribute
  • sudo: use dbus array for rules refresh
  • sudo: replace asterisk with escape sequence in host filter
  • failover: set port status to not working if previous srv lookup failed
  • ad initgroups: continue if resolved SID is still missing
  • sudo: work with correct D-Bus iterator

Pavel Reichl (18):

  • TESTS: sss_ssh - textual public key format
  • LDAP: tokengroups do not work with id_provider=ldap
  • SDAP: Continue resolving SID even if some fail
  • IPA: new attribute map for non-posix groups
  • IPA: process non-posix nested groups
  • IPA: try to resolve nested groups as posix group
  • SDAP: split sdap_access_filter_get_access_done
  • SDAP: refactor sdap_access_filter_send
  • SDAP: nitpicks in sdap_access_filter_get_access_done
  • SDAP: refactor sdap_access_filter_done
  • SDAP: don't log error on access denied
  • SDAP: refactor AC offline checks
  • SDAP: new option - DN to ppolicy on LDAP
  • SDAP: account lockout to restrict access via ssh key
  • MAN: options 'lockout' and 'ldap_pwdlockout_dn'
  • IPA: process non-posix nested groups
  • AD: process non-posix nested groups w/o tokenGroups
  • AD: process non-posix nested groups using tokenGroups

Sumit Bose (1):

  • Replace space: add some checks