Last modified on 01/28/13 22:17:31


  • This release focused mainly on fixing regressions compared to the 1.8 series and on bugfixes for features introduced in the 1.9 release cycle. The release also includes two security fixes.
  • A security bug assigned CVE-2013-0219 was fixed: TOCTOU race conditions when creating or removing home directories for users in the local domain
  • A security bug assigned CVE-2013-0220 was fixed: out-of-bounds reads in the autofs and SSH responders
  • The sssd_pam responder processes pending requests after reconnect
  • A serious memory leak in the NSS responder was fixed
  • Requests that were processing group entries whose DNs pointed outside all configured search bases were not terminated correctly, causing long timeouts
  • Kerberos tickets are correctly renewed even after SSSD daemon restart
  • The autofs LDAP provider correctly updates entries that changed mount options on the LDAP server
  • Secondary groups are now reported correctly for a user coming from a trusted Active Directory server
  • Kerberos principal selection was fixed to behave correctly when accessing an Active Directory server
  • Multiple fixes related to SUDO integration, in particular fixing functionality when the sssd back end process was changing its online/offline status
  • The pwd_exp_warning option was fixed to function as documented in the manual page
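The CVE-2013-0219 item above concerns a classic TOCTOU pattern: a tool that checks a home directory by path and then deletes (or creates) it by path can be redirected if the path is swapped for a symlink between the check and the use. The changelog entries "Use openat/unlinkat when removing the homedir" and "Use file descriptor to avoid races when creating a home directory" name the fix. The following is an added illustration of that defensive technique in C, written for this page and not SSSD's own code: every check and every deletion is performed relative to an already-open directory file descriptor, symlinks are never followed, and the ownership check is done with fstat() on the same fd that is then deleted through. The function names, the `/tmp` fixture and the `victim` tree are constructed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove everything below an already-open directory fd. Children are opened and
 * unlinked relative to that fd, never by absolute path, so swapping an ancestor
 * for a symlink mid-operation cannot redirect the deletion. Takes ownership of
 * dirfd and closes it. Returns 0 on success, -1 if anything failed. */
static int remove_tree_fd(int dirfd)
{
    DIR *d = fdopendir(dirfd);
    if (d == NULL) { close(dirfd); return -1; }
    int ret = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue;
        struct stat st;
        /* AT_SYMLINK_NOFOLLOW: classify the link itself, not what it points to */
        if (fstatat(dirfd, ent->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) { ret = -1; continue; }
        if (S_ISDIR(st.st_mode)) {
            int sub = openat(dirfd, ent->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            if (sub < 0 || remove_tree_fd(sub) != 0 || unlinkat(dirfd, ent->d_name, AT_REMOVEDIR) != 0)
                ret = -1;
        } else if (unlinkat(dirfd, ent->d_name, 0) != 0) {
            ret = -1;   /* files and symlinks: only the entry goes, targets are untouched */
        }
    }
    closedir(d);        /* also closes dirfd */
    return ret;
}

/* Remove <parent>/<name> as the home directory owned by uid. The directory is
 * opened with O_NOFOLLOW and ownership is verified with fstat() on that open fd,
 * so the object we checked is exactly the object we delete. Hypothetical API. */
int remove_home_dir(const char *parent, const char *name, uid_t uid)
{
    int pfd = open(parent, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (pfd < 0) return -1;
    int hfd = openat(pfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (hfd < 0) { close(pfd); return -1; }         /* ELOOP when <name> is a symlink */
    struct stat st;
    if (fstat(hfd, &st) != 0 || st.st_uid != uid) { close(hfd); close(pfd); errno = EPERM; return -1; }
    int ret = remove_tree_fd(hfd);                  /* consumes hfd */
    if (ret == 0 && unlinkat(pfd, name, AT_REMOVEDIR) != 0) ret = -1;
    close(pfd);
    return ret;
}

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Constructed fixture under /tmp: home/alice is a real home dir that contains a
 * symlink to a sibling tree "victim"; home/bob is itself a symlink to "victim".
 * Returns 0 only if alice is removed, bob is refused, and victim survives both. */
int homedir_demo(void)
{
    char base[] = "/tmp/homedir_demo_XXXXXX";
    if (mkdtemp(base) == NULL) return 1;
    char home[256], victim[256], p[256];
    snprintf(home, sizeof home, "%s/home", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    if (mkdir(home, 0755) != 0 || mkdir(victim, 0755) != 0) return 2;
    snprintf(p, sizeof p, "%s/keep", victim);        touch(p);
    snprintf(p, sizeof p, "%s/alice", home);         mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/alice/sub", home);     mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/alice/sub/f", home);   touch(p);
    snprintf(p, sizeof p, "%s/alice/link", home);    if (symlink(victim, p) != 0) return 3;
    snprintf(p, sizeof p, "%s/bob", home);           if (symlink(victim, p) != 0) return 3;

    int rc = 0;
    struct stat st;
    if (remove_home_dir(home, "alice", getuid()) != 0) rc |= 4;   /* real dir: removed */
    if (remove_home_dir(home, "bob", getuid()) == 0) rc |= 8;     /* symlink: refused */
    snprintf(p, sizeof p, "%s/keep", victim);
    if (stat(p, &st) != 0) rc |= 16;                 /* victim/keep must survive */
    snprintf(p, sizeof p, "%s/alice", home);
    if (lstat(p, &st) == 0) rc |= 32;                /* alice must be gone */
    snprintf(p, sizeof p, "%s/bob", home);
    unlink(p);                                       /* fixture cleanup from here on */
    remove_home_dir(base, "victim", getuid());
    rmdir(home);
    rmdir(base);
    return rc;
}

int main(void)
{
    int rc = homedir_demo();
    printf("homedir_demo: %s (%d)\n", rc == 0 ? "all checks passed" : "FAILED", rc);
    return rc;
}
```

The point is in `remove_home_dir`: the path is resolved once, with O_NOFOLLOW, and everything afterwards (the uid check, the recursive walk, the final `unlinkat`) operates on descriptors, so there is no window in which a renamed or symlinked component can point the deletion at another user's tree. The same fd-relative pattern applies when creating the skeleton of a new home directory.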

Tickets Fixed

  • pam_sss(crond:account): Request to sssd failed. Timer expired
  • always reread the master map from LDAP
  • sss_cache: fqdn not accepted
  • sudoUser group and netgroup specifications don't work
  • sssd caching not working as expected for selinux usermap contexts
  • investigate the behaviour of ldap_sasl_authid in 1.9.x
  • Login fails - sssd_be module polling fd indefinitely and gets killed
  • sss_userdel doesn't remove entries from in-memory cache
  • IPA Trust does not show secondary groups for AD Users for commands like id and getent
  • Error in PAC responder
  • memberUid required for primary groups to match sudo rule
  • Primary server status is not always reset after failover to backup server happened
  • krb5_kpasswd failover doesn't work
  • Offline sudo denies access with expired entry_cache_timeout
  • Negative cache timeout is not working for proxy provider
  • Disallow root SSH public key authentication
  • sudo: if first full refresh fails, schedule another first full refresh
  • Option ldap_sudo_include_regexp named incorrectly
  • Incorrect synchronization in mmap cache
  • ldap_chpass_uri failover fails on using same hostname
  • sudo denies access with disabled ldap_sudo_use_host_filter
  • sssd_nss crashes during enumeration
  • Wrong variable check in the memberof plugin
  • Wrong error handler in sss_mc_create_file
  • segfault in async_resolv.c
  • sssd components seem to mishandle sighup
  • man sssd-sudo has wrong title
  • user id lookup fails for case sensitive users using proxy provider
  • Make functions manipulating with mmap cache more defensive
  • Limit requests coalescing in time
  • crash in memory cache
  • Explicit null dereferenced
  • AD provider: getgrgid removes nested group memberships
  • Failure in memberof can lead to failed database update
  • Memory leak in new memcache initgr cleanup function
  • krb5 ticket renewal does not read the renewable tickets from cache
  • clarify the disadvantages of enumeration in sssd.conf
  • Failover to krb5_backup_kpasswd doesn't work
  • Smart refresh doesn't notice "defaults" addition with OpenLDAP
  • Incorrect principal searched for in keytab
  • wrong filter for autofs maps in sss_cache
  • memory cache is not updated after user is deleted from ldb cache
  • sssd fails to update to changes on autofs maps
  • Failover to ldap_chpass_backup_uri doesn't work
  • sssd_be crashes looking up members with groups outside the nesting limit
  • Modifications using sss_usermod tool are not reflected in memory cache
  • ipa-client-automount: autofs failed in s390x and ppc64 platform
  • SSSD should warn when pam_pwd_expiration_warning value is higher than passwordWarning LDAP attribute.
  • local provider: All member users are not returned on looking up top level parent group.
  • Rule mismatch isn't noticed before smart refresh on ppc64 and s390x
  • sssd: Out-of-bounds read flaws in autofs and ssh services responders
  • TOCTOU race conditions by copying and removing directory trees
  • Group lookup fails and takes ~60s to return to shell if member dn is incorrect
  • reset the release in upstream spec before releasing 1.9.4

Detailed Changelog

Jakub Hrozek (47):

  • Updating the version for the 1.9.4 release
  • SUDO: strdup the input variable
  • PAC: check the return value of diff_git_lists
  • SYSDB: Move misplaced assignment
  • LDAP: remove dead assignment
  • MEMBEROF: Fix copy-n-paste error
  • NSS: Fix the error handler in sss_mc_create_file
  • SYSDB: More debugging during the conversion to ghost users
  • MAN: Fix the title of sssd-sudo
  • MEMBEROF: silence compilation warnings
  • Set cloexec flag for log files
  • RESOLV: Do not steal the resulting hostent on error
  • SYSDB: fix copy-n-paste error
  • SYSDB: Add API to invalidate all map objects
  • DP: invalidate all cached maps if a request for auto.master comes in
  • AUTOFS: allow removing entries from hash table
  • AUTOFS: remove all maps from hash if request for auto.master comes in
  • RESPONDERS: Create a common file with service names and versions
  • AUTOFS: Clear enum cache if a request comes in from the sss_cache
  • Add responder_sbus.h to noinst_HEADERS
  • Free resources if fileno failed
  • Search for SHORTNAME$@REALM instead of fqdn$@REALM by default
  • Potential resource leak in sss_nss_mc_get_record
  • SYSDB: Remove duplicate selinux defines
  • SYSDB: Split a function to read all SELinux maps
  • SELINUX: Process maps even when offline
  • AD: replace GID/UID, do not add another one
  • AD: Add user as a direct member of his primary group
  • TOOLS: move memcache related functions to tools_mc_utils.c
  • TOOLS: Split querying nss responder into a separate function
  • TOOLS: Provide a convenience function to refresh a list of groups
  • TOOLS: Refresh memcache after changes to local users and groups
  • LDAP: avoid complex realloc logic in save_rfc2307bis_group_memberships
  • autofs: Use SAFEALIGN_SET_UINT32 instead of SAFEALIGN_COPY_UINT32
  • NSS: invalidate memcache user entry on initgr, too
  • Invalidate user entry even if there are no groups
  • LDAP: Compare lists of DNs when saving autofs entries
  • TOOLS: invalidate parent groups in memory cache, too
  • Convert the value of pwd_exp_warning to seconds
  • TOOLS: Use openat/unlinkat when removing the homedir
  • TOOLS: Use file descriptor to avoid races when creating a home directory
  • SYSDB: make the sss_ldb_modify_permissive function public
  • SYSDB: Expire group if adding ghost users fails with EEXIST
  • MAN: Clarify that saving users after enumerating large domain might be CPU intensive
  • TOOLS: Compile on old platforms such as RHEL5
  • Updating the translations for the 1.9.4 release

Jan Cholasta (2):

  • SSH: Reject requests for authorized keys of root
  • Check that strings do not go beyond the end of the packet body in autofs and SSH requests.
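The second of these commits is the fix for CVE-2013-0220 listed in the release notes above: a responder that trusts a length field in a client request and reads that many bytes can read past the end of what it actually received. The following is an added example of the check in C, written for this page and not SSSD's code: the packet layout (a 4-byte length in host byte order followed by the name bytes, NUL included) is a constructed stand-in rather than SSSD's wire format, and `parse_name_checked`, `build_body` and `packet_demo` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return a pointer to the name carried in body, or NULL if the declared length
 * would reach past the body_len bytes actually received, or if the string is
 * not NUL-terminated inside the declared range. Every read stays within body. */
const char *parse_name_checked(const uint8_t *body, size_t body_len)
{
    uint32_t len;
    if (body_len < sizeof(len)) return NULL;                  /* no room for the header */
    memcpy(&len, body, sizeof(len));
    if (len == 0 || len > body_len - sizeof(len)) return NULL; /* the bounds check the fix adds */
    const char *name = (const char *)body + sizeof(len);
    if (name[len - 1] != '\0') return NULL;                   /* terminator must be in range */
    if (strlen(name) != len - 1) return NULL;                 /* no embedded NUL shortening it */
    return name;
}

/* Fixture helper: write a declared length (which may deliberately disagree with
 * the payload) followed by payload_len bytes. Returns the body size, 0 if it
 * does not fit. Host byte order on both sides, so the layout is consistent. */
static size_t build_body(uint8_t *buf, size_t cap, uint32_t declared,
                         const char *payload, size_t payload_len)
{
    if (cap < sizeof(declared) + payload_len) return 0;
    memcpy(buf, &declared, sizeof(declared));
    memcpy(buf + sizeof(declared), payload, payload_len);
    return sizeof(declared) + payload_len;
}

/* Four constructed requests; returns a bitmask of which ones were accepted.
 * Only bit 0, the well-formed request, should be set. */
int packet_demo(void)
{
    uint8_t buf[32];
    int accepted = 0;
    size_t n;
    n = build_body(buf, sizeof buf, 5, "root", 5);    /* "root\0", declared 5: valid */
    if (parse_name_checked(buf, n) != NULL) accepted |= 1;
    n = build_body(buf, sizeof buf, 100, "root", 5);  /* declares 100 bytes, received 5 */
    if (parse_name_checked(buf, n) != NULL) accepted |= 2;
    n = build_body(buf, sizeof buf, 4, "root", 4);    /* no terminator inside the range */
    if (parse_name_checked(buf, n) != NULL) accepted |= 4;
    n = build_body(buf, sizeof buf, 5, "ro", 2);      /* packet cut short by the sender */
    if (parse_name_checked(buf, n) != NULL) accepted |= 8;
    return accepted;
}

int main(void)
{
    int mask = packet_demo();
    printf("accepted mask: %d (%s)\n", mask, mask == 1 ? "only the valid request" : "UNEXPECTED");
    return mask == 1 ? 0 : 1;
}
```

The length comparison is written as `len > body_len - sizeof(len)` only after confirming `body_len >= sizeof(len)`, so the subtraction cannot wrap; comparing `len + sizeof(len) > body_len` instead would be vulnerable to integer overflow on a hostile `len`. The terminator check matters because a later `strlen` or `printf("%s")` on an unterminated name would otherwise walk off the end of the buffer even when the declared length is in range.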

Michal Zidek (4):

  • sssd_nss: Remove entries from memory cache if not found in sysdb
  • tools: sss_userdel and groupdel remove entries from memory cache
  • sss_cache: fqdn not accepted
  • sss_userdel and sss_groupdel with use_fully_qualified_names

Ondrej Kos (4):

  • PROXY: fix negative cache
  • PROXY: fix groups caching
  • LDAP: initialize refresh function handler
  • SYSDB: Modify ghosts in permissive mode

Pavel Březina (22):

  • sudo manpage: clarify that sudoHost may contain wildcards and not regular expression
  • let krb5_kpasswd failover work
  • sudo: don't get stuck in rules and smart refresh when offline
  • sysdb_get_sudo_user_info() initialize attrs on declaration
  • sudo: include primary group in user group list
  • sudo: support generalized time format
  • let ldap_chpass_uri failover work when using same hostname
  • try primary server after retry_timeout + 1 seconds when switching to backup
  • add sdap_sudo_schedule_refresh()
  • check dp error in sdap_sudo_full_refresh_done()
  • sudo: schedule another full refresh in short interval if the first fails
  • sudo: do full refresh when data provider is back online
  • let krb5_backup_kpasswd failover work
  • memcache: add macro that validates record length
  • explicit null dereferenced in sss_nss_mc_get_record()
  • memcache: make MC_PTR_TO_SLOT() more readable
  • sudo smart refresh: do not include usn in filter if no valid usn is known
  • sudo smart refresh: fix debug message
  • let ldap_backup_chpass_uri work
  • fix backend callbacks: remove callback properly from dlist
  • sudo responder: change num_rules type from size_t to uint32_t
  • nested groups: fix group lookup hangs if member dn is incorrect

Simo Sorce (12):

  • Add a macro to copy with barriers
  • Allow mmap calls to gracefully return absent ctx
  • sssd_pam: Cleanup requests cache on sbus reconnect
  • responder_dp: Add timeout to side requests
  • memberof: Prevent unneeded failure case
  • sssd_nss: Plug memory leaks
  • nss_mc: Add extra checks when dereferencing records
  • Update free table when records are invalidated.
  • Carefully check records when forcibly invalidating
  • mmap cache: invalidate cache on fatal error
  • Remove unused header
  • Fix invalidating autofs maps

Sumit Bose (18):

  • select_principal_from_keytab() look for plain input as well
  • select_principal_from_keytab() do wildcard lookups after specific ones
  • Fix a 'shadows a global declaration' warning
  • Add default section to switch statement
  • krb5 tgt renewal: fix usage of ldb_dn_get_component_val()
  • Use struct pac_grp instead of gid_t for groups from PAC
  • Add find_domain_by_id()
  • IDMAP: add sss_idmap_smb_sid_to_unix()
  • Update domain ID for local domain as well
  • Always get user data from PAC
  • Save domain and GID for groups from the configured domain
  • Remote groups do not have an original DN attribute
  • Read remote groups from PAC
  • Use hash table to collect GIDs from PAC to avoid dups
  • Add tests for get_gids_from_pac()
  • PAC responder: check if existing user differs
  • Refactor gid handling in the PAC responder