Releases/Notes-1.9.4
Last modified on 01/28/13 22:17:31

Highlights

  • This release focused mainly on fixing regressions compared to the 1.8 series and bugfixes for features introduced in the 1.9 release cycle. The release also includes two security fixes.
  • A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions when creating or removing home directories for users in local domain
  • A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads in autofs and ssh responder
  • The sssd_pam responder processes pending requests after reconnect
  • A serious memory leak in the NSS responder was fixed
  • Requests that were processing group entries with DNs pointing outside all configured search bases were not terminated correctly, causing long timeouts
  • Kerberos tickets are correctly renewed even after SSSD daemon restart
  • The autofs LDAP provider correctly updates entries that changed mount options on the LDAP server
  • Secondary groups are now reported correctly for a user coming from a trusted Active Directory server
  • Kerberos principal selection was fixed to behave correctly when accessing an Active Directory server
  • Multiple fixes related to SUDO integration, in particular fixing functionality when the sssd back end process was changing its online/offline status
  • The pwd_exp_warning option was fixed to function as documented in the manual page
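The CVE-2013-0219 fix listed above moved the home directory tools to openat/unlinkat so that each step works relative to an already-open directory descriptor instead of a path that can be swapped underneath it. The block below is an added illustration of that pattern written for this page, not SSSD's own code: remove_tree_at and the demo fixture are assumed names, and the temporary paths it creates are constructed.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Remove entry `name` relative to `parent_fd` (AT_FDCWD for a plain path).
 * Symlinks are never followed and directories are walked through their own fd,
 * so a link planted under the tree cannot redirect the removal outside it. */
int remove_tree_at(int parent_fd, const char *name)
{
    struct stat st;
    if (fstatat(parent_fd, name, &st, AT_SYMLINK_NOFOLLOW) < 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlinkat(parent_fd, name, 0); /* file or symlink */
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd); /* the stream now owns fd */
    if (d == NULL) { close(fd); return -1; }
    int rc = 0;
    for (;;) { /* rewind each round: deleting entries mid-readdir is unspecified */
        struct dirent *e;
        rewinddir(d);
        while ((e = readdir(d)) != NULL &&
               (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)) {}
        if (e == NULL) break; /* directory is empty now */
        if ((rc = remove_tree_at(dirfd(d), e->d_name)) != 0) break;
    }
    closedir(d);
    return rc == 0 ? unlinkat(parent_fd, name, AT_REMOVEDIR) : -1;
}

/* Constructed self-check: home/{file, sub/, escape -> outside}, where `escape` links to
 * a second directory holding `keep`. Returns 1 if home is gone and outside/keep survived. */
int demo(void)
{
    char home[] = "/tmp/home.XXXXXX", outside[] = "/tmp/outside.XXXXXX", p[PATH_MAX];
    if (!mkdtemp(home) || !mkdtemp(outside)) return 0;
    snprintf(p, sizeof p, "%s/keep", outside); close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/file", home);    close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/sub", home);     mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/escape", home);  symlink(outside, p);
    if (remove_tree_at(AT_FDCWD, home) != 0) return 0;
    snprintf(p, sizeof p, "%s/keep", outside);
    int ok = access(home, F_OK) != 0 && access(p, F_OK) == 0;
    unlink(p); rmdir(outside); /* tidy up the surviving fixture */
    return ok;
}
```

A path-based rm -r run as root would have followed `escape` and emptied the target directory; here the link is simply unlinked and `keep` is untouched.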

Tickets Fixed

  • #1564 pam_sss(crond:account): Request to sssd failed. Timer expired
  • #1592 always reread the master map from LDAP
  • #1620 sss_cache: fqdn not accepted
  • #1624 sudoUser group and netgroup specifications don't work
  • #1626 sssd caching not working as expected for selinux usermap contexts
  • #1635 investigate the behaviour of ldap_sasl_authid in 1.9.x
  • #1655 Login fails - sssd_be module polling fd indefinitely and gets killed
  • #1659 sss_userdel doesn't remove entries from in-memory cache
  • #1666 IPA Trust does not show secondary groups for AD Users for commands like id and getent
  • #1672 Error in PAC responder
  • #1677 memberUid required for primary groups to match sudo rule
  • #1679 Primary server status is not always reset after failover to backup server happened
  • #1680 krb5_kpasswd failover doesn't work
  • #1682 Offline sudo denies access with expired entry_cache_timeout
  • #1685 Negative cache timeout is not working for proxy provider
  • #1687 Disallow root SSH public key authentication
  • #1689 sudo: if first full refresh fails, schedule another first full refresh
  • #1690 Option ldap_sudo_include_regexp named incorrectly
  • #1694 Incorrect synchronization in mmap cache
  • #1699 ldap_chpass_uri failover fails on using same hostname
  • #1701 sudo denies access with disabled ldap_sudo_use_host_filter
  • #1702 sssd_nss crashes during enumeration
  • #1703 Wrong variable check in the memberof plugin
  • #1704 Wrong error handler in sss_mc_create_file
  • #1706 segfault in async_resolv.c
  • #1708 sssd components seem to mishandle sighup
  • #1710 man sssd-sudo has wrong title
  • #1714 user id lookup fails for case sensitive users using proxy provider
  • #1716 Make functions manipulating with mmap cache more defensive
  • #1717 Limit requests coalescing in time
  • #1722 crash in memory cache
  • #1724 Explicit null dereferenced
  • #1727 AD provider: getgrgid removes nested group memberships
  • #1728 Failure in memberof can lead to failed database update
  • #1730 Memory leak in new memcache initgr cleanup function
  • #1731 krb5 ticket renewal does not read the renewable tickets from cache
  • #1732 clarify the disadvantages of enumeration in sssd.conf
  • #1735 Failover to krb5_backup_kpasswd doesn't work
  • #1736 Smart refresh doesn't notice "defaults" addition with OpenLDAP
  • #1740 Incorrect principal searched for in keytab
  • #1754 wrong filter for autofs maps in sss_cache
  • #1757 memory cache is not updated after user is deleted from ldb cache
  • #1758 sssd fails to update to changes on autofs maps
  • #1760 Failover to ldap_chpass_backup_uri doesn't work
  • #1761 sssd_be crashes looking up members with groups outside the nesting limit
  • #1764 Modifications using sss_usermod tool are not reflected in memory cache
  • #1770 ipa-client-automount: autofs failed in s390x and ppc64 platform
  • #1773 SSSD should warn when pam_pwd_expiration_warning value is higher than passwordWarning LDAP attribute.
  • #1775 local provider: All member users are not returned on looking up top level parent group.
  • #1779 Rule mismatch isn't noticed before smart refresh on ppc64 and s390x
  • #1781 sssd: Out-of-bounds read flaws in autofs and ssh services responders
  • #1782 TOCTOU race conditions by copying and removing directory trees
  • #1783 Group lookup fails and takes ~60s to return to shell if member dn is incorrect
  • #1787 reset the release in upstream spec before releasing 1.9.4

Detailed Changelog

Jakub Hrozek (47):

  • Updating the version for the 1.9.4 release
  • SUDO: strdup the input variable
  • PAC: check the return value of diff_git_lists
  • SYSDB: Move misplaced assignment
  • LDAP: remove dead assignment
  • MEMBEROF: Fix copy-n-paste error
  • NSS: Fix the error handler in sss_mc_create_file
  • SYSDB: More debugging during the conversion to ghost users
  • MAN: Fix the title of sssd-sudo
  • MEMBEROF: silence compilation warnings
  • Set cloexec flag for log files
  • RESOLV: Do not steal the resulting hostent on error
  • SYSDB: fix copy-n-paste error
  • SYSDB: Add API to invalidate all map objects
  • DP: invalidate all cached maps if a request for auto.master comes in
  • AUTOFS: allow removing entries from hash table
  • AUTOFS: remove all maps from hash if request for auto.master comes in
  • RESPONDERS: Create a common file with service names and versions
  • AUTOFS: Clear enum cache if a request comes in from the sss_cache
  • Add responder_sbus.h to noinst_HEADERS
  • Free resources if fileno failed
  • Search for SHORTNAME$@REALM instead of fqdn$@REALM by default
  • Potential resource leak in sss_nss_mc_get_record
  • SYSDB: Remove duplicate selinux defines
  • SYSDB: Split a function to read all SELinux maps
  • SELINUX: Process maps even when offline
  • IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAP
  • AD: replace GID/UID, do not add another one
  • AD: Add user as a direct member of his primary group
  • TOOLS: move memcache related functions to tools_mc_utils.c
  • TOOLS: Split querying nss responder into a separate function
  • TOOLS: Provide a convenience function to refresh a list of groups
  • TOOLS: Refresh memcache after changes to local users and groups
  • LDAP: avoid complex realloc logic in save_rfc2307bis_group_memberships
  • autofs: Use SAFEALIGN_SET_UINT32 instead of SAFEALIGN_COPY_UINT32
  • NSS: invalidate memcache user entry on initgr, too
  • Invalidate user entry even if there are no groups
  • LDAP: Compare lists of DNs when saving autofs entries
  • TOOLS: invalidate parent groups in memory cache, too
  • Convert the value of pwd_exp_warning to seconds
  • TOOLS: Use openat/unlinkat when removing the homedir
  • TOOLS: Use file descriptor to avoid races when creating a home directory
  • SYSDB: make the sss_ldb_modify_permissive function public
  • SYSDB: Expire group if adding ghost users fails with EEXIST
  • MAN: Clarify that saving users after enumerating large domain might be CPU intensive
  • TOOLS: Compile on old platforms such as RHEL5
  • Updating the translations for the 1.9.4 release

Jan Cholasta (2):

  • SSH: Reject requests for authorized keys of root
  • Check that strings do not go beyond the end of the packet body in autofs and SSH requests.

Michal Zidek (4):

  • sssd_nss: Remove entries from memory cache if not found in sysdb
  • tools: sss_userdel and groupdel remove entries from memory cache
  • sss_cache: fqdn not accepted
  • sss_userdel and sss_groupdel with use_fully_qualified_names

Ondrej Kos (4):

  • PROXY: fix negative cache
  • PROXY: fix groups caching
  • LDAP: initialize refresh function handler
  • SYSDB: Modify ghosts in permissive mode

Pavel Březina (22):

  • sudo manpage: clarify that sudoHost may contain wildcards and not regular expression
  • let krb5_kpasswd failover work
  • sudo: don't get stuck in rules and smart refresh when offline
  • sysdb_get_sudo_user_info() initialize attrs on declaration
  • sudo: include primary group in user group list
  • sudo: support generalized time format
  • let ldap_chpass_uri failover work when using same hostname
  • try primary server after retry_timeout + 1 seconds when switching to backup
  • add sdap_sudo_schedule_refresh()
  • check dp error in sdap_sudo_full_refresh_done()
  • sudo: schedule another full refresh in short interval if the first fails
  • sudo: do full refresh when data provider is back online
  • let krb5_backup_kpasswd failover work
  • memcache: add macro that validates record length
  • explicit null dereferenced in sss_nss_mc_get_record()
  • memcache: make MC_PTR_TO_SLOT() more readable
  • sudo smart refresh: do not include usn in filter if no valid usn is known
  • sudo smart refresh: fix debug message
  • let ldap_backup_chpass_uri work
  • fix backend callbacks: remove callback properly from dlist
  • sudo responder: change num_rules type from size_t to uint32_t
  • nested groups: fix group lookup hangs if member dn is incorrect

Simo Sorce (12):

  • Add a macro to copy with barriers
  • Allow mmap calls to gracefully return absent ctx
  • sssd_pam: Cleanup requests cache on sbus reconnect
  • responder_dp: Add timeout to side requests
  • memberof: Prevent unneeded failure case
  • sssd_nss: Plug memory leaks
  • nss_mc: Add extra checks when dereferencing records
  • Update free table when records are invalidated.
  • Carefully check records when forcibly invalidating
  • mmap cache: invalidate cache on fatal error
  • Remove unused header
  • Fix invalidating autofs maps

Sumit Bose (18):

  • select_principal_from_keytab() look for plain input as well
  • select_principal_from_keytab() do wildcard lookups after specific ones
  • Fix a 'shadows a global declaration' warning
  • Add default section to switch statement
  • krb5 tgt renewal: fix usage of ldb_dn_get_component_val()
  • Use struct pac_grp instead of gid_t for groups from PAC
  • Add find_domain_by_id()
  • IDMAP: add sss_idmap_smb_sid_to_unix()
  • Update domain ID for local domain as well
  • Always get user data from PAC
  • Save domain and GID for groups from the configured domain
  • Remote groups do not have an original DN attribute
  • Read remote groups from PAC
  • Translate LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS to EEXIST
  • Use hash table to collect GIDs from PAC to avoid dups
  • Add tests for get_gids_from_pac()
  • PAC responder: check if existing user differs
  • Refactor gid handling in the PAC responder