There was a logic bug in sysdb_search_selinux_usermap_by_username that
resulted in returning the value the variable "ret" had after the last call
to sysdb_attrs_get_uint32_t, which, in cases where the last rule processed did
not have the requested attributes, led to using the default user context.
I think this would fix the strange bug Rob was seeing yesterday, but I
still need to verify that.
If override_shell is specified in the [nss] section, all users
managed by SSSD will have their shell set to this value. If it is
specified in the [domain/DOMAINNAME] section, it will apply to
only that domain (and override the [nss] value, if any).
This is the first half of the work necessary to resolve
This patch largely rewrites the Kerberos locator plugin so that it can
parse kdcinfo files containing multiple servers (one per line, with
optional port). These patches are testable by manually
(or /var/lib/sss/pubconf/kpasswdinfo.REALM, as appropriate). They are
also fully backwards-compatible.
I will be working on and sending the KRB5 provider side of things after
this, but since these are ready, manually testable and
backwards-compatible, it seemed prudent to send them for review in
Patch 0001: Convert memory allocation functions to use talloc. There's
no reason to avoid this dependency, and it will make subsequent patches
Patch 0002: Create a structure for holding address and port information
(with linked-list semantics)
Patch 0003: Rewrite the kdcinfo parser so that it supports multiple
entries, one per line. It ignores blank lines.
Patch 0004: Modify the sssd_krb5_locator_lookup() function to send
repeated calls to the cbfunc() callback, providing all of the
kdcinfo-specified servers as values. Clients using libkrb5 will
transparently try all of the provided servers until finding one that
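Taking the kdcinfo format described above (one server per line, optional port, blank lines ignored) as an added example that is not SSSD's own code: a parser that builds the address/port linked list of Patch 0002 and 0003, plus a check helper. The colon as host/port separator, the type and function names, and the sample file contents are assumptions of this example. A lookup wrapper in the style of Patch 0004 would walk the returned list and invoke its callback once per entry.

```c
#include <stdlib.h>
#include <string.h>

/* One kdcinfo entry with linked-list semantics; port 0 means "not given". */
struct kdc_entry { char host[256]; int port; struct kdc_entry *next; };

/* Constructed sample kdcinfo contents (not a real file): three servers, two
 * with a port, separated by an empty line and a whitespace-only line. */
static const char *SAMPLE_KDCINFO =
    "kdc1.example.test:88\n\nkdc2.example.test\n   \nkdc3.example.test:750\n";

/* Parse "host[:port]" lines (the colon separator is an assumption of this
 * example); blank lines are ignored. Returns entries in file order. */
struct kdc_entry *parse_kdcinfo(const char *buf)
{
    struct kdc_entry *head = NULL, **tail = &head;
    for (const char *p = buf; *p != '\0';) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        while (len > 0 && strchr(" \t\r", p[len - 1])) len--; /* trim end */
        if (len > 0) {
            struct kdc_entry *e = calloc(1, sizeof(*e));
            if (e == NULL) break;
            const char *colon = memchr(p, ':', len);
            size_t hlen = colon ? (size_t)(colon - p) : len;
            if (hlen >= sizeof(e->host)) hlen = sizeof(e->host) - 1;
            memcpy(e->host, p, hlen);
            e->host[hlen] = '\0';
            if (colon) e->port = atoi(colon + 1); /* atoi stops at '\n' */
            *tail = e;
            tail = &e->next;
        }
        if (eol == NULL) break;
        p = eol + 1;
    }
    return head;
}

void free_kdcinfo(struct kdc_entry *e)
{ while (e) { struct kdc_entry *n = e->next; free(e); e = n; } }

/* Check helper: port of the n-th (0-based) parsed entry, or -1 past the end. */
int kdcinfo_nth_port(const char *buf, int n)
{
    struct kdc_entry *head = parse_kdcinfo(buf), *e = head;
    while (e && n-- > 0) e = e->next;
    int port = e ? e->port : -1;
    free_kdcinfo(head);
    return port;
}
```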
The SSSD team is proud to announce the fifth of six preview releases of
version 1.9 of the System Security Services Daemon.
Beta 6 will be released on July 31st and will contain a new tool for
"seeding" accounts with a temporary password for sending machines to
remotees as well as introducing a concept of primary vs. secondary
After Beta 6, no new features will be added to SSSD 1.9.0 and we will
focus on stability and our backlog of bugfixes until the final release
around September 1st. We will most likely issue a series of release
candidate builds prior to that, but these have not yet been scheduled.
As always, you can download the latest sources at
== Highlights ==
* Many fixes for the support for setting default SELinux user context
from FreeIPA, most notably fixed the specificity evaluation
* Fixed an incorrect default in the krb5_canonicalize option of the AD
provider which was preventing the password change operation
* The shadowLastChange attribute value is now correctly updated with the
number of days since the Epoch, not seconds
== Tickets Fixed ==
format of file for pam_selinux is incorrect
Possible use of uninitialized values
SELinux rule matching ignores specificity requirement
Several unowned directories
sssd incorrectly sets shadowLastChange in seconds not days
selinux rules are never deleted from sysdb
When ldap_sasl_minssf is assigned large values, an appropriate error message should be logged in the sssd_DOMAIN log
== Detailed Changelog ==
Jakub Hrozek (9):
* Bumping version to 1.9.0 beta 5
* Add newline to DEBUG messages
* RPM: Own several directories
* Add missing "%" to specfile
* IPA: Download defaults even if there are no SELinux mappings
* SYSDB: Delete SELinux mappings
* IPA: Return and save all SELinux rules in the provider
* PAM: Fix off-by-one-error in the SELinux session code
* Update translations for 1.9.0 beta 5 release
Jan Vcelak (1):
* LDAP: Properly cast type for MINSSF value
Jan Zeleny (3):
* Fixed wrong number in shadowLastChange
* Add function sysdb_attrs_copy_values()
* Modify priority evaluation in SELinux user maps
Michal Zidek (2):
* Fixed: Unchecked return value from dp_opt_set_int.
* Fixed: Uninitialized value in krb5_child-test if ccname was specified.
Nick Guay (1):
* Fix uninitialized values
Pavel Březina (2):
* resolv_gethostbyname_send: strdup hostname to work properly when hostname is allocated on stack
* sudo test client: avoid SIGSEGV when run without arguments
Stephen Gallagher (2):
* AD: Add missing DP option terminator
* AD: Fix defaults for krb5_canonicalize
Yuri Chornoivan (1):
* Fix typo: exhasution->exhaustion.
The AD provider cannot function with canonicalization because of
a bug in Active Directory rendering it unable to complete a
password-change while canonicalization is enabled.
I had set the default properly in the LDAP options, but forgot to set it
the same in the Kerberos options, resulting in unpredictable (and bad)
This changes both versions to specify BOOL_FALSE for the default. The
last option on the dp_options structure is ignored for booleans, but I
changed it to BOOL_FALSE as well, just for consistency.