One of the issues reported in
https://bugzilla.redhat.com/show_bug.cgi?id=975001 is a core dump in the
PAC responder. I thought that I could find missing results by checking for
ENOENT, which is wrong in this case. This patch properly checks the
number of results.
I solved ticket #1929 and then immediately hit another one, #1947 (BZ967004).
It seems that the reporter from the second ticket was lucky and did not hit the first one.
Use the meta server if there isn't another server after meta.
The same behaviour is in the "done" section, if the return code is not OK.
Patch is attached.
While working on one issue, I created a clean minimal Fedora virtual
machine, and while installing the dependencies for building SSSD (from
BUILD.txt), I noticed it misses the *samba-devel* package. A simple patch
adding this to the build info is attached.
Associate Software Engineer
Identity Management - SSSD
Red Hat Czech
Community member John Hodrien reported two serious issues in nested groups, one of which was created by my previous patch. Both involve dereference.
1) See the commit message. This one was introduced in my previous patch.
2) When the dereferenced member attribute contains a group that is present and valid in the cache, we corrupt the heap by writing behind the allocated memory. I believe this is the original source of the bug reported in .
John confirmed that the issue is gone. Thank you.
=== SSSD 1.10 Beta 2 ===
The SSSD team is proud to announce the second beta release of version 1.10
of the System Security Services Daemon.
This beta release includes the rest of the new features planned for 1.10. The
features are mostly targeted at better integration with Microsoft Active
As always, the source is available from https://fedorahosted.org/sssd.
RPM packages will be made available for Fedora 19 and rawhide shortly.
With this release, the 1.10 version is considered feature complete and
the strings are frozen. We will release the final 1.10.0 version once we
fix all the known crashes and regressions. The 1.10.0 release is
tentatively scheduled for the end of this week. Because the short period
between this beta and the final release would not allow the translators
to provide updated translations, the strings will remain frozen even for
the 1.10.1 release.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
== Highlights ==
* The Active Directory provider now includes support for retrieving
identity information and authentication as users from trusted domains
in the same forest. The SSSD looks up the information using the Global
Catalog. Currently this feature is only supported when the SSSD is
connected to the forest root.
* The group memberships for Active Directory users are read from the PAC
during login. If the PAC is not available (such as when group membership
is requested for a user who has never logged in), the SSSD falls back to
* The Active Directory provider is able to autodiscover the NetBIOS
(flat) name of the domain it connects to. The NetBIOS name is discovered
automatically on startup.
* The full_name_format option now accepts a new parameter that expands
to the NetBIOS name of the domain
* The new krb5_use_kdcinfo option allows the administrator to disable the
Kerberos locator plugin and rely on information read from the krb5.conf
* A new option ldap_disable_range_retrieval was added. Switching this
option to True skips large Active Directory groups that might otherwise
take a long time to download and process.
* A new option refresh_expired_interval was added. This option allows the
administrator to configure a background task that automatically refreshes
entries that are nearing their expiration time. In this release, only
refreshing netgroups is implemented.
== Packaging Changes ==
* The Makefile has been amended so that it no longer uses overlinking
which is disabled by default on some distributions (such as Debian and
* The upstream RPM specfile now packages each provider separately. The SSSD
daemon and the responders are now included in the sssd-common package,
while the sssd package has become a "meta package" that Requires all the
existing providers for backwards compatibility.
* The libsss_sudo and libsss_autofs libraries are now part of the
== Tickets Fixed ==
Split providers into their own subpackages
Use hardened flags for building RPMs
Copy-n-paste error in AD provider
Add a new option to disable the Kerberos locator plugin completely
[RFE] Add a task to the SSSD to periodically refresh cached entries
unite periodic refresh API
ldap_access_order improvements (man page fix)
Dereference after a NULL check in tests/common_dom.c
Dereference before NULL check in nscd.c
Non-fatal errors looking up trusted domains with IPA back end
move libsss_sudo and libsss_autofs back into the main sssd package
[RFE] Recognize trusted domains in AD provider
[RFE] Use the Global Catalog in SSSD for the AD provider
[RFE] Use MS-PAC to retrieve user's group list
NetBIOS domain name should be read at startup
Junk character in sssd_domain.log for domain string when sssd tries to go online from offline mode
Libtool fails to find dependent libraries
segfault while processing ASQ request
MAN: Make it clear which address is used to update DNS records
Fully qualified account names form should be able to use flatname in the fq format
Crash with negative values in ldap_idmap_range_size
getgrnam / getgrgid for large user groups is too slow due to range retrieval functionality
Provide a script to create a SRPM without having to run configure
NSCD warning is irritating
sssd crashes if junk is present in sssd.conf
Rename or alias the SAFEALIGN macros
Clarify the AD site discovery in sssd-ad man page
Login failure: Enterprise Principal enabled by default for AD Provider
pysss_nss_idmap: Support also Unicode strings and return them by default
sssd_be crashes when looking up users in the LDAP provider with ID mapping
Clarify that AD DNS updates are performed using GSS-TSIG
Turn on dyndns updates by default in the AD provider
SUDO is not working for users from trusted AD domain
[RFE] AD: Should be able to log in as long or short domains
== Detailed Changelog ==
Jakub Hrozek (45):
* Update the version for the 1.10 beta2 release
* Actually use the index parameter in resolv_get_sockaddr_address_index
* Fix a typo in sssd-ad man page
* tests: Do not set cwd twice
* Enable the AD dynamic DNS updates by default
* man: Clarify that AD dyndns updates are secured using GSS-TSIG
* LDAP: Always initialize idmap object
* Re-add a useful DEBUG message
* man: Clarify the AD site discovery documentation
* man: Note that IPA updates are secured with GSS-TSIG
* Remove unneeded parameter of setup_child and namespace it
* Fix dyndns timer initialization
* IPA: Check for ENOMEM
* Remove unneeded comment
* FO: Fix setting status of duplicates
* AD dyndns: extract the host name from URI
* Add utility functions for formatting fully-qualified names
* Check the validity of FQname format prior to using it
* Allow flat name in the FQname format
* Remove branching to improve readability
* tests: Link fqnames_tests with libsss_test_common.la
* Do not obfuscate calls with booleans
* LDAP: sdap_id_ctx might contain several connections
* LDAP: Refactor account info handler into a tevent request
* LDAP: Pass in a connection to ID functions
* LDAP: new SDAP domain structure
* LDAP: return sdap search return code to ID
* Move domain_to_basedn outside IPA subtree
* New utility function sss_get_domain_name
* LDAP: split a function to create search bases
* LDAP: store FQDNs for trusted users and groups
* Split generating primary GID for ID mapped users into a separate function
* LDAP: Do not store separate GID for subdomain users
* AD: Add additional service to support Global Catalog lookups
* AD ID lookups - choose GC or LDAP as appropriate
* AD: Store trusted AD domains as subdomains
* rpm: Fold libsss_sudo and libsss_autofs back into the main SSSD package
* dyndns: Fix NULL check
* man: document the need to set ldap_access_order
* A new option krb5_use_kdcinfo
* Fix allocation check in the AD provider
* rpm: Use hardened flags for RPM build
* rpm: Split providers into separate subpackages
* Update transifex URL to transifex.com
* Updating translations for the 1.10 beta2 release
Jan Cholasta (4):
* UTIL: Add function sss_names_init_from_args
* SSH: Fix parsing of names from client requests
* SSH: Use separate field for domain name in client requests
* SSH: Do not skip domains with use_fully_qualified_names in host key requests
Lukas Slebodnik (13):
* Fixes compilation without selinux.
* Fix broken build with selinux.
* Fix segfault in AD Subdomains Module
* Fixing critical format string issues.
* Adding script to create a SRPM
* Removing unused functions.
* Adding option to disable retrieving large AD groups.
* Making order in tests.
* Remove empty directories after tests run.
* Prevent segfault while processing ASQ request
* Fix compilation with disabled link_all_deplibs.
* Use deep copy for dns_domain and discovery_domain
* Fix dereference after a NULL check in tests.
Michal Zidek (1):
* Rename SAFEALIGN macros.
Ondrej Kos (8):
* Fix segfault in DYNDNS
* DB: Fix segfault when configuration file cannot be parsed
* Move nscd.c from tools to util
* Check NSCD configuration file
* Fail with misconfigured id-mapping ranges
* MAN: state default dyndns interface
* DB: Don't add invalid ranges
* Don't test for NULL in nscd config check
Pavel Březina (5):
* sudo responder: search rules for subdomains in parent domain subtree
* back end: periodic task API
* back end: periodical refresh of expired records API
* back end: add refresh expired records periodic task
* providers: refresh expired netgroups
Stef Walter (1):
* Add a domain config attribute for realmd
Stephen Gallagher (2):
* Remove old hash support from example spec
* Add 'description' attribute to SSSDConfig API
Sumit Bose (21):
* AD: read flat name and SID of the AD domain
* Add missing \n to debug string
* Fix missing initialization in Python bindings for libsss_nss_idmap
* Add support for tuples and unicode pysss_nss_idmap.so
* Always update cached upn if enterprise principals are used
* Fix return code for AD subdomain request
* pysss_nss_idmap: do not treat strings as sequences
* IPA: Always initialize ID mapping
* Handle SID strings in sdap_attrs_get_sid_str() as well
* IPA: read user and group SID
* Add SID related requests to the LDAP provider
* Set canonicalize flag if enterprise principals are used
* Lookup domains at startup
* Add be request queue
* Use queue for get_subdomains
* Read SIDs of groups with sysdb_initgroups() as well
* Enhance PAC responder for AD users
* Intermittent fix for get_user_and_group_users_done
* Always send the PAC to the PAC responder
* Implicitly activate the PAC responder for AD provider
* Fix some doxygen warnings
Yuri Chornoivan (1):
* Fix minor typos
group-1 -> group-2 -> enough groups that it triggers AD range retrieval
getent group group-1
I used 3000 groups and 1500 users.
There is only one member in group-1, so it is processed in a single step.
AD will return a maximum of 1500 values per attribute by default, so we
allocate space for 1500 groups. Then ASQ is called and returns 4500
members, so we end up writing after the allocated space.
Normally, we split the members into users, groups and unknown objects and
allocate space for groups + unknown. But I don't think it is necessary
to do the split here again. We allocate potentially more space than
required and then shrink it to the correct size.