URL: https://github.com/SSSD/sssd/pull/624
Author: stanislavlevin
Title: #624: Fix "test-find-uid" and "find_uid-tests" tests
Action: opened
PR body:
"""
Handle a "hidepid=1" mount option for procfs. One of the effects is that this
option makes non-own pid subdirectories on /proc inaccessible.
Resolves:
https://pagure.io/SSSD/sssd/issue/3789
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/624/head:pr624
git checkout pr624
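An added example, in C and not part of the pull request, of the two things a /proc walker such as the find_uid test needs under hidepid: detecting the option from /proc/self/mountinfo and treating the inaccessible pid directories of other users as skipped rather than as a failure. The function names are my own, not SSSD's.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one /proc/self/mountinfo line. Returns the hidepid level for a procfs
 * mount (0 when the option is absent) and -1 for any other filesystem. Super
 * options follow " - ", e.g. "- proc proc rw,hidepid=2"; kernels since 5.8
 * also accept the words off/noaccess/invisible/ptraceable. */
int proc_hidepid_level(const char *mountinfo_line)
{
    const char *sep = strstr(mountinfo_line, " - ");
    char fstype[16] = {0};
    if (sep == NULL || sscanf(sep + 3, "%15s", fstype) != 1 ||
        strcmp(fstype, "proc") != 0) {
        return -1;
    }
    const char *opt = strstr(sep, "hidepid=");
    if (opt == NULL) return 0;
    opt += strlen("hidepid=");
    if (strncmp(opt, "noaccess", 8) == 0) return 1;
    if (strncmp(opt, "invisible", 9) == 0) return 2;
    if (strncmp(opt, "ptraceable", 10) == 0) return 4;
    return atoi(opt);            /* "0", "1", "2", "4"; "off" also yields 0 */
}

/* Walk /proc and open each pid's status file, the way a uid finder does.
 * hidepid=1 still lists other users' pid directories but refuses to open
 * anything inside them (EACCES); hidepid=2 omits them entirely. Both cases
 * are counted as skipped; only unexpected errors are reported to the caller. */
int scan_proc_pids(int *readable, int *skipped)
{
    DIR *d = opendir("/proc");
    if (d == NULL) return errno;
    *readable = *skipped = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        char path[64];
        FILE *f;
        if (e->d_name[0] < '1' || e->d_name[0] > '9') continue;  /* not a pid */
        snprintf(path, sizeof path, "/proc/%s/status", e->d_name);
        f = fopen(path, "r");
        if (f == NULL) {
            if (errno == EACCES || errno == EPERM || errno == ENOENT) {
                (*skipped)++;    /* hidden by hidepid, or the process exited */
                continue;
            }
            closedir(d);
            return errno;
        }
        fclose(f);
        (*readable)++;
    }
    closedir(d);
    return 0;
}
```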
SSSD 1.16.3
===========
The SSSD team is proud to announce the release of version 1.16.3 of the System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New Features
^^^^^^^^^^^^
* The ``kdcinfo`` files that SSSD uses to inform libkrb5 about which KDCs
were discovered for a Kerberos realm used to be only generated for the
joined domain, not the trusted domains. Starting with this release, the
``kdcinfo`` files are generated automatically also for trusted domains in
setups that use ``id_provider=ad`` and IPA masters in a trust relationship
with an AD domain.
* The SSSD Kerberos locator plugin, which processes the kdcinfo files and
actually tells libkrb5 about the available KDCs, can now process multiple
addresses if SSSD generates more than one. At the moment, this feature
is only used on IPA clients (see below). Please see the
``sssd_krb5_locator_plugin(8)`` manual page for more information about
the Kerberos locator plugin.
* On IPA clients, the AD DCs or the AD site which should be used to
authenticate users can now be listed in a subdomain section. Please
see `the feature design page <https://docs.pagure.org/SSSD.sssd/design_pages/kdcinfo_improvements.html>`_
or the section "trusted domains configuration" for more details.
Notable bug fixes
^^^^^^^^^^^^^^^^^
* SECURITY: The permissions on ``/var/lib/sss/pipes/sudo`` were set
so that anyone could read anyone else's sudo rules. This was considered
an information leak and assigned CVE-2018-10852 (#3766)
* IMPORTANT: The 1.16.2 release was storing the cached passwords without
a salt prefix string. This bug was fixed in this release, but any
password hashes generated by 1.16.2 are incompatible with the hashes
generated by 1.16.3. The effect is that the upgrade from 1.16.2 to 1.16.3
should be done when the authentication server is reachable so that the
first authentication after the upgrade fixes the cached password.
* The ``sss_ssh`` process leaked file descriptors when converting more than
one x509 certificate to SSH public keys (#3794)
* SSSD, when configured with ``id_provider=ad``, was using a too expensive
LDAP search to find out whether the required POSIX attributes
were replicated to the Global Catalog. Instead, SSSD now consults
the Partial Attribute Set, which is much more efficient (#3755)
* The PAC responder is now able to process Domain Local groups in case the
PAC uses SID compression. Typically this is the case with Windows Server
2012 and newer (#3767)
* Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would
close the pipe towards ``sss_ssh_authorizedkeys`` when the matching
key is found before the rest of the output is read. The
``sss_ssh_authorizedkeys`` helper was not handling this behaviour
well and would exit with SIGPIPE, which also meant the public key
authentication failed (#3747)
* User lookups no longer fail if a user's e-mail address conflicts with
another user's fully qualified name (#3607)
* The ``override_shell`` and ``override_homedir`` options are no longer
applied to entries from the files domain. (#3758)
* Several bugs related to the FleetCommander integration were fixed (#3773,
#3774)
* The grace logins with an expired password when authenticating against
certain newer versions of the 389DS/RHDS LDAP server did not work (#3597)
* Whitespace around netgroup triple separator is now stripped
* The ``sss_ssh_knownhostsproxy`` utility can now print the host key without
proxying the connection.
* Due to an overly restrictive check, the fast in-memory cache was sometimes
skipped, which caused a high load on the ``sssd_nss`` process (#3776).
Packaging Changes
-----------------
* The python2 bindings are not built by default on Fedora 29 or newer
* The sssd-secrets responder is now packaged in the sssd-kcm subpackage
and might be removed in a future release
Documentation Changes
---------------------
* ``sss_ssh_knownhostsproxy`` has a new option ``-k/--print``.
Tickets Fixed
-------------
* `3796 <https://pagure.io/SSSD/sssd/issue/3796>`_ - The IPA selinux provider can return an error if SELinux is completely disabled
* `3794 <https://pagure.io/SSSD/sssd/issue/3794>`_ - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key
* `3791 <https://pagure.io/SSSD/sssd/issue/3791>`_ - The cached password does not store the salt prefix
* `3778 <https://pagure.io/SSSD/sssd/issue/3778>`_ - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails
* `3777 <https://pagure.io/SSSD/sssd/issue/3777>`_ - If access check for a privileged pipe fails, the responder loops indefinitely
* `3776 <https://pagure.io/SSSD/sssd/issue/3776>`_ - Spurious check in the sssd nss memcache can cause the memory cache to be skipped
* `3774 <https://pagure.io/SSSD/sssd/issue/3774>`_ - Desktop Profile: The 10th policy is producing a wrong file name
* `3773 <https://pagure.io/SSSD/sssd/issue/3773>`_ - SSSD bails out saving desktop profiles in case an invalid profile is found
* `3767 <https://pagure.io/SSSD/sssd/issue/3767>`_ - Groups go missing with PAC enabled in sssd
* `3766 <https://pagure.io/SSSD/sssd/issue/3766>`_ - CVE-2018-10852: information leak from the sssd-sudo responder
* `3758 <https://pagure.io/SSSD/sssd/issue/3758>`_ - override_homedir should not apply to the files provider
* `3755 <https://pagure.io/SSSD/sssd/issue/3755>`_ - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers
* `3754 <https://pagure.io/SSSD/sssd/issue/3754>`_ - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries
* `3747 <https://pagure.io/SSSD/sssd/issue/3747>`_ - sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys
* `3652 <https://pagure.io/SSSD/sssd/issue/3652>`_ - kdcinfo doesn't get populated for other domains
* `3607 <https://pagure.io/SSSD/sssd/issue/3607>`_ - Handle conflicting e-mail addresses more gracefully
* `3597 <https://pagure.io/SSSD/sssd/issue/3597>`_ - sssd doesn't allow user with expired password to login when PasswordgraceLimit set
* `3596 <https://pagure.io/SSSD/sssd/issue/3596>`_ - A combination of the same qualified and unqualified sudoUser causes Error: 17: File exists
* `3542 <https://pagure.io/SSSD/sssd/issue/3542>`_ - Get host key without proxying connection
* `3475 <https://pagure.io/SSSD/sssd/issue/3475>`_ - Full information regarding priority of lookup of principal in keytab not in man page
* `3291 <https://pagure.io/SSSD/sssd/issue/3291>`_ - RFE: sssd in cross realm trust configuration should be use AD KDC from a list or site defined in the config file
Detailed Changelog
------------------
* Alexander Bokovoy (2):
* ipa provider: always use a special keytab to talk to a trusted DC
* ipa provider: expand search base to cover trusted domain objects
* Alexey Sheplyakov (1):
* nss: skip incomplete groups instead of bailing out
* Amit Kumar (1):
* Responder: simplify if-else structure in sss_dp_get_account_msg()
* Fabiano Fidêncio (18):
* intg: Do not hardcode nsslibdir
* files: do not apply override_homedir to files provider
* tests: add override_homedir tests for files provider
* files: do not apply override_shell to files provider
* tests: add override_shell tests for files provider
* util: add is_files_provider() helper
* files: make use of is_files_provider() helper
* cache_req: keep the files provider as the first domain to be searched
* tests: add basic tests for cache_req_domain_new_list_from_domain_resolution_order()
* tests: add a test to ensure the output_fqnames is false for files provider
* deskprofile: don't bail if we fail to save one profile
* sdap: respect passwordGracelimit
* deskprofile: fix a typo in _get_filename_path()
* tests: add tests for ipa_deskprofile_get_filename_path()
* util: introduce sss_ssh_print_pubkey()
* ssh: make use of sss_ssh_print_pubkey()
* sss_ssh_knownhostsproxy: add option to only print the pubkey
* nss: remove unused label
* Jakub Hrozek (38):
* Bumping the version to track the 1.16.3 development
* TESTS: Extend the schema with sshPublicKey attribute
* TESTS: Allow adding sshPublicKey for users
* TESTS: Add a basic SSH responder test
* SSH: Do not exit abruptly if SSHD closes its end of the pipe before reading all the SSH keys
* TESTS: Add a helper binary that can trigger the SIGPIPE to authorizedkeys
* TESTS: Add a regression test for SIGHUP handling in sss_ssh_authorizedkeys
* Revert "LDAP/IPA: add local email address to aliases"
* util: Remove the unused function is_email_from_domain
* TESTS: Allow storing e-mail address for users
* TESTS: Add regression test for looking up users with conflicting e-mail addresses
* AD/LDAP: Do not misuse the ignore_mark_offline to check if a connection needs to be checked for POSIX attribute presence
* MAN: Remove outdated notes from the re_expression description
* MAN: Document the re_expression needed to support @-signs in the groupnames
* SUDO: Create the socket with stricter permissions
* AD: expose the helper function to format the site DNS query
* RESOLV: Add a resolv_hostport_list request
* KRB5/IPA/AD: Add a utility function to create a krb5_service instance
* KRB5: Allow writing multiple addresses to the kdcinfo plugin
* IPA: Add the options that the IPA subdomains code will read for trusted domains on the client
* IPA: Populate kdcinfo files on trust clients with configured AD servers
* MAN: Document the options available for AD trusted domains
* SDAP: Detect schemaNamingContext from the rootDSE
* AD: Add Global Catalog usability check in subdomain code by looking at the schema
* AD: Remove the legacy check from ad_get_account_domain_posix_check request
* LDAP/AD: Remove the legacy POSIX check from user, group and enumeration searches
* LDAP: Remove the legacy POSIX check itself
* sudo testcli: Use hand-crafted JSON for output so that the test CLI is usable in tests
* TESTS: Load the sudo schema in the default OpenLDAP test instance and create ou=sudoers
* TESTS: Add API to add sudo rules in tests
* TESTS: Add a simple sudo LDAP test
* SUDO: Don't save duplicates when saving qualified names
* crypto: Silence a Coverity warning in OpenSSL version of sss_hmac_sha1()
* crypto: Make one condition more defensive in NSS version of sss_hmac_sha1()
* SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries
* RESP: Terminate client connection if the permissions check on the priv pipe fails
* SELINUX: Also call is_selinux_enabled as a check for selinux child
* P11: Don't return int failure from a bool function
* Josef Cejka (1):
* Strip whitespaces in netgroup triple.
* Lukas Slebodnik (15):
* sss_seed: Remove unused parameter from seed_domain_user_info
* SUDO: Fix running in unprivileged responder
* SUDO: Root should be able to read/write sssd-sudo socket
* SPEC: Drop unnecessary check for minor version of el7
* test_ssh_client: Do not ignore failure from read
* SPEC: Move openssl deps away from unit tests deps
* PYTHON: Avoid warnings with python3.7
* SPEC: Move secrets responder to the package sssd-kcm
* SPEC: Do not build python2 bindings on latest distros
* BUILD: Replace also runstatedir in templates
* SYSTEMD: Allow to use "/run" in ListenStream
* Revert "Revert "CRYPTO: Suppress warning Wstringop-truncation""
* CRYPTO: Save prefix in s3crypt_sha512
* crypto-tests: Add unit test for s3crypt_sha512
* SSS_CERT: Close file descriptors after executing p11_child
* Michal Židek (1):
* Revert "CRYPTO: Suppress warning Wstringop-truncation"
* Stanislav Levin (1):
* Fix "test-find-uid" and "find_uid-tests" tests
* Sumit Bose (14):
* krb5 locator: add support for multiple addresses
* krb5 locator: fix IPv6 support
* krb5 locator: make plugin more robust
* krb5 locator: add unit tests
* AD/IPA: Create kdcinfo file for sub-domains
* krb5: refactor removal of krb5info files
* krb5_common: add callback only once
* data provider: run offline callbacks only once
* utils: add libsss_child dependency to libsss_cert
* AD: consider resource_groups in PAC as well
* utils: make create_ipa_preauth_indicator() public as create_preauth_indicator()
* PAM: create pre-auth indicator file
* MC: Remove check if record is in the mapped address space
* tests: fix sss_nss_idmap-tests
* amitkumar50 (1):
* MAN: Give information regarding priority of ldap lookup
URL: https://github.com/SSSD/sssd/pull/630
Title: #630: KCM/SECRETS: Use a library to access the secrets storage instead of the secrets responder, deprecate secrets responder
Label: +postponed until sssd 2.0
URL: https://github.com/SSSD/sssd/pull/630
Title: #630: KCM/SECRETS: Use a library to access the secrets storage instead of the secrets responder, deprecate secrets responder
jhrozek commented:
"""
Thank you, I merged your patch. I also changed the patch that fixes to libsecrets by default, this is the diff:
```
diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index 78d3551d4..ec27aa57b 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -121,17 +121,9 @@ systemctl enable sssd-kcm.socket
<refsect1 id='storage'>
<title>THE CREDENTIAL CACHE STORAGE</title>
<para>
- The credential caches are stored in the SSSD secrets service (see
- <citerefentry>
- <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>
- for more details). Therefore it is important that also the sssd-secrets
- service is enabled and its socket is started:
- <programlisting>
-systemctl start sssd-secrets.socket
-systemctl enable sssd-secrets.socket
- </programlisting>
- Your distribution should already set the dependencies between the services.
+ The credential caches are stored in a database, much like SSSD
+ caches user or group entries. The database is typically
+ located at <quote>/var/lib/sss/secrets</quote>.
</para>
</refsect1>
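Review bot: the replacement paragraph takes away the one thing the deleted text gave the reader, a place to look for details, and `<quote>/var/lib/sss/secrets</quote>` hedged with "typically" does not say what determines the location; state whether the path is a build-time directory or a configurable option, and, since this database now holds the credential caches directly rather than behind the sssd-secrets service, state the owner and permissions an administrator should expect to see on it. Minor: DocBook's `<filename>` element is the conventional markup for a path, whereas `<quote>` renders it as quoted prose.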
```
"""
See the full comment at https://github.com/SSSD/sssd/pull/630#issuecomment-412364601
URL: https://github.com/SSSD/sssd/pull/631
Author: fidencio
Title: #631: nss: remove unused label
Action: opened
PR body:
"""
After 4937f2c6, Sumit noticed the following warning/breakage:
make[2]: Leaving directory '/home/sbose/sssd/master_build/src/man'
Making check in .
make[2]: Entering directory '/home/sbose/sssd/master_build'
CC src/responder/nss/nss_protocol_grent.o
../src/responder/nss/nss_protocol_grent.c: In function 'nss_protocol_fill_initgr':
../src/responder/nss/nss_protocol_grent.c:409:1: error: label 'done' defined but not used [-Werror=unused-label]
done:
^~~~
cc1: all warnings being treated as errors
Makefile:17808: recipe for target 'src/responder/nss/nss_protocol_grent.o' failed
make[2]: *** [src/responder/nss/nss_protocol_grent.o] Error 1
make[2]: Leaving directory '/home/sbose/sssd/master_build'
Signed-off-by: Fabiano Fidêncio <fidencio(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/631/head:pr631
git checkout pr631
URL: https://github.com/SSSD/sssd/pull/634
Author: jhrozek
Title: #634: P11: Don't return int failure from a bool function
Action: opened
PR body:
"""
The functions return bool as per their prototype, but returning EINVAL on
failure meant that EINVAL (typically 22) was converted to 'true', so a
certificate that was not processable was considered valid.
Luckily this code only converts certificates into SSH public keys, so there
are no security implications.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/634/head:pr634
git checkout pr634
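The defect described above, as an added illustration in C that is not part of the pull request: a function declared `bool` that returns `EINVAL` on failure is silently converted to `true`. The certificate check here is a constructed stand-in that only inspects the DER SEQUENCE tag, not SSSD's p11 code, and the function names are my own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a real parser: a DER certificate starts with a
 * SEQUENCE tag (0x30). Anything else is treated as "not processable". */
static bool der_header_ok(const uint8_t *buf, size_t len)
{
    return buf != NULL && len >= 2 && buf[0] == 0x30;
}

/* The buggy pattern: declared bool, but returns an errno value on failure.
 * EINVAL (22 on Linux) is non-zero, so the implicit conversion to _Bool
 * yields true and the caller treats an unparsable certificate as valid. */
bool cert_usable_buggy(const uint8_t *buf, size_t len)
{
    if (!der_header_ok(buf, len)) {
        return EINVAL;               /* BUG: becomes 'true' */
    }
    return true;
}

/* The fixed pattern: a bool function signals failure with false, nothing else. */
bool cert_usable_fixed(const uint8_t *buf, size_t len)
{
    return der_header_ok(buf, len);
}

/* If the caller also needs the reason, keep the error code in the return
 * value and pass the verdict out through a parameter instead of mixing them. */
int cert_usable_errno(const uint8_t *buf, size_t len, bool *usable)
{
    if (buf == NULL || usable == NULL) {
        return EINVAL;
    }
    *usable = der_header_ok(buf, len);
    return 0;
}

int main(void)
{
    const uint8_t junk[] = "not a certificate";   /* constructed input */
    printf("buggy=%d fixed=%d\n",
           cert_usable_buggy(junk, sizeof junk),
           cert_usable_fixed(junk, sizeof junk));  /* buggy=1 fixed=0 */
    return 0;
}
```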
URL: https://github.com/SSSD/sssd/pull/632
Author: sumit-bose
Title: #632: tests: fix sss_nss_idmap-tests
Action: opened
PR body:
"""
If sss_nss_idmap-tests is compiled with -Wl,-Bsymbolic-functions it
fails because sss_nss_make_request_timeout() is not properly wrapped but
the test expects that the replacement call it provides is picked by the
linker and not the original function.
This patch wraps the call in the corresponding test library. As a
consequence a small helper function had to be added to make dlopen-tests
pass for the test library as well.
Resolves https://pagure.io/SSSD/sssd/issue/3801
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/632/head:pr632
git checkout pr632
URL: https://github.com/SSSD/sssd/pull/633
Author: pbrezina
Title: #633: nss_protocol_fill_initgr: fix label ‘done’ defined but not used
Action: opened
PR body:
"""
CC src/responder/nss/nss_protocol_netgr.o
/home/pbrezina/workspace/sssd/src/responder/nss/nss_protocol_grent.c: In function ‘nss_protocol_fill_initgr’:
/home/pbrezina/workspace/sssd/src/responder/nss/nss_protocol_grent.c:409:1: error: label ‘done’ defined but not used [-Werror=unused-label]
done:
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/633/head:pr633
git checkout pr633