Hi,
below are the 1.16.0 release notes in the RST format. Please feel free to
provide feedback.
SSSD 1.16.0
===========
Highlights
----------
Security fixes
^^^^^^^^^^^^^^
* This release fixes CVE-2017-12173: Unsanitized input when searching in
local cache database. SSSD stores its cached data in an LDAP like local
database file using ``libldb.`` To lookup cached data LDAP search filters
like ``(objectClass=user)(name=user_name)`` are used. However, in
``sysdb_search_user_by_upn_res()``, the input was not sanitized and
allowed to manipulate the search filter for cache lookups. This would
allow a logged in user to discover the password hash of a different user.
New Features
^^^^^^^^^^^^
* SSSD now supports session recording configuration through ``tlog``. This feature
enables recording of everything specific users see or type during their sessions on
a text terminal. For more information, see the ``sssd-session-recording(5)``
manual page.
* SSSD can act as a client agent to deliver
`Fleet Commander <
https://wiki.gnome.org/Projects/FleetCommander>`_
policies defined on an IPA server. Fleet Commander provides a
configuration management interface that is controlled centrally and
that covers desktop, applications and network configuration.
* Several new `systemtap <
https://sourceware.org/systemtap/>`_ probes
were added into various locations in SSSD code to assist in
troubleshooting and analyzing performance related issues. Please see the
``sssd-systemtap(5)`` manual page for more information.
* A new LDAP provide access control mechanism that allows to restrict
access based on PAM's rhost data field was added. For more details,
please consult the ``sssd-ldap(5)`` manual page, in particular the
options ``ldap_user_authorized_rhost`` and the ``rhost`` value of
``ldap_access_filter``.
Performance enhancements
^^^^^^^^^^^^^^^^^^^^^^^^
* Several attributes in the SSSD cache that are quite often used during
cache searches were not indexed. This release adds the missing indices,
which improves SSSD performance in large environments.
Notable bug fixes
^^^^^^^^^^^^^^^^^
* The SSSD libwbclient implementation adjusted its behaviour in order to
be compatible with Winbind's return value of wbcAuthenticateUserEx().
This enables the SSSD libwbclient library to work with Samba-4.6 or newer.
* SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
did not protect the communication with the PAC responder with a mutex.
This was causing multi-threaded applications that process the Kerberos
PAC to miss a reply from SSSD and then were blocked until the default
client timeout of 300 seconds passed. This release adds the mutex,
which fixes the PAC responder usage in multi-threaded environments.
* Previously, SSSD used to refresh several expired sudo rules by combining
them into a long LDAP filter. This was ineffective, because the LDAP server
had to process the query, but at that point, the client was quite often
querying most or all of the sudo rules anyway. In this version, when
the number of sudo rules to be refreshed exceeds the value of a new option
``sudo_threshold``, all sudo rules are fetched instead.
* A bug in the sudo integration that prevented the rules from matching if the
user name referenced in that rule was overriden with ``sss_override`` or
IPA ID views was fixed
* When SSSD is configured with ``id_provider=ad``, then a Kerberos
configuration is created that instructs libkrb5 to use TCP for communication
with the AD DC by default. This would save switching from UDP to TCP, which
happens almost every time with the ``ad`` provider due to the PAC attached to
the Kerberos ticket.
Packaging Changes
-----------------
* The ``sss_debuglevel`` and ``sss_cache`` utilities were superseded by
``sssctl`` commands ``sssctl debug-level`` and ``sssctl cache-expire``,
respectively. While this change is backwards-compatible in the sense
that the old commands continue to work, it is recommended to switch
to the ``sssctl`` command which will in future encompass all SSSD
administration tasks.
* Two new manpages, ``sssd-session-recording(5)`` and ``sssd-systemtap(5)``
were added.
* A new systemtap example script, which is packaged by default at
``/usr/share/sssd/systemtap/dp_request.stp`` was added.
* A new directory called ``deskprofile`` under the SSSD state directory
(typically ``/var/lib/sss/``) was added. SSSD downloads the Fleet
Commander profiles into this directory.
Documentation Changes
---------------------
* The ``ldap_user_certificate`` option has changed its default value
in the LDAP provider from "not set" to ``userCertificate;binary``.
* The ``ldap_access_filter`` option has a new allowed value ``rhost``
to support access control based on the PAM rhost value. The attribute
that SSSD reads during the rhost access control can be configured using
the new option ``ldap_user_authorized_rhost``.
* The thresholds after which the IPA and LDAP sudo providers will refresh
all sudo rules instead of only the expired ones can be tuned using the
``sudo_threshold`` option.
* A new provider handler, ``session_provider`` was added. At the moment,
only two handlers, ``ipa`` and ``none`` are supported. The IPA session
handler is used to fetch the Fleet Commander profiles from an IPA
server.
* The interval after which the IPA session provider will check for new
FleetCommander profiles can be configured using the new
``ipa_deskprofile_request_interval`` option.
Tickets Fixed
-------------
* `#3549 <
https://pagure.io/SSSD/sssd/issue/3549>`_ - CVE-2017-12173: Unsanitized
input when searching in local cache database
* `#3531 <
https://pagure.io/SSSD/sssd/issue/3531>`_ - dbus-1.11.18 caused hangs in
cwrap integration tests
* `#3518 <
https://pagure.io/SSSD/sssd/issue/3518>`_ - sssd_client: add mutex
protected call to the PAC responder
* `#3511 <
https://pagure.io/SSSD/sssd/issue/3511>`_ - sssd incorrectly checks
'try_inotify' thinking it is the wrong section
* `#3508 <
https://pagure.io/SSSD/sssd/issue/3508>`_ - Issues with certificate
mapping rules
* `#3501 <
https://pagure.io/SSSD/sssd/issue/3501>`_ - Accessing IdM kerberos ticket
fails while id mapping is applied
* `#3491 <
https://pagure.io/SSSD/sssd/issue/3491>`_ - pysss_nss_idmap: py3
constants defined as strings or bytes
* `#3485 <
https://pagure.io/SSSD/sssd/issue/3485>`_ - getsidbyid does not work with
1.15.3
* `#3481 <
https://pagure.io/SSSD/sssd/issue/3481>`_ - ERROR at setup of
test_kcm_sec_init_list_destroy
* `#3459 <
https://pagure.io/SSSD/sssd/issue/3459>`_ - Allow fallback from
krb5_aname_to_localname to other krb5 plugins
* `#3461 <
https://pagure.io/SSSD/sssd/issue/3461>`_ - unable to access cifs share
using sssd-libwbclient
* `#3488 <
https://pagure.io/SSSD/sssd/issue/3488>`_ - SUDO doesn't work for IPA
users on IPA clients after applying ID Views for them in IPA server
* `#3478 <
https://pagure.io/SSSD/sssd/issue/3478>`_ - sudo: fall back to the full
refresh after reaching a certain threshold
* `#3473 <
https://pagure.io/SSSD/sssd/issue/3473>`_ - Failures on
test_idle_timeout()
* `#3472 <
https://pagure.io/SSSD/sssd/issue/3472>`_ - sysdb index improvements -
missing ghost attribute indexing, unneeded objectclass index etc..
* `#3363 <
https://pagure.io/SSSD/sssd/issue/3363>`_ - secrets: Per UID secrets
quota
* `#3507 <
https://pagure.io/SSSD/sssd/issue/3507>`_ - Long search filters are
created during IPA sudo command + command group retrieval
* `#3499 <
https://pagure.io/SSSD/sssd/issue/3499>`_ - Change the
ldap_user_certificate to userCertificate;binary for the generic LDAP provider as well
* `#3482 <
https://pagure.io/SSSD/sssd/issue/3482>`_ - Fleet Commander: Add a
timeout to avoid contacting the DP too often in case there was no profile fetched in the
last login
* `#3460 <
https://pagure.io/SSSD/sssd/issue/3460>`_ - id root triggers an LDAP
lookup
* `#3315 <
https://pagure.io/SSSD/sssd/issue/3315>`_ - infopipe:
org.freedesktop.sssd.infopipe.Groups.Group doesn't show users
* `#3308 <
https://pagure.io/SSSD/sssd/issue/3308>`_ - SELinux: Use libselinux's
getseuserbyname to get the correct seuser
* `#3307 <
https://pagure.io/SSSD/sssd/issue/3307>`_ - RFE: Log to syslog when sssd
cannot contact servers, goes offline
* `#3306 <
https://pagure.io/SSSD/sssd/issue/3306>`_ - infopipe: List* with limit =
0 returns 0 results
* `#3305 <
https://pagure.io/SSSD/sssd/issue/3305>`_ - infopipe: crash when filter
doesn't contain '*'
* `#3254 <
https://pagure.io/SSSD/sssd/issue/3254>`_ - Set udp_preference_limit=0 by
sssd-ad using a krb5 snippet
* `#2995 <
https://pagure.io/SSSD/sssd/issue/2995>`_ - RFE: Deliver FleetCommander
URL endpoint from an IPA server
* `#2893 <
https://pagure.io/SSSD/sssd/issue/2893>`_ - [RFE] Conditionally wrap user
terminal with tlog
* `#3513 <
https://pagure.io/SSSD/sssd/issue/3513>`_ - MAN: Document that
full_name_format must be set if the output of trusted domains user resolution should be
shortnames only
* `#3450 <
https://pagure.io/SSSD/sssd/issue/3450>`_ - Unnecessary second log event
causing much spam to syslog
* `#3417 <
https://pagure.io/SSSD/sssd/issue/3417>`_ - MAN: document that attribute
'provider' is not allowed in section 'secrets'
* `#3399 <
https://pagure.io/SSSD/sssd/issue/3399>`_ - Improve description of
'trusted domain section' in sssd.conf's man page
* `#3061 <
https://pagure.io/SSSD/sssd/issue/3061>`_ - Add systemtap probes into the
top-level data provider requests
* `#2809 <
https://pagure.io/SSSD/sssd/issue/2809>`_ - CI doesn't work with DNF
* `#2301 <
https://pagure.io/SSSD/sssd/issue/2301>`_ - Print a warning when
enumeration is requrested but disabled
* `#1898 <
https://pagure.io/SSSD/sssd/issue/1898>`_ - Move header files consumed by
both server and client to special folder
* `#3517 <
https://pagure.io/SSSD/sssd/issue/3517>`_ - Prevent "TypeError: must
be type, not classobj"
* `#3147 <
https://pagure.io/SSSD/sssd/issue/3147>`_ - sssctl: get and set debug
level
* `#3057 <
https://pagure.io/SSSD/sssd/issue/3057>`_ - Merge existing command line
tools into sssctl