shadow policy
by Angel Bosch
hi,
I'm not sure if this is sss related, but I can't get passwd policies working.
Is there anyone using shadow attributes for passwd policies?
regards,
muzzol
11 years, 3 months
Announcing SSSD 1.9.0 beta 3
by Stephen Gallagher
The SSSD is proud to announce the third of five preview releases of
version 1.9 of the System Security Services Daemon.
Beta 4 will be released on July 10th and include a new AD provider
(wrapping the intricacies of setting up AD, configuring LDAP attributes
and Kerberos realm into a simpler set of configuration options)
Beta 5 will be released on July 31st and will contain a new tool for
"seeding" accounts with a temporary password for sending machines to
remotees as well as introducing a concept of primary vs. secondary
servers.
After Beta 5, no new features will be added to SSSD 1.9.0 and we will
focus on stability and our backlog of bugfixes until the final release
around September 1st. We will most likely issue a series of release
candidate builds prior to that, but these have not yet been scheduled.
As always, you can download the latest sources at
https://fedorahosted.org/sssd/
== Highlights ==
* Add a new PAC responder for dealing with cross-realm Kerberos trusts
* Terminate idle connections to the NSS and PAM responders
* Switch from libunistring to glib2 for unicode support
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1163
[Feature] SSSD AD Integration Feature (Cross Realm Kerberos Trusts)
https://fedorahosted.org/sssd/ticket/1354
Add support for terminating idle connections in sssd_nss
https://fedorahosted.org/sssd/ticket/1383
sssd_nss segfaults performing netgroup lookups without a specified
domain
== Detailed Changelog ==
Jan Zeleny (5):
* Fix possible segfault in sdap_save_group()
* PAC responder: add some utility functions
* PAC responder: test suite
* Fix re_expression matching with subdomains
* SELinux user maps: pick just one map
Shantanu Goel (4):
* Set return errno to the value prior to calling close().
* Log message if close() fails in destructor.
* Do not send SIGPIPE on disconnection
* Add support for terminating idle connections
Simo Sorce (2):
* Do not leak file descriptors in client libs.
* Add close on exec support for old platforms
Stef Walter (1):
* Move some debug lines to new debug log levels
Stephen Gallagher (6):
* Bumping version to 1.9.0 beta 3
* Fix typo breaking DIR cache detection
* Make the client idle timeout configurable
* UTILS: Fix segfault due to sss_parse_name_for_domains
* BUILD: Change default unicode library to glib2
* Update translations for 1.9.0 beta 3 release
Sumit Bose (11):
* PAC responder: add basic infrastructure
* PAC responder: add the core functionality
* PAC responder: support in spec file
* PAC client: add basic support in common client code
* PAC client: add krb5 authdata plugin
* Add support for ID ranges
* Add range support to PAC responder
* Try to build PAC responder only if all dependencies are available
* Build pac responder tests only if pac responder is built
* Add man page section for the PAC responder
* Set default for subdomain_homedir
11 years, 3 months
Announcing SSSD 1.9.0 beta 2
by Stephen Gallagher
The SSSD team is proud to announce the second beta of our upcoming 1.9.0
release. We have revised our beta plan and will be having five betas
instead of three as originally communicated. Originally, the plan was to
have our next beta be the final one, at the end of July. We now have the
following schedule:
Beta 3 will be released next Friday (Jun 22nd) or the following Monday
and contain enhancements necessary to support Kerberos cross-realm
trusts with FreeIPA, a server-side piece of which will be released a few
days after.
Beta 4 will be released on July 10th and include a new AD provider
(wrapping the intricacies of setting up AD, configuring LDAP attributes
and Kerberos realm into a simpler set of configuration options)
Beta 5 will be released on July 31st and will contain a new tool for
"seeding" accounts with a temporary password for sending machines to
remotees as well as introducing a concept of primary vs. secondary
servers.
After Beta 5, no new features will be added to SSSD 1.9.0 and we will
focus on stability and our backlog of bugfixes until the final release
around September 1st. We will most likely issue a series of release
candidate builds prior to that, but these have not yet been scheduled.
As always, you can download the latest sources at
https://fedorahosted.org/sssd/
== Highlights ==
* Add support for the Kerberos DIR cache for storing multiple TGTs
automatically
* Major performance enhancement when storing large groups in the cache
* Major performance enhancement when performing initgroups() against
Active Directory
* SSSDConfig data file default locations can now be set during
configure for easier packaging
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/974
[RFE] Support DIR: credential caches for multiple TGT support
https://fedorahosted.org/sssd/ticket/984
RFE: sssd should support Netscape LDAP password expiration controls
https://fedorahosted.org/sssd/ticket/1213
Warn to syslog when dereference requests fail
https://fedorahosted.org/sssd/ticket/1240
sudo: contact data provider only once
https://fedorahosted.org/sssd/ticket/1255
RFE: change the way we deal with fake users
https://fedorahosted.org/sssd/ticket/1256
Document the expectations about ghost users showing in the lookups
https://fedorahosted.org/sssd/ticket/1330
Potential NULL dereference in sss_krb5_read_etypes_for_keytab
https://fedorahosted.org/sssd/ticket/1336
Please only use named parameters in translatable strings
https://fedorahosted.org/sssd/ticket/1337
Minor typos in SSSD messages and man pages
https://fedorahosted.org/sssd/ticket/1346
in-memory cache causes nss to segfault if it cannot be initialized
properly
https://fedorahosted.org/sssd/ticket/1367
Optimize AD memberOf lookups with LDAP_MATCHING_RULE_IN_CHAIN
== Detailed Changelog ==
Ariel Barria (3):
* Potential NULL dereference in proxy provider
* Warn to syslog when dereference requests fail
* Clarify how comments work in sssd.conf
Jakub Hrozek (20):
* NSS: keep a pointer to body after body is reallocated
* Use sized_string correctly in FQDN domains
* Use the sysdb attribute name, not LDAP attribute name
* LDAP nested groups: Do not process callback with _post deep in the
nested structure
* Send 16bit protocol numbers from the sss_client
* Revert the client packet length, too, after reverting the packet
protocol
* Fix the default sssd.conf path
* Fix the 0.11 sysdb upgrade
* sss_names_init: Report correct error code if allocation failed
* Two small krb5_child fixes
* Provide more debugging in krb5_child and ldap_child
* Allow redefining the KRB5_CHILD path
* Split parse_krb5_child_response so it can be reused
* Add a krb5_child test tool
* Residual util functions
* Handle trailing slash in the ccname template
* Add a credential cache back end structure
* Add support for storing credential caches in the DIR: back end
* Use Kerberos context in KRB5_DEBUG
* Make krb5_ccname_template and krb5_ccachedir configurable
Jan Cholasta (3):
* SSH: Update sss_ssh_knownhostsproxy manual page
* SSH: Suppress error message output in sss_ssh_knownhostsproxy
* SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS
records are missing
Jan Zeleny (20):
* Fixed two minor memory leaks
* Fixed issue in SELinux user maps
* Ghost members - add the ghost attribute to sysdb
* Ghost members - support in LDAP provider
* Ghost members - support in proxy provider
* Ghost members - modifications in sysdb
* Ghost members - modifications in memberof plugin
* Ghost members - sysdb upgrade routine
* Ghost members - NSS responder changes
* Ghost members - removed sdap_check_aliases()
* Ghost members - modified sss_groupshow
* Ghost members - various small changes
* Add support for filtering attributes
* Utilize attribute exclusion in LDAP initgroups
* Fixed setting of debug level in test suite
* IPA subdomains - ask for information about master domain
* Allow fast memcache timeout to be configurable
* Fix an issue in ghost users
* Provide "service filter" for SELinux context
* Fixed debug message in sdap_save_group()
Joshua Roys (1):
* Simple implementation of Netscape password warning expiration control
Nick Guay (1):
* added DEBUG messages to krb5_child and ldap_child
Stef Walter (1):
* Make re_expression and full_name_format per domain options
Stephen Gallagher (27):
* Bumping version to 1.8.92 for beta 2 development
* RPM: Allow running 'make rpms' on RHEL 5 machines
* NSS: Expire in-memory netgroup cache before the nowait timeout
* Always use positional arguments in translatable strings
* KRB5: Avoid NULL-dereference with empty keytab
* Update translation sources
* NSS: Fix segfault when mmap cache cannot be initialized
* NSS: Restore original protocol for getservbyport
* SSSDConfig: Make SSSDConfig a package
* SSSDConfig: Make default config and schema file locations
configurable
* PAM: Better pam_reply message
* SYSDB: Reduce noise level of debug messages in lookups
* LDAP: Remove redundant check
* LDAP: Fix incorrect switch statement in sdap_get_initgr_done()
* LDAP: Add helper function to get list of a user's groups from sysdb
* LDAP: Make sdap_initgr_common_store() non-static
* LDAP: Add ldap_*_use_matching_rule_in_chain options
* LDAP: Add support for AD chain matching extension in group lookups
* LDAP: Add support for AD chain matching extension in initgroups
* LDAP: Auto-detect support for the ldap match rule
* LDAP: Fix missing variable in debug message
* SSS_CLIENT: Fix uninitialized value error
* Fix compilation on older little-endian systems
* KRB5: Update DEBUG macros for create_ccache_dir and
find_ccdir_parent_data
* KRB5: Auto-detect DIR cache support in configure
* KRB5: Avoid shadowing dirname
* Updating translations for 1.9.0 beta 2 release
Sumit Bose (4):
* Rename struct dom_sid to struct sss_dom_sid
* Fix libsss_hbac library version
* sss_idmap: add support for samba struct dom_sid
* sss_idmap: fix typo which prevents sub auth larger than 2^31
Yuri Chornoivan (1):
* Fix typos in message and man pages.
11 years, 3 months
enumerate=false still enumerates a lot of users/groups
by GOLLSCHEWSKY, Tim
Hi SSSD Users.
I'm trying to increase the performance of my user's logins, we have a medium sized Active Directory.
According to the man page, the enumerate directive:
enumerate (bool)
Determines if a domain can be enumerated. This parameter can have one of the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
However when I start sssd with no cache and simulate an initgroups, it still seems to enumerate many, many groups and user accounts.
I'm running sssd v1.8.4:
# pkill sssd
# pgrep sssd
# pwd
/apps/sssd-1.8.4
# rm -f var/lib/sss/db/*
# grep enumerate /etc/sssd/sssd.conf
enumerate = FALSE
# grep ldap_access /etc/sssd/sssd.conf
ldap_access_filter = memberOf=cn=xxxgroup,ou=yyyOU,ou=zzzOU,ou=Groups,dc=aaa,dc=bbb,dc=ccc
# sbin/sssd -c /etc/sssd/sssd.conf
# su - myuser -c "groups | wc"
1 193 1181
# strings var/lib/sss/db/cache_AAA.BBB.CCC.ldb | grep OU=Groups,DC=aaa,DC=bbb,DC=ccc | sort -u | wc -l
522
# strings var/lib/sss/db/cache_AAA.BBB.CCC.ldb | grep OU=Accounts,DC=aaa,DC=bbb,DC=ccc | sort -u | wc -l
1938
Sorry for my use of strings and sort -u, I don't know a better way to interrogate the cache.
Why does it still enumerate so many users and groups (that are not me, and not in my ldap_access_filter) when I log in? Even when I have disabled domain enumeration?
Regards,
Tim.
11 years, 4 months
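The cache inspection the post above asks about, as an added example that is not from the thread or from the SSSD project: count cached user and group objects by objectClass from ldbsearch LDIF output instead of grepping DN strings, which also matches every memberOf reference and so inflates the number. It assumes ldbsearch from the ldb-tools package for the real invocation in the comments; the LDIF sample is constructed.

```shell
# Count cached SSSD objects of one class from ldbsearch LDIF output on stdin.
# Real use (ldbsearch is from ldb-tools), against the cache named in the post:
#   ldbsearch -H var/lib/sss/db/cache_AAA.BBB.CCC.ldb '(objectClass=*)' objectClass | count_class user
count_class() {
    awk -v want="$1" '
        NF == 0 { if (hit) n++; hit = 0; next }   # a blank line closes an entry
        /^#/    { next }                          # "# record N" comment lines
        tolower($0) == ("objectclass: " tolower(want)) { hit = 1 }
        END     { if (hit) n++; print n + 0 }
    '
}

# The "strings | grep <DN suffix>" approach from the post counts every line that
# mentions the suffix, so memberOf/originalMemberOf references inflate the total.
count_dn_mentions() {
    grep -c -- "$1" || true
}

# Constructed sample of what ldbsearch prints for an SSSD sysdb cache (not real data).
SAMPLE_LDIF=$(cat <<'EOF'
# record 1
dn: name=alice,cn=users,cn=aaa.bbb.ccc,cn=sysdb
objectClass: user
originalDN: CN=alice,OU=Accounts,DC=aaa,DC=bbb,DC=ccc
originalMemberOf: CN=xxxgroup,OU=Groups,DC=aaa,DC=bbb,DC=ccc

# record 2
dn: name=bob,cn=users,cn=aaa.bbb.ccc,cn=sysdb
objectClass: user
originalDN: CN=bob,OU=Accounts,DC=aaa,DC=bbb,DC=ccc
originalMemberOf: CN=xxxgroup,OU=Groups,DC=aaa,DC=bbb,DC=ccc

# record 3
dn: name=xxxgroup,cn=groups,cn=aaa.bbb.ccc,cn=sysdb
objectClass: group
originalDN: CN=xxxgroup,OU=Groups,DC=aaa,DC=bbb,DC=ccc
member: name=alice,cn=users,cn=aaa.bbb.ccc,cn=sysdb
member: name=bob,cn=users,cn=aaa.bbb.ccc,cn=sysdb

# returned 3 records
EOF
)

printf 'users:  %s\n' "$(printf '%s\n' "$SAMPLE_LDIF" | count_class user)"    # 2
printf 'groups: %s\n' "$(printf '%s\n' "$SAMPLE_LDIF" | count_class group)"   # 1
printf 'lines mentioning OU=Groups: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LDIF" | count_dn_mentions 'OU=Groups,DC=aaa,DC=bbb,DC=ccc')"  # 3
```

Run the same two counts against the real cache (as root, while sssd is stopped or on a copy of the file) before and after a login to see how many objects initgroups actually added, rather than how many lines mention a DN suffix.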