ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
Hi!
Is it possible to use SASL/EXTERNAL when connecting to a LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
8 years, 6 months
RFC: dropping upstream support of RHEL5 starting with 1.10
by Jakub Hrozek
Hi,
many new features rely on library APIs and features that are only available
in recent versions of SSSD dependencies. As a result, the code often needs
#ifdefs and special branches in order to at least compile or run on RHEL5.
So far we've been doing nightly builds also for RHEL5 and fixing issues
as we were finding them. But recently we are considering dropping support
for RHEL5 -- it is causing some engineering effort and at the same time
the audience is probably very limited. If you are running a super-stable
enterprise distribution, chances are you are not all that interested in
the latest and possibly very unstable SSSD version.
The proposal would be to keep building and supporting the 1.9.x branch
for RHEL5 and switch to using RHEL6 as the oldest supported release
starting from the 1.10 upstream version. Of course we would still accept
patches from any potential contributors.
Any objections against the plan?
10 years, 4 months
Announcing SSSD 1.8.6
by Jakub Hrozek
=== SSSD 1.8.6 ===
The SSSD team is proud to announce the bugfix release of the System
Security Services Daemon version 1.8.6.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, this time for
F-16 and F-17 (before F-17 rebases to 1.9.4)
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions
when creating or removing home directories for users in local domain
* A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads
in autofs and ssh responder
* Handle servers that return an empty string as the value of namingContext,
in particular Novell eDirectory
* The netgroup midpoint cache refresh works as documented in the manual page
* The sssd_pam responder processes pending requests after reconnect
== Tickets Fixed ==
* https://fedorahosted.org/sssd/ticket/1542
User authentication using LDAP doesn't work
* https://fedorahosted.org/sssd/ticket/1581
sssd_be crashes while looking up users
* https://fedorahosted.org/sssd/ticket/1717
Limit requests coalescing in time
* https://fedorahosted.org/sssd/ticket/1683
arithmetic bug in the SSSD causes netgroup midpoint refresh to be always
set to 10 seconds
* https://fedorahosted.org/sssd/ticket/1655
Login fails - sssd_be module polling fd indefinitely and gets killed
* https://fedorahosted.org/sssd/ticket/1781
sssd: Out-of-bounds read flaws in autofs and ssh services responders
* https://fedorahosted.org/sssd/ticket/1528
SSSD_NSS failure to gracefully restart after sbus failure
* https://fedorahosted.org/sssd/ticket/1783
Group lookup fails and takes ~60s to return to shell if member dn is
incorrect
* https://fedorahosted.org/sssd/ticket/1782
TOCTOU race conditions by copying and removing directory trees
== Detailed Changelog ==
Jakub Hrozek (9):
* Updating the version for the 1.8.6 release
* Initialize Kerberos ticket renewal in the IPA provider
* LDAP: Check validity of naming_context
* Free the internal DP request
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
* NSS: Fix netgroup midpoint cache refresh
* TOOLS: Use openat/unlinkat when removing the homedir
* TOOLS: Compile on old platforms such as RHEL5
* Include the auth_utils.h header in the distribution
Jan Cholasta (1):
* Check that strings do not go beyond the end of the packet body in
autofs and SSH requests.
Ondrej Kos (2):
* Restart services with a delay in case they are restarted too often
* TOOLS: Use file descriptor to avoid races when creating a home directory
Pavel Březina (1):
* nested groups: fix group lookup hangs if member dn is incorrect
Simo Sorce (2):
* responder_dp: Add timeout to side requests
* sssd_pam: Cleanup requests cache on sbus reconnect
Stephen Gallagher (1):
* LDAP: Handle empty namingContexts values safely
Timo Aaltonen (1):
* link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthread
10 years, 7 months
Problems with Kerberos authentication: Cannot find KDC for requested realm
by C. S.
Hi folks,
Any help here would be appreciated, I don't seem to see what the issue is.
I can login using kinit just fine, but sssd fails when using ssh. It seems
like it has something to do with the files in /var/lib/sss/pubconf going
missing, which causes sssd-krb5 to fail with: Cannot find KDC for requested
realm.
This is CentOS 6, sssd-1.8.0-32.el6.x86_64.
e.g. kinit login works:
[testuser@test01 ~]$ kinit
Password for testuser@MYREALM.COM:
Warning: Your password will expire in 41 days on Sun Mar 10 19:01:44 2013
[testuser@test01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: testuser@MYREALM.COM
Valid starting Expires Service principal
01/27/13 22:13:00 01/28/13 08:13:00 krbtgt/MYREALM.COM@MYREALM.COM
renew until 02/03/13 22:12:53
[testuser@test01 ~]$
But over ssh:
/var/log/secure:
Jan 27 21:57:03 test1 sshd[2882]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39
user=testuser
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): system info: [Cannot
find KDC for requested realm]
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.74.34.39
user=testuser
Jan 27 21:57:03 test1 sshd[2882]: pam_sss(sshd:auth): received for user
testuser: 4 (System error)
Jan 27 21:57:05 test1 sshd[2882]: Failed password for testuser from
10.74.34.39 port 55143 ssh2
Jan 27 21:57:11 test1 sshd[2883]: Connection closed by 10.74.34.39
sssd -i -d9 + SSSD_KRB5_LOCATOR_DEBUG=1 output:
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x4175f0:3:testuser@MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sdap_process_result]
(0x2000): Trace: sh[0x248b180], connected[1], ops[(nil)], ldap[0x248b360]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sbus_dispatch]
(0x4000): dbus conn: 2485210
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sbus_dispatch]
(0x4000): Dispatching.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sbus_message_handler]
(0x4000): Received SBUS method [pamHandler]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_pam_handler]
(0x0100): Got request with the following data
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): domain: MYREALM.COM
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): user: testuser
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): service: sshd
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): tty: ssh
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): ruser:
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): rhost: 10.74.34.39
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): authtok type: 1
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): authtok size: 12
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): newauthtok size: 0
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): priv: 1
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [pam_print_data]
(0x0100): cli_pid: 2882
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_pam_handler]
(0x1000): Wait queue of user [testuser] is empty, running request
immediately.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent:
Added timed event "ltdb_callback": 0x2537a00
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent:
Added timed event "ltdb_timeout": 0x2539b50
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent:
Destroying timer event 0x2539b50 "ltdb_timeout"
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [ldb] (0x4000): tevent:
Ending timer event 0x2537a00 "ltdb_callback"
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_auth_send]
(0x0100): No ccache file for user [testuser] found.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_auth_send]
(0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [get_server_status]
(0x1000): Status of server 'auth01.myrealm.com' is 'working'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [get_port_status]
(0x1000): Port status of port 88 for server 'auth01.MYREALM.COM' is
'neutral'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10
seconds
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [get_server_status]
(0x1000): Status of server 'auth01.myrealm.com' is 'working'
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_resolve_server_done]
(0x1000): Saving the first resolved server
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_resolve_server_done]
(0x0200): Found address for server auth01.MYREALM.COM: [192.168.246.37] TTL
300
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_find_ccache_step]
(0x4000): Recreating ccache file.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [create_ccache_dir]
(0x4000): Ccache directory name [/tmp/krb5cc_501_XXXXXX] does not contain
illegal patterns.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [2884]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [become_user] (0x4000):
Trying to become user [501][501].
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [2884]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Sun Jan 27 21:57:03 2013) [sssd] [main] (0x1000): krb5_child started.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [krb5_child_setup]
(0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [krb5_child_setup]
(0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [krb5_child_setup]
(0x4000): Not using FAST.
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [get_and_save_tgt]
(0x0020): 660: [-1765328230][Cannot find KDC for requested realm]
(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [tgt_req_child]
(0x0020): 919: [-1765328230][Cannot find KDC for requested realm]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_child_done]
(0x4000): child response [4][1][36].
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [check_wait_queue]
(0x1000): Wait queue for user [testuser] is empty.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>)
[Success]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]]
[be_pam_handler_callback] (0x0100): Sending result [4][MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]]
[be_pam_handler_callback] (0x0100): Sent result [4][MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000):
0x751c90
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
754800
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [sbus_dispatch] (0x4000):
Dispatching.
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [4][MYREALM.COM]
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [pam_reply] (0x0100): pam_reply get
called.
(Sun Jan 27 21:57:03 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 79
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_sig_handler]
(0x1000): Waiting for child [2884].
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [child_sig_handler]
(0x0100): child [2884] finished successfully.
(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [sss_child_handler]
(0x2000): waitpid failed [10]: No child processes
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYREALM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYREALM.COM = {
kdc = auth01.myrealm.com:88
admin_server = auth01.myrealm.com
default_domain = myrealm.com
}
[domain_realm]
.myrealm.com = MYREALM.COM
myrealm.com = MYREALM.COM
/etc/sssd/sssd.conf:
[sssd]
debug_level = 0xFFF0
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = MYREALM.COM
[nss]
debug_level = 0xFFF0
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
debug_level = 0xFFF0
[domain/MYREALM.COM]
debug_level = 0xFFF0
min_id = 1
max_id = 0
ldap_page_size = 1000
enumerate = true
cache_credentials = true
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldaps://auth01.myrealm.com:3269
ldap_search_base = dc=myrealm,dc=com
ldap_user_search_base = dc=myrealm,dc=com
ldap_group_search_base = dc=myrealm,dc=com
ldap_schema = rfc2307bis
ldap_default_bind_dn = Administrator@MYREALM.COM
ldap_default_authtok = p@$$word
ldap_default_authtok_type = password
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_group_object_class = group
ldap_user_principal = userPrincipalName
ldap_user_shadow_last_change = pwdLastSet
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = false
auth_provider = krb5
krb5_server = auth01.myrealm.com:88
krb5_realm = MYREALM.COM
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
/etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
10 years, 8 months
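The log excerpt in the post above can be triaged mechanically. The script below is an added example, not code from the thread or from the SSSD project: it parses SSSD's debug-log line format, decodes the debug_level bits documented in sssd.conf(5), and correlates the bare sssd_krb5_locator ENOENT lines with the krb5_child error code. The sample lines are constructed from the post's output (unwrapped); the kdcinfo.<REALM> file name under /var/lib/sss/pubconf is assumed from SSSD's documented locator behaviour.

```python
"""Triage an SSSD debug log for the locator/krb5_child failure pattern."""
import re
from typing import Any, Dict, List, Optional, Tuple

# debug_level bits as documented in sssd.conf(5); 0x0010-0x0080 are failures.
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function-data", 0x0400: "trace-func",
    0x1000: "trace-libs", 0x2000: "trace-internal", 0x4000: "trace-all",
}
FAILURE_MASK = 0x00F0

# "(timestamp) [component] [function] (0xLEVEL): message"; the component may
# nest brackets, e.g. [sssd[be[MYREALM.COM]]] or [[sssd[krb5_child[2884]]]].
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) (?P<component>\[.*\]) \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
# sssd_krb5_locator writes bare lines when SSSD_KRB5_LOCATOR_DEBUG=1 is set.
LOCATOR_RE = re.compile(r"^\[sssd_krb5_locator\] (?P<msg>.*)$")
# krb5_child reports libkrb5 failures as "<source line>: [<code>][<text>]".
KRB5_ERR_RE = re.compile(r"^\d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")
ENOENT_RE = re.compile(r"open failed \[2\]")  # errno 2 == ENOENT


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one timestamped SSSD log line into its fields, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "component": m["component"], "func": m["func"],
            "level": int(m["level"], 16), "msg": m["msg"]}


def level_name(level: int) -> str:
    return LEVEL_NAMES.get(level, hex(level))


def triage(lines: List[str]) -> Dict[str, Any]:
    """Collect failure-level messages, locator ENOENTs and krb5_child errors."""
    failures: List[Tuple[str, str, str]] = []
    krb5_errors: List[Tuple[int, str]] = []
    locator_enoent = 0
    for raw in lines:
        line = raw.rstrip("\n")
        loc = LOCATOR_RE.match(line)
        if loc:  # locator lines carry no timestamp or level
            if ENOENT_RE.search(loc["msg"]):
                locator_enoent += 1
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["level"] & FAILURE_MASK:
            failures.append((rec["func"], level_name(rec["level"]), rec["msg"]))
        if "krb5_child" in rec["component"]:
            err = KRB5_ERR_RE.match(rec["msg"])
            if err:
                krb5_errors.append((int(err["code"]), err["text"]))
    no_kdc = any("Cannot find KDC" in text for _, text in krb5_errors)
    if no_kdc and locator_enoent:
        verdict = ("sssd_krb5_locator could not open its kdcinfo.<REALM> file under "
                   "/var/lib/sss/pubconf (ENOENT) and krb5_child then reported "
                   "'Cannot find KDC for requested realm': check that the file "
                   "exists and that the realm's kdc setting is visible to krb5_child")
    elif krb5_errors:
        verdict = "krb5_child failed: " + "; ".join(t for _, t in krb5_errors)
    elif failures:
        verdict = "%d failure-level messages, none from krb5_child" % len(failures)
    else:
        verdict = "no failure-level messages found"
    return {"failures": failures, "locator_enoent": locator_enoent,
            "krb5_errors": krb5_errors, "verdict": verdict}


# Constructed sample, modelled on the post's output with wrapped lines rejoined.
SAMPLE_LOG = [
    "(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_auth_send] "
    "(0x0100): No ccache file for user [testuser] found.",
    "(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [be_resolve_server_done] "
    "(0x0200): Found address for server auth01.MYREALM.COM: [192.168.246.37] TTL 300",
    "[sssd_krb5_locator] sssd_krb5_locator_init called",
    "[sssd_krb5_locator] open failed [2][No such file or directory].",
    "[sssd_krb5_locator] get_krb5info failed.",
    "[sssd_krb5_locator] sssd_krb5_locator_init called",
    "[sssd_krb5_locator] open failed [2][No such file or directory].",
    "(Sun Jan 27 21:57:03 2013) [[sssd[krb5_child[2884]]]] [get_and_save_tgt] "
    "(0x0020): 660: [-1765328230][Cannot find KDC for requested realm]",
    "(Sun Jan 27 21:57:03 2013) [sssd[be[MYREALM.COM]]] [krb5_child_done] "
    "(0x4000): child response [4][1][36].",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for func, lvl, msg in result["failures"]:
        print(f"{lvl:>9} {func}: {msg}")
    print("locator ENOENT lines:", result["locator_enoent"])
    print("verdict:", result["verdict"])
```

Feed it a real log with `triage(open("/var/log/sssd/sssd_MYREALM.COM.log").readlines())`; the regexes expect one record per line, so logs copied from mail must be unwrapped first.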
Announcing SSSD 1.9.4
by Jakub Hrozek
=== SSSD 1.9.4 ===
The SSSD team is proud to announce the release of version 1.9.4 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
This is another bug fix only release of the 1.9 series. In addition to
fixing functionality, this release also includes two security patches. With
the release of 1.9.4, all the known regressions that were introduced during
the 1.9 development are fixed. We are still tracking a couple of important
bugs, though, mostly in the 1.9.5 milestone.
Our focus for the next couple of months will change from bug fixing only to
both bug fixing and new feature development. The new features will be developed
in the master branch, which will later become 1.10, and only backported to
1.9 as appropriate.
RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focused mainly on fixing regressions compared to the 1.8
series and bugfixes for features introduced in the 1.9 release cycle
* A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions
when creating or removing home directories for users in local domain
* A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads in
autofs and ssh responder
* A serious memory leak in the NSS responder was fixed
* The sssd_pam responder processes pending requests after reconnect
* Requests that were processing group entries with DNs pointing out of any
configured search bases were not terminated correctly, causing long timeouts
* Kerberos tickets are correctly renewed even after SSSD daemon restart
* The autofs LDAP provider correctly updates entries that changed mount
options on the LDAP server
* Secondary groups are now reported correctly for a user coming from a
trusted Active Directory server
* Kerberos principal selection was fixed to behave correctly when accessing
an Active Directory server
* Multiple fixes related to SUDO integration, in particular fixing
functionality when the sssd back end process was changing its online/offline
status
* The pwd_exp_warning option was fixed to function as documented in the
manual page
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1564
pam_sss(crond:account): Request to sssd failed. Timer expired
https://fedorahosted.org/sssd/ticket/1592
always reread the master map from LDAP
https://fedorahosted.org/sssd/ticket/1620
sss_cache: fqdn not accepted
https://fedorahosted.org/sssd/ticket/1624
sudoUser group and netgroup specifications don't work
https://fedorahosted.org/sssd/ticket/1626
sssd caching not working as expected for selinux usermap contexts
https://fedorahosted.org/sssd/ticket/1635
investigate the behaviour of ldap_sasl_authid in 1.9.x
https://fedorahosted.org/sssd/ticket/1655
Login fails - sssd_be module polling fd indefinitely and gets killed
https://fedorahosted.org/sssd/ticket/1659
sss_userdel doesn't remove entries from in-memory cache
https://fedorahosted.org/sssd/ticket/1666
IPA Trust does not show secondary groups for AD Users for commands
like id and getent
https://fedorahosted.org/sssd/ticket/1672
Error in PAC responder
https://fedorahosted.org/sssd/ticket/1677
memberUid required for primary groups to match sudo rule
https://fedorahosted.org/sssd/ticket/1679
Primary server status is not always reset after failover to backup
server happened
https://fedorahosted.org/sssd/ticket/1680
krb5_kpasswd failover doesn't work
https://fedorahosted.org/sssd/ticket/1682
Offline sudo denies access with expired entry_cache_timeout
https://fedorahosted.org/sssd/ticket/1685
Negative cache timeout is not working for proxy provider
https://fedorahosted.org/sssd/ticket/1687
Disallow root SSH public key authentication
https://fedorahosted.org/sssd/ticket/1689
sudo: if first full refresh fails, schedule another first full refresh
https://fedorahosted.org/sssd/ticket/1690
Option ldap_sudo_include_regexp named incorrectly
https://fedorahosted.org/sssd/ticket/1694
Incorrect synchronization in mmap cache
https://fedorahosted.org/sssd/ticket/1699
ldap_chpass_uri failover fails on using same hostname
https://fedorahosted.org/sssd/ticket/1701
sudo denies access with disabled ldap_sudo_use_host_filter
https://fedorahosted.org/sssd/ticket/1702
sssd_nss crashes during enumeration
https://fedorahosted.org/sssd/ticket/1703
Wrong variable check in the memberof plugin
https://fedorahosted.org/sssd/ticket/1704
Wrong error handler in sss_mc_create_file
https://fedorahosted.org/sssd/ticket/1706
segfault in async_resolv.c
https://fedorahosted.org/sssd/ticket/1708
sssd components seem to mishandle sighup
https://fedorahosted.org/sssd/ticket/1710
man sssd-sudo has wrong title
https://fedorahosted.org/sssd/ticket/1714
user id lookup fails for case sensitive users using proxy provider
https://fedorahosted.org/sssd/ticket/1716
Make functions manipulating with mmap cache more defensive
https://fedorahosted.org/sssd/ticket/1717
Limit requests coalescing in time
https://fedorahosted.org/sssd/ticket/1722
crash in memory cache
https://fedorahosted.org/sssd/ticket/1724
Explicit null dereferenced
https://fedorahosted.org/sssd/ticket/1727
AD provider: getgrgid removes nested group memberships
https://fedorahosted.org/sssd/ticket/1728
Failure in memberof can lead to failed database update
https://fedorahosted.org/sssd/ticket/1730
Memory leak in new memcache initgr cleanup function
https://fedorahosted.org/sssd/ticket/1731
krb5 ticket renewal does not read the renewable tickets from cache
https://fedorahosted.org/sssd/ticket/1732
clarify the disadvantages of enumeration in sssd.conf
https://fedorahosted.org/sssd/ticket/1735
Failover to krb5_backup_kpasswd doesn't work
https://fedorahosted.org/sssd/ticket/1736
Smart refresh doesn't notice "defaults" addition with OpenLDAP
https://fedorahosted.org/sssd/ticket/1740
Incorrect principal searched for in keytab
https://fedorahosted.org/sssd/ticket/1754
wrong filter for autofs maps in sss_cache
https://fedorahosted.org/sssd/ticket/1757
memory cache is not updated after user is deleted from ldb cache
https://fedorahosted.org/sssd/ticket/1758
sssd fails to update to changes on autofs maps
https://fedorahosted.org/sssd/ticket/1760
Failover to ldap_chpass_backup_uri doesn't work
https://fedorahosted.org/sssd/ticket/1761
sssd_be crashes looking up members with groups outside the nesting limit
https://fedorahosted.org/sssd/ticket/1764
Modifications using sss_usermod tool are not reflected in memory cache
https://fedorahosted.org/sssd/ticket/1770
ipa-client-automount: autofs failed in s390x and ppc64 platform
https://fedorahosted.org/sssd/ticket/1773
SSSD should warn when pam_pwd_expiration_warning value is higher than
passwordWarning LDAP attribute.
https://fedorahosted.org/sssd/ticket/1775
local provider: All member users are not returned on looking up top
level parent group.
https://fedorahosted.org/sssd/ticket/1779
Rule mismatch isn't noticed before smart refresh on ppc64 and s390x
https://fedorahosted.org/sssd/ticket/1781
sssd: Out-of-bounds read flaws in autofs and ssh services responders
https://fedorahosted.org/sssd/ticket/1782
TOCTOU race conditions by copying and removing directory trees
https://fedorahosted.org/sssd/ticket/1783
Group lookup fails and takes ~60s to return to shell if member dn
is incorrect
https://fedorahosted.org/sssd/ticket/1787
reset the release in upstream spec before releasing 1.9.4
== Detailed Changelog ==
Jakub Hrozek (47):
* Updating the version for the 1.9.4 release
* SUDO: strdup the input variable
* PAC: check the return value of diff_git_lists
* SYSDB: Move misplaced assignment
* LDAP: remove dead assignment
* MEMBEROF: Fix copy-n-paste error
* NSS: Fix the error handler in sss_mc_create_file
* SYSDB: More debugging during the conversion to ghost users
* MAN: Fix the title of sssd-sudo
* MEMBEROF: silence compilation warnings
* Set cloexec flag for log files
* RESOLV: Do not steal the resulting hostent on error
* SYSDB: fix copy-n-paste error
* SYSDB: Add API to invalidate all map objects
* DP: invalidate all cached maps if a request for auto.master comes in
* AUTOFS: allow removing entries from hash table
* AUTOFS: remove all maps from hash if request for auto.master comes in
* RESPONDERS: Create a common file with service names and versions
* AUTOFS: Clear enum cache if a request comes in from the sss_cache
* Add responder_sbus.h to noinst_HEADERS
* Free resources if fileno failed
* Search for SHORTNAME$@REALM instead of fqdn$@REALM by default
* Potential resource leak in sss_nss_mc_get_record
* SYSDB: Remove duplicate selinux defines
* SYSDB: Split a function to read all SELinux maps
* SELINUX: Process maps even when offline
* IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAP
* AD: replace GID/UID, do not add another one
* AD: Add user as a direct member of his primary group
* TOOLS: move memcache related functions to tools_mc_utils.c
* TOOLS: Split querying nss responder into a separate function
* TOOLS: Provide a convenience function to refresh a list of groups
* TOOLS: Refresh memcache after changes to local users and groups
* LDAP: avoid complex realloc logic in save_rfc2307bis_group_memberships
* autofs: Use SAFEALIGN_SET_UINT32 instead of SAFEALIGN_COPY_UINT32
* NSS: invalidate memcache user entry on initgr, too
* Invalidate user entry even if there are no groups
* LDAP: Compare lists of DNs when saving autofs entries
* TOOLS: invalidate parent groups in memory cache, too
* Convert the value of pwd_exp_warning to seconds
* TOOLS: Use openat/unlinkat when removing the homedir
* TOOLS: Use file descriptor to avoid races when creating a home directory
* SYSDB: make the sss_ldb_modify_permissive function public
* SYSDB: Expire group if adding ghost users fails with EEXIST
* MAN: Clarify that saving users after enumerating large domain might
be CPU intensive
* TOOLS: Compile on old platforms such as RHEL5
* Updating the translations for the 1.9.4 release
Jan Cholasta (2):
* SSH: Reject requests for authorized keys of root
* Check that strings do not go beyond the end of the packet body in
autofs and SSH requests.
Michal Zidek (4):
* sssd_nss: Remove entries from memory cache if not found in sysdb
* tools: sss_userdel and groupdel remove entries from memory cache
* sss_cache: fqdn not accepted
* sss_userdel and sss_groupdel with use_fully_qualified_names
Ondrej Kos (4):
* PROXY: fix negative cache
* PROXY: fix groups caching
* LDAP: initialize refresh function handler
* SYSDB: Modify ghosts in permissive mode
Pavel Březina (22):
* sudo manpage: clarify that sudoHost may contain wildcards and not
regular expression
* let krb5_kpasswd failover work
* sudo: don't get stuck in rules and smart refresh when offline
* sysdb_get_sudo_user_info() initialize attrs on declaration
* sudo: include primary group in user group list
* sudo: support generalized time format
* let ldap_chpass_uri failover work when using same hostname
* try primary server after retry_timeout + 1 seconds when switching
to backup
* add sdap_sudo_schedule_refresh()
* check dp error in sdap_sudo_full_refresh_done()
* sudo: schedule another full refresh in short interval if the first fails
* sudo: do full refresh when data provider is back online
* let krb5_backup_kpasswd failover work
* memcache: add macro that validates record length
* explicit null dereferenced in sss_nss_mc_get_record()
* memcache: make MC_PTR_TO_SLOT() more readable
* sudo smart refresh: do not include usn in filter if no valid usn
is known
* sudo smart refresh: fix debug message
* let ldap_backup_chpass_uri work
* fix backend callbacks: remove callback properly from dlist
* sudo responder: change num_rules type from size_t to uint32_t
* nested groups: fix group lookup hangs if member dn is incorrect
Simo Sorce (12):
* Add a macro to copy with barriers
* Allow mmap calls to gracefully return absent ctx
* sssd_pam: Cleanup requests cache on sbus reconnect
* responder_dp: Add timeout to side requests
* memberof: Prevent unneded failure case
* sssd_nss: Plug memory leaks
* nss_mc: Add extra checks when dereferencing records
* Update free table when records are invalidated.
* Carefully check records when forcibly invalidating
* mmap cache: invalidate cache on fatal error
* Remove unused header
* Fix invalidating autofs maps
Sumit Bose (18):
* select_principal_from_keytab() look for plain input as well
* select_principal_from_keytab() do wildcard lookups after specific ones
* Fix a 'shadows a global declaration' warning
* Add default section to switch statement
* krb5 tgt renewal: fix usage of ldb_dn_get_component_val()
* Use struct pac_grp instead of gid_t for groups from PAC
* Add find_domain_by_id()
* IDMAP: add sss_idmap_smb_sid_to_unix()
* Update domain ID for local domain as well
* Always get user data from PAC
* Save domain and GID for groups from the configured domain
* Remote groups do not have an original DN attribute
* Read remote groups from PAC
* Translate LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS to EEXIST
* Use hash table to collect GIDs from PAC to avoid dups
* Add tests for get_gids_from_pac()
* PAC responder: check if existing user differs
* Refactor gid handling in the PAC responder
10 years, 8 months
Plan for sssd-1.8.6
by Jakub Hrozek
Hi,
the recent security issue means we need to release a 1.8.6 LTM release
upstream as well.
I plan on releasing 1.8.6 with fixes listed below. Does the list make
sense for everybody? Would you like to add some fixes that went upstream
but may not be fixed in your distribution or release you are using?
Please respond by tomorrow, I'll tag and release 1.8.6 then.
The tentative list of fixes, tickets they fixed (if any) and commit
hashes from the sssd-1-9 branch (as backporting from master might be
challenging already) is below:
* security fix for CVE-2013-2019
- https://fedorahosted.org/sssd/ticket/1782
- sssd-1-9: e864d914a44a37016736554e9257c06b18c57d37
3843b284cd3e8f88327772ebebc7249990fd87b9
5c17895a272b06897608d951ea4e60c539138208
* security fix for CVE-2013-2020
- https://fedorahosted.org/sssd/ticket/1781
- sssd-1-9: 30e2585dd46b62aa3a4abdf6de3f40a20e1743ab
* Handle empty namingContexts values safely - was affecting Novell eDirectory
users
- https://fedorahosted.org/sssd/ticket/1542
- sssd-1-9: 3f5953b0cd6ad826141c62dd239efc675b351689
* sssd_pam: Cleanup requests cache on sbus reconnect
- This bug was causing the infamous "Timer Expired" errors on reconnect
- https://fedorahosted.org/sssd/ticket/1655
- sssd-1-9: 23669fdf7afd1f0b427f98eb20a760101fb80300
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
- The backport was explicitly requested by a SuSE user
- sssd-1-9: 16e0b00c9f6444f058304f669b3a4b18ed751a52
* Free the internal DP request
- This bug was causing slow and steady memory growth of responders
- sssd-1-9: ff73778464f56c51716140b69ab29f101c036603
* NSS: Fix netgroup midpoint cache refresh
- The netgroup midpoint refresh didn't work as advertised
- https://fedorahosted.org/sssd/ticket/1683
- sssd-1-9: 83c5a0123f8d473d46091ee0d41a9ed019c78b6c
* responder_dp: Add timeout to side requests
- A general robustness fix; our QE hit the problem too, while testing 6.4
- https://fedorahosted.org/sssd/ticket/1717
- sssd-1-9: dd85581b726d7db264348ae27d77c4615b7f79d0
* Restart services with a delay in case they are restarted too often
- We've seen several users hit this problem in production
- https://fedorahosted.org/sssd/ticket/1528
- sssd-1-9: 3c922410f0b92a9b8556e28ff5d46ee7a59709c6
10 years, 8 months
SSSD over slow or dropping link
by Bolesław Tokarski
Hello,
I am having a problem where a user is trying to authenticate to our
European servers while sitting in our Asian office where the link is not
of the best quality.
What he is experiencing is a number of failed authentication attempts.
SSSD version 1.8.5 from Timo Aaltonen's PPA running on Ubuntu 12.04.
auth.log says:
sudo: pam_sss(sudo:auth): Request to sssd failed. Broken pipe
sssd.log says:
[sssd] [monitor_quit] (0x0010): Monitor received Terminated: terminating children
I am attaching our sssd.conf (template, treat [% ... %] entries as
containing valid information, I can't disclose that).
From what I understand, an LDAP query is being fired, but it cannot
complete due to the network going down every now and then.
Can we do something to limit the impact of failed communication attempts?
Best regards,
Bolesław Tokarski
10 years, 8 months
A security bug in SSSD (CVE-2013-0219)
by Jakub Hrozek
======================== A security bug in SSSD ===============
=
= Subject: TOCTOU race conditions when creating or removing home
= directories for users in local domain
=
= CVE ID#: CVE-2013-0219
=
= Summary: A TOCTOU (time-of-check, time-of-use) race condition was found
= in the way SSSD performed copying and removal of home
= directory trees.
=
=
= Impact: low
=
= Acknowledgements: The bug was found by Florian Weimer of the Red Hat
= Product Security Team
=
= Affects default
= configuration: no
=
= Introduced with: 0.7.0
=
===============================================================
==== DESCRIPTION ====
SSSD versions 0.7.0 through 1.9.3 (inclusive) are vulnerable to a security bug.
The removal of a home directory is sensitive to concurrent modification of the
directory tree being removed and can unlink files outside the directory tree.
When removing a home directory, if another process is modifying that directory
at the same time, it becomes possible for the SSSD to unlink files that are
outside the directory tree.
When creating a home directory, the destination tree can be modified in various
ways while it is being constructed because directory permissions are set before
populating the directory. This can lead to file creation and permission changes
outside the target directory tree using hard links.
The fix will be delivered as part of the upcoming 1.9.4 release. There
won't be a separate 1.9 security release as the 1.9.4 version will be
released later this week. The flaw will be fixed in a separate release
for the 1.8 and 1.5 LTM release branches as well.
The bug is being tracked in the following Red Hat Bugzilla report:
https://bugzilla.redhat.com/show_bug.cgi?id=884254
==== WORKAROUND ====
These vulnerabilities are present only while creating or removing home
directories, so until patched packages are available, you can simply
refrain from performing these actions.
==== PATCH AVAILABILITY ====
The patches are available at:
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=94cbf1cfb0f88c967f1fb...
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=020bf88fd1c5bdac8fc67...
10 years, 8 months
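The advisory above describes the removal side of the race: a directory tree that is being deleted can be modified concurrently so that the remover unlinks files outside the tree. The following is an added example and not SSSD's code or its fix; it shows the general pattern such a remover should follow, namely opening every component relative to an already-open directory fd with O_NOFOLLOW and never resolving a path that the other party can swap underneath it. All function names (safe_remove_tree, remove_tree_at, demo_symlink_escape) and the constructed directory layout under /tmp are my own.

```c
/* Added example for the CVE-2013-0219 advisory; not SSSD code. Removes a tree
 * without following symlinks and without re-resolving any path by name, so a
 * symlink planted while the tree is being removed is unlinked as a link. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove everything below directory fd dfd. Takes ownership of dfd (closedir
 * closes it). Returns 0 on success, -1 if anything could not be removed. */
static int remove_tree_at(int dfd)
{
    DIR *d = fdopendir(dfd);
    if (d == NULL) { close(dfd); return -1; }

    int ret = 0;
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;

        /* Inspect the entry itself, never what a symlink points at. */
        struct stat st;
        if (fstatat(dfd, de->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) { ret = -1; continue; }

        if (S_ISDIR(st.st_mode)) {
            int sub = openat(dfd, de->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            if (sub < 0) { ret = -1; continue; }   /* ELOOP: a symlink raced in */
            /* Recheck on the open fd: if a different directory was renamed into
             * this name between fstatat and openat, refuse to descend. */
            struct stat st2;
            if (fstat(sub, &st2) < 0 || st2.st_dev != st.st_dev || st2.st_ino != st.st_ino) {
                close(sub); ret = -1; continue;
            }
            if (remove_tree_at(sub) < 0) ret = -1;             /* sub closed inside */
            if (unlinkat(dfd, de->d_name, AT_REMOVEDIR) < 0) ret = -1;
        } else {
            /* Regular files, symlinks, sockets: unlink the name, follow nothing. */
            if (unlinkat(dfd, de->d_name, 0) < 0) ret = -1;
        }
    }
    closedir(d);
    return ret;
}

/* Remove path and everything under it. The top-level open also uses
 * O_NOFOLLOW, so a home directory replaced by a symlink is rejected. */
int safe_remove_tree(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (remove_tree_at(fd) < 0) return -1;
    return rmdir(path);
}

/* Constructed scenario (mine, not from the advisory): a "home" directory that
 * contains a symlink to a file outside it and a symlink to /tmp. Returns 1 if
 * the tree is gone and the outside file survived, 0 if the outside file was
 * wrongly unlinked or the tree remains, -1 on setup failure. */
int demo_symlink_escape(void)
{
    char outside[] = "/tmp/sssd_outside_XXXXXX";
    int ofd = mkstemp(outside);
    if (ofd < 0) return -1;
    close(ofd);

    char home[] = "/tmp/sssd_home_XXXXXX";
    if (mkdtemp(home) == NULL) return -1;

    char p[256];
    snprintf(p, sizeof p, "%s/sub", home);
    if (mkdir(p, 0700) < 0) return -1;
    snprintf(p, sizeof p, "%s/sub/escape", home);     /* link to a file outside */
    if (symlink(outside, p) < 0) return -1;
    snprintf(p, sizeof p, "%s/linkdir", home);        /* link to a directory outside */
    if (symlink("/tmp", p) < 0) return -1;

    int rc = safe_remove_tree(home);
    struct stat st;
    int outside_alive = (stat(outside, &st) == 0);
    int home_gone = (lstat(home, &st) < 0 && errno == ENOENT);
    unlink(outside);
    return (rc == 0 && outside_alive && home_gone) ? 1 : 0;
}

int main(void)
{
    int r = demo_symlink_escape();
    printf("symlink escape prevented: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The point of the fd-relative calls is that there is no moment at which a path string is resolved a second time: once a directory is open, the kernel object it refers to cannot be swapped for another by renaming, and a symlink that appears in place of a child is reported as a symlink and unlinked, not followed. The dev/ino recheck after openat closes the remaining window between looking at an entry and opening it.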
A security bug in SSSD 1.8 and 1.9 (CVE-2013-0220)
by Jakub Hrozek
================= A security bug in SSSD 1.8 and 1.9 ===============
=
= Subject: out-of-bounds reads in autofs and ssh responder
=
= CVE ID#: CVE-2013-0220
=
= Summary: Multiple out-of-bounds buffer read flaws were found in
= the way the autofs and ssh responders of the SSSD
= performed the parsing of input packet values. An attacker
= could crash the autofs and ssh responders with the use
= of a carefully crafted packet written to the responder
= sockets.
=
=
= Impact: low
=
= Acknowledgements: The bug was found by Florian Weimer of the Red Hat
= Product Security team
=
= Affects default
= configuration: yes (as generated by ipa-client-install)
=
= Introduced with: 1.8.0
=
===============================================================
==== DESCRIPTION ====
SSSD versions 1.8.0 through 1.9.3 are vulnerable to a security bug.
The functions that parse the incoming data packet from client applications
in both the ssh and autofs responders do not check the string lengths against
the packet length correctly. An attacker could exploit the bug and crash
the autofs or the ssh responder with the use of a specially crafted packet
sent to the responder sockets, causing a temporary denial of service.
If you are not using the autofs or SSH integration, you can disable the
vulnerable responders by removing "ssh" or "autofs" respectively from the
list of services configured in the [sssd] section of the SSSD config file.
The default configuration of a client of FreeIPA - as generated by
ipa-client-install - is affected because the ssh responder is enabled
by default.
The fix will be delivered as part of the upcoming 1.9.4 release. There won't
be a separate 1.9 security release as the 1.9.4 version will be released later
this week. The flaw will be fixed in a separate release for the 1.8 and 1.5 LTM
releases as well.
The bug is being tracked in the following Red Hat Bugzilla report:
https://bugzilla.redhat.com/show_bug.cgi?id=884601
==== PATCH AVAILABILITY ====
The patch is available at:
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=2bd514cfde1938b1e245a...
10 years, 8 months
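The advisory above boils down to a length field taken from the packet being trusted without comparison against the number of bytes actually received. The following is an added example and not SSSD's responder code or its patch; the packet layout (a uint32 flags field, a uint32 name length counting the NUL, then the name) is a constructed stand-in, not SSSD's real wire format, and the names parse_request, parse_request_unchecked, build_request and the demo_* functions are my own. It puts the bug-class parser beside a hardened one and runs the hardened one over a well-formed, a crafted, and a truncated body.

```c
/* Added example for the CVE-2013-0220 advisory; not SSSD code. The body
 * layout is constructed for illustration: uint32 flags, uint32 name_len
 * (counting the terminating NUL), then name_len bytes. Integers are in host
 * byte order, as they would be on a local socket. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { PARSE_OK = 0, PARSE_SHORT = 1, PARSE_BAD_LEN = 2, PARSE_NOT_NUL = 3 };

struct parsed_req {
    uint32_t    flags;
    const char *name;
    size_t      name_len;   /* without the NUL */
};

/* The bug class in miniature: body_len is never consulted, so the caller
 * will later read as many bytes as the peer's length field says. Kept only
 * for contrast; never run it on untrusted input. */
int parse_request_unchecked(const uint8_t *body, size_t body_len, struct parsed_req *req)
{
    uint32_t name_len;
    (void)body_len;
    memcpy(&req->flags, body, sizeof req->flags);
    memcpy(&name_len, body + 4, sizeof name_len);
    req->name = (const char *)body + 8;
    req->name_len = name_len - 1;       /* attacker-chosen, may exceed the packet */
    return PARSE_OK;
}

/* Read one uint32 at *off, failing unless the whole field lies inside the body. */
static int get_u32(const uint8_t *body, size_t body_len, size_t *off, uint32_t *out)
{
    if (*off > body_len || body_len - *off < sizeof *out) return -1;
    memcpy(out, body + *off, sizeof *out);
    *off += sizeof *out;
    return 0;
}

/* Hardened parser: every length taken from the packet is compared with the
 * bytes still unread before it is used, and the string is required to end
 * inside its own field so later strlen()/strcmp() stay inside the buffer. */
int parse_request(const uint8_t *body, size_t body_len, struct parsed_req *req)
{
    size_t off = 0;
    uint32_t name_len;

    if (get_u32(body, body_len, &off, &req->flags) < 0) return PARSE_SHORT;
    if (get_u32(body, body_len, &off, &name_len) < 0)   return PARSE_SHORT;
    if (name_len == 0 || name_len > body_len - off)     return PARSE_BAD_LEN;  /* the missing check */
    if (body[off + name_len - 1] != '\0')               return PARSE_NOT_NUL;
    if (strlen((const char *)body + off) != name_len - 1) return PARSE_NOT_NUL; /* embedded NUL */

    req->name = (const char *)body + off;
    req->name_len = name_len - 1;
    off += name_len;
    if (off != body_len) return PARSE_BAD_LEN;          /* trailing bytes */
    return PARSE_OK;
}

/* Builds a body whose claimed name length can be set independently of the
 * real one, to craft the kind of packet the advisory describes. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t flags, uint32_t claimed_len, const char *name)
{
    size_t real = strlen(name) + 1;
    if (cap < 8 + real) return 0;
    memcpy(buf, &flags, 4);
    memcpy(buf + 4, &claimed_len, 4);
    memcpy(buf + 8, name, real);
    return 8 + real;
}

/* Well-formed 14-byte request for "alice": 1 if parsed back correctly. */
int demo_wellformed(void)
{
    uint8_t buf[64];
    struct parsed_req r;
    size_t n = build_request(buf, sizeof buf, 1, 6, "alice");
    return parse_request(buf, n, &r) == PARSE_OK && r.flags == 1 &&
           r.name_len == 5 && strcmp(r.name, "alice") == 0;
}

/* Same 14 bytes but name_len claims 0x7fffffff. The unchecked parser would
 * hand back a 2 GiB "string"; the hardened one returns PARSE_BAD_LEN. */
int demo_crafted(void)
{
    uint8_t buf[64];
    struct parsed_req r;
    size_t n = build_request(buf, sizeof buf, 1, 0x7fffffffu, "alice");
    return parse_request(buf, n, &r);
}

/* Body cut off inside the second header field: PARSE_SHORT, nothing read past it. */
int demo_truncated(void)
{
    uint8_t buf[64];
    struct parsed_req r;
    build_request(buf, sizeof buf, 1, 6, "alice");
    return parse_request(buf, 6, &r);
}
```

The shape of the fix is the same whatever the real format: carry the remaining byte count alongside the read offset, check each field against it before touching the bytes, and treat a string that is not NUL-terminated within its declared length as malformed rather than letting strlen() find a terminator somewhere past the end of the packet.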
Problem limiting access to Users in Certain AD groups.
by Daniel Laird
I am stuck with Ubuntu 10.04 (no chance of upgrading our servers).
This means I am currently running SSSD 1.0.5.
I want to limit which users can login.
In later versions I believe I would use
'ldap_access_filter'
This would allow only users in the specified groups to login.
Given my limitation on the version of SSSD can anyone help me achieve the same or is it not possible?
I am a bit scared of rebuilding newer versions of SSSD.
Hope you can help
Dan
Sent from my ASUS Eee Pad
10 years, 8 months