Announcing SSSD 2.1
by Jakub Hrozek
== SSSD 2.1 ===
The SSSD team is proud to announce the release of version 2.1 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New features
^^^^^^^^^^^^
* Any provider can now match and map certificates to user identities. This
feature enables to log in with a smart card without having to store the
full certificate blob in the directory or in user overrides. Please see
`The design page
<https://docs.pagure.org/SSSD.sssd/design_pages/certmaps_for_LDAP_AD_file....>`_
for more information (#3500)
* ``pam_sss`` can now be configured to only perform Smart Card authentication
or return an error if this is not possible.
* ``pam_sss`` can also prompt the user to insert a Smart Card if, during an
authentication it is not available. SSSD would then wait for the card
until it is inserted or until timeout defined by
``p11_wait_for_card_timeout`` passes.
* The device or reader used for Smart Card authentication can now be
selected or restricted using a PKCS#11 URI (see RFC-7512) specified in
the ``p11_uri`` option.
* Multiple certificates are now supported for Smart Card authentication
even if SSSD is built with OpenSSL
* OCSP checks were added to the OpenSSL version of certificate
authentication
* A new option ``crl_file`` can be used to select a Certificate Revocation
List (CRL) file to be used during verification of a certificate for Smart
Card authentication.
* Certificates with Elliptic Curve keys are now supported (#3887)
* It is now possible to refresh the KCM configuration without restarting the
whole SSSD deamon, just by modifying the ``[kcm]`` section of ``sssd.conf``
and running ``systemctl restart sssd-kcm.service``.
* A new configuration option ``ad_gpo_implicit_deny`` was added. This option
(when set to True) can be used to deny access to users even if there is
not applicable GPO. Normally users are allowed access in this situation.
(#3701)
* The dynamic DNS update can now batch DNS updates to include all address
family updates in a single transaction to reduce replication traffic
in complex environments (#3829)
* Configuration file snippets can now be used even when the main
``sssd.conf`` file does not exist. This is mostly useful to configure
e.g. the KCM responder, the implicit files provider or the session
recording with setups that have no explicit domain (#3439)
* The ``sssctl user-checks`` tool can now display extra attributes set
with the InfoPipe ``user_attributes`` configuraton option (#3866)
Security issues fixed
^^^^^^^^^^^^^^^^^^^^^
* CVE-2019-3811: SSSD used to return "/" in case a user entry had no home
directory. This was deemed a security issue because this flaw could
impact services that restrict the user's filesystem access to within
their home directory. An empty home directory field would indicate
"no filesystem access", where sssd reporting it as "/" would grant full
access (though still confined by unix permissions, SELinux etc).
Notable bug fixes
^^^^^^^^^^^^^^^^^
* Many fixes for the internal "sbus" IPC that was rewritten in the
2.0 release including crash on reconnection (#3821), a memory leak
(#3810), a proxy provider startup crash (#3812), sudo responder
crash (#3854), proxy provider authentication (#3892), accessing
the ``extraAttributes`` InfoPipe property (#3906) or a potential
startup failure (#3924)
* The Active Directory provider now fetches the user information from the
LDAP port and switches to using the Global Catalog port, if available
for the group membership. This fixes an issue where some attributes
which are not available in the Global Catalog, typically the home
directory, would be removed from the user entry. (#2474)
* Session recording can now be enabled also for local users when the session
recording is configured with ``scope=some`` and restricted to certain
groups.
* Smart Card authentication did not work with the KCM credentials cache
because with KCM root cannot write to arbitrary user's credential caches
(#3903)
* A KCM bug that prevented SSH Kerberos credential forwarding from functioning
was fixed (#3873)
* The KCM responder did not work with completely empty database (#3815)
* The sudo responder did not reflect the case_sensitive domain option
(#3820)
* The SSH responder no longer fails completely if the ``p11_child`` times out
when deriving SSH keys from a certificate (#3937)t
* An issue that caused SSSD to sometimes switch to offline mode in case
not all domains in the forest ran the Global Catalog service was
fixed (#3902)
* If any of the SSSD responders was too busy, that responder wouldn't have
refreshed the trusted domain list (#3967)
* The IPA SELinux provider now sets the user login context even if it is the
same as the system default. This is important in case the user has
a non-standard home directory, because then only adding the user to
the SELinux database ensures the home directory will be labeled properly.
However, this fix causes a performance hit during the first login
as the context must be written into the semanage database.
* A memory leak when requesting netgroups repeatedly was fixed (#3870)
* The ``pysss.getgrouplist()`` interface that was removed by accident
in the 2.0 version was re-added (#3493)
* Crash when requesting users with the ``FindByNameAndCertificate`` D-Bus
method was fixed (#3863)
* SSSD can again run as the non-privileged sssd user (#3871)
* The cron PAM service name used for GPO access control now defaults to
a different service name depending on the OS (Launchpad #1572908)
Packaging Changes
-----------------
* The sbus code generator no longer relies on existance of the "python"
binary, the python2/3 binary is used depending on which bindings are
being generated (#3807)
* Very old libini library versions are no longer supported
Documentation Changes
---------------------
* Two new ``pam_sss`` options ``try_cert_auth`` and ``require_cert_auth``
can restrict authentication to use a Smart Card only or wait for a Smart
Card to be inserted.
* A new option ``p11_wait_for_card_timeout`` controls how long would SSSD
wait for a Smart Card to be inserted before failing with
``PAM_AUTHINFO_UNAVAIL``.
* A new option ``p11_uri`` is available to restrict the device or reader
used for Smart Card authentication.
Tickets Fixed
-------------
* `3967 <https://pagure.io/SSSD/sssd/issue/3967>`_ - NSS responder does no refresh domain list when busy
* `3961 <https://pagure.io/SSSD/sssd/issue/3961>`_ - sssd config-check reports an error for a valid configuration option
* `3958 <https://pagure.io/SSSD/sssd/issue/3958>`_ - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls
* `3949 <https://pagure.io/SSSD/sssd/issue/3949>`_ - gdm login not prompting for username when smart card maps to multiple users
* `3942 <https://pagure.io/SSSD/sssd/issue/3942>`_ - RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly
* `3937 <https://pagure.io/SSSD/sssd/issue/3937>`_ - If p11_child spawned from sssd_ssh times out, sssd_ssh fails completely
* `3936 <https://pagure.io/SSSD/sssd/issue/3936>`_ - Missing sssd-files in last section(SEE ALSO) of sssd man pages
* `3924 <https://pagure.io/SSSD/sssd/issue/3924>`_ - "Corrupted" name of "Hello" method of org.freedesktop.DBus sssd sbus interface on Fedora Rawhide
* `3921 <https://pagure.io/SSSD/sssd/issue/3921>`_ - crash when requesting extra attributes
* `3919 <https://pagure.io/SSSD/sssd/issue/3919>`_ - sss_cache prints spurious error messages when invoked from shadow-utils on package install
* `3917 <https://pagure.io/SSSD/sssd/issue/3917>`_ - Double free error in tev_curl
* `3916 <https://pagure.io/SSSD/sssd/issue/3916>`_ - Wrong spelling of method
* `3912 <https://pagure.io/SSSD/sssd/issue/3912>`_ - incorrect example in the man page of idmap_sss suggests using * for backend sss
* `3911 <https://pagure.io/SSSD/sssd/issue/3911>`_ - Re-setting the trusted AD domain fails due to wrong subdomain service name being used
* `3910 <https://pagure.io/SSSD/sssd/issue/3910>`_ - KCM destroy operation returns KRB5_CC_NOTFOUND, should return KRB5_FCC_NOFILE if non-existing ccache is about to be destroyed
* `3909 <https://pagure.io/SSSD/sssd/issue/3909>`_ - SSSD 2.0 has drastically lower sbus timeout than 1.x, this can result in time outs
* `3906 <https://pagure.io/SSSD/sssd/issue/3906>`_ - extraAttributes is org.freedesktop.DBus.Error.UnknownProperty: Unknown property
* `3903 <https://pagure.io/SSSD/sssd/issue/3903>`_ - PKINIT with KCM does not work
* `3902 <https://pagure.io/SSSD/sssd/issue/3902>`_ - SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust
* `3901 <https://pagure.io/SSSD/sssd/issue/3901>`_ - sssd returns '/' for emtpy home directories
* `3896 <https://pagure.io/SSSD/sssd/issue/3896>`_ - sss_cache shouldn't return ENOENT when no entries match
* `3892 <https://pagure.io/SSSD/sssd/issue/3892>`_ - The proxy provider does not copy reply from the child
* `3890 <https://pagure.io/SSSD/sssd/issue/3890>`_ - SSSD changes the memory cache file ownership away from the SSSD user when running as root
* `3889 <https://pagure.io/SSSD/sssd/issue/3889>`_ - Abort LDAP authentication if the check_encryption function finds out the connection is not authenticated
* `3887 <https://pagure.io/SSSD/sssd/issue/3887>`_ - sssd support for for smartcards using ECC keys
* `3882 <https://pagure.io/SSSD/sssd/issue/3882>`_ - Missing concise documentation about valid options for sssd-files-provider
* `3876 <https://pagure.io/SSSD/sssd/issue/3876>`_ - Unable to su to root when logged in as a local user
* `3875 <https://pagure.io/SSSD/sssd/issue/3875>`_ - CURLE_SSL_CACERT is deprecated in recent curl versions
* `3874 <https://pagure.io/SSSD/sssd/issue/3874>`_ - RefreshRules_recv marks the wrong request as done
* `3873 <https://pagure.io/SSSD/sssd/issue/3873>`_ - Perform some basic ccache initialization as part of gen_new to avoid a subsequent switch call failure
* `3872 <https://pagure.io/SSSD/sssd/issue/3872>`_ - SSSD 2.x does not sanitize domain name properly for D-bus, resulting in a crash
* `3871 <https://pagure.io/SSSD/sssd/issue/3871>`_ - sbus: allow non-root execution
* `3866 <https://pagure.io/SSSD/sssd/issue/3866>`_ - sssctl user-checks does not show custom IFP user_attributes
* `3865 <https://pagure.io/SSSD/sssd/issue/3865>`_ - Off-by-one error in retrieving host name causes hostnames with exactly 64 characters to not work
* `3863 <https://pagure.io/SSSD/sssd/issue/3863>`_ - sssd ifp crash when trying FindByNameAndCertificate
* `3862 <https://pagure.io/SSSD/sssd/issue/3862>`_ - Restarting the sssd-kcm service should reload the configuration without having to restart the whole sssd
* `3858 <https://pagure.io/SSSD/sssd/issue/3858>`_ - sssctl user-show says that user is expired if the user comes from files provider
* `3855 <https://pagure.io/SSSD/sssd/issue/3855>`_ - session not recording for local user when groups defined
* `3854 <https://pagure.io/SSSD/sssd/issue/3854>`_ - sudo: sbus2 related crash
* `3849 <https://pagure.io/SSSD/sssd/issue/3849>`_ - Files: The files provider always enumerates which causes duplicate when running getent passwd
* `3848 <https://pagure.io/SSSD/sssd/issue/3848>`_ - pam_unix unable to match fully qualified username provided by sssd during smartcard auth using gdm
* `3845 <https://pagure.io/SSSD/sssd/issue/3845>`_ - The config file validator says that certmap options are not allowed
* `3841 <https://pagure.io/SSSD/sssd/issue/3841>`_ - The simultaneous use of strncpy and a length-check in client code is confusing Coverity
* `3830 <https://pagure.io/SSSD/sssd/issue/3830>`_ - Printing incorrect information about domain with sssctl utility
* `3829 <https://pagure.io/SSSD/sssd/issue/3829>`_ - SSSD does not batch DDNS update requests
* `3828 <https://pagure.io/SSSD/sssd/issue/3828>`_ - Invalid domain provider causes SSSD to abort startup
* `3827 <https://pagure.io/SSSD/sssd/issue/3827>`_ - SSSD should log to syslog if a domain is not started due to a misconfiguration
* `3826 <https://pagure.io/SSSD/sssd/issue/3826>`_ - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated
* `3821 <https://pagure.io/SSSD/sssd/issue/3821>`_ - crash related to sbus_router_destructor()
* `3815 <https://pagure.io/SSSD/sssd/issue/3815>`_ - KCM: The secdb back end might fail creating a new ID with a completely empty database
* `3814 <https://pagure.io/SSSD/sssd/issue/3814>`_ - [RFE] Add option to specify a Smartcard with a PKCS#11 URI
* `3813 <https://pagure.io/SSSD/sssd/issue/3813>`_ - sssd startup issues since 1.16.2 (PID file related)
* `3812 <https://pagure.io/SSSD/sssd/issue/3812>`_ - sssd 2.0.0 segfaults on startup
* `3810 <https://pagure.io/SSSD/sssd/issue/3810>`_ - sbus2: fix memory leak in sbus_message_bound_ref
* `3807 <https://pagure.io/SSSD/sssd/issue/3807>`_ - The sbus codegen script relies on "python" which might not be available on all distributions
* `3802 <https://pagure.io/SSSD/sssd/issue/3802>`_ - Reuse sysdb_error_to_errno() outside sysdb
* `3798 <https://pagure.io/SSSD/sssd/issue/3798>`_ - When passwords are set to cache=false, userCertificate auth fails when backend is offline
* `3797 <https://pagure.io/SSSD/sssd/issue/3797>`_ - When AD provider is offline, usercertmap fails
* `3701 <https://pagure.io/SSSD/sssd/issue/3701>`_ - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login.
* `3650 <https://pagure.io/SSSD/sssd/issue/3650>`_ - RFE: Require smartcard authentication
* `3598 <https://pagure.io/SSSD/sssd/issue/3598>`_ - [RFE] Allow sssd to read the certificate attributes instead of blob look-up against the LDAP
* `3576 <https://pagure.io/SSSD/sssd/issue/3576>`_ - sssd-kcm failed to start on F-27 after installing sssd-kcm
* `3567 <https://pagure.io/SSSD/sssd/issue/3567>`_ - SYSDB: Lowercased email is stored as nameAlias
* `3500 <https://pagure.io/SSSD/sssd/issue/3500>`_ - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication
* `3489 <https://pagure.io/SSSD/sssd/issue/3489>`_ - p11_child should work wit openssl1.0+
* `3451 <https://pagure.io/SSSD/sssd/issue/3451>`_ - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.
* `3439 <https://pagure.io/SSSD/sssd/issue/3439>`_ - Snippets are not used when sssd.conf does not exist
* `3413 <https://pagure.io/SSSD/sssd/issue/3413>`_ - a bug in libkrb5 causes kdestroy -A to not work with more than 2 principals with KCM
* `3334 <https://pagure.io/SSSD/sssd/issue/3334>`_ - sssctl config-check does not check any special characters in domain name of domain section
* `3333 <https://pagure.io/SSSD/sssd/issue/3333>`_ - usermod -a -G bar foo fails due to some file providers races
* `3276 <https://pagure.io/SSSD/sssd/issue/3276>`_ - Revert workaround in CI for bug in python-{request,urllib3}
* `3263 <https://pagure.io/SSSD/sssd/issue/3263>`_ - consider adding sudo-i to the list of pam_response_filter services by default
* `2817 <https://pagure.io/SSSD/sssd/issue/2817>`_ - dynamic dns - remove detection of 'realm' keyword support
* `2474 <https://pagure.io/SSSD/sssd/issue/2474>`_ - AD: do not override existing home-dir or shell if they are not available in the global catalog
* `1944 <https://pagure.io/SSSD/sssd/issue/1944>`_ - convert dyndns timer to be_ptask
Detailed Changelog
------------------
* Adam Williamson (1):
* sbus: use 120 second default timeout
* Alexey Tikhonov (16):
* Fix error in hostname retrieval
* util/tev_curl: Fix double free error in schedule_fd_processing()
* CONFIG: validator rules & test
* sss_client/common.c: fix Coverity issue
* sss_client/common.c: fix off-by-one error in sizes check
* sss_client/common.c: comment amended
* sss_client/nss_services.c: indentation fixed
* sss_client/nss_services.c: fixed incorrect mutex usage
* sss_client: global unexported symbols made static
* providers/ldap: abort unsecure authentication requests
* providers/ldap: fixed check of ldap_get_option return value
* providers/ldap: init sasl_ssf in specific case
* sbus/interface: fixed interface copy helpers
* lib/cifs_idmap_sss: fixed unaligned mem access
* Util: fixed mistype in error string representation
* TESTS: fixed bug in guests startup function
* George McCollister (1):
* build: remove hardcoded samba include path
* Jakub Hrozek (38):
* Updating the version to track 2.1 development
* KCM: Don't error out if creating a new ID as the first step
* SELINUX: Always add SELinux user to the semanage database if it doesn't exist
* pep8: Ignore W504 and W605 to silence warnings on Debian
* TESTS: Add a test for whitespace trimming in netgroup entries
* TESTS: Add two basic multihost tests for the files provider
* FILES: The files provider should not enumerate
* p11: Fix two instances of -Wmaybe-uninitialized in p11_child_openssl.c
* UTIL: Suppress Coverity warning
* PYSSS: Re-add the pysss.getgrouplist() interface
* IFP: Use subreq, not req when calling RefreshRules_recv
* CI: Make the c-ares suppression file more relaxed to prevent failures on Debian
* INI: Return errno, not -1 on failure from sss_ini_get_stat
* MONITOR: Don't check for pidfile if SSSD is already running
* SSSD: Allow refreshing only certain section with --genconf
* SYSTEMD: Re-read KCM configuration on systemctl restart kcm
* TEST: Add a multihost test for sssd --genconf
* TESTS: Add a multihost test for changing sssd-kcm debug level by just restarting the KCM service
* RESPONDER: Log failures from bind() and listen()
* LDAP: minor refactoring in auth_send() to conform to our coding style
* LDAP: Only authenticate the auth connection if we need to look up user information
* PROXY: Copy the response to the caller
* NSS: Avoid changing the memory cache ownership away from the sssd user
* KCM: Deleting a non-existent ccache should not yield an error
* TESTS: Add a test for deleting a non-existent ccache with KCM
* MAN: Explicitly state that not all generic domain options are supported for the files provider
* AD/IPA: Reset subdomain service name, not domain name
* IPA: Add explicit return after tevent_req_error
* MULTIHOST: Do not use the deprecated namespace
* KCM: Return a valid tevent error code if a request cannot be created
* KCM: Allow representing ccaches with a NULL principal
* KCM: Create an empty ccache on switch to a non-existing one
* TESTS: Add a multihost test for ssh credentials forwarding
* MAN: Add sssd-files(5) to the See Also section
* TESTS: Add a simple integration test for retrieving the extraAttributes property
* TESTS: Don't fail when trying to create an OU that already exists
* Updating translations for the 2.1 release
* Updating the version for the 2.1.0 release
* Lukas Slebodnik (29):
* BUILD: Fix issue with installation of libsss_secrets
* BUILD: Add missing deps to libsss_sbus*.so
* BUILD: Reduce compilation of unnecessary files
* MAN: Fix typo in ad_gpo_implicit_deny default value
* CONFIGURE: Add minimal required version for p11-kit
* SBUS: Silence warning maybe-uninitialized
* UTIL: Fix compilation with curl 7.62.0
* test_pac_responder: Skip test if pac responder is not installed
* INTG: Show extra test summary info with pytest
* p11_child: Fix warning cast discards ‘const’ qualifier from pointer target type
* CI: Modify suppression file for c-ares-1.15.0
* sss_cache: Do not fail for missing domains
* intg: Add test for sss_cache & shadow-utils use-case
* sss_cache: Do not fail if noting was cached
* test_sss_cache: Add test case for invalidating missing entries
* pyhbac-test: Do not use assertEquals
* SSSDConfigTest: Do not use assertEquals
* SSSDConfig: Fix ResourceWarning unclosed file
* SSSDConfigTest: Remove usage of failUnless
* BUILD: Fix condition for building sssd-kcm man page
* DIST: Do not use conditional include for template files
* NSS: Do not use deprecated header files
* sss_cache: Fail if unknown domain is passed in parameter
* test_sss_cache: Add test case for wrong domain in parameter
* Remove macro ZERO_STRUCT
* test_files_provider: Do not use pytest fixtures as functions
* test_ldap: Do not uses pytest fixtures as functions
* Revert "intg: Generate tmp dir with lowercase"
* ent_test: Update assertions for python 3.7.2
* Madhuri Upadhye (1):
* pytest: Add test cases for configuration validation
* Michal Židek (4):
* GPO: Add gpo_implicit_deny option
* CONFDB: Skip 'local' domain if not supported
* confdb: Always read snippet files
* CONFDB: Remove old libini support
* Niranjan M.R (20):
* Python3 changes to multihost tests
* Minor fixes related to converting of ldap attributes to bytes
* test-library: fixes related to KCM, TLS on Directory server
* Multihost-SanityTests: New test case for ssh login with KCM as default
* pytest: Remove installing idm module
* pytest/testlib: Add function to create organizational Unit
* pytest/testlib: Fix related to removing kerberos database
* pytest: Add test for sudo: search with lower cased name for case insensitive domains
* pytest/testlib: function to create sudorules in ldap
* pytest/testlib: remove space in CA DN
* pytest/conftest.py: Delete krb5.keytab as part of cleanup
* pytest: split kcm test cases in to separate file.
* testlib: Update update_resolv_conf() to decode str to bytes
* testlib: Replace Generic Exception with SSSDException and LdapException
* pytest/sudo: Modify fixture to restore sssd.conf
* pytest/sudo: Rename create_sudorule to case_sensitive_sudorule
* pytest/sudo: call case_sensitive_sudorule fixture instead of create_sudorule
* pytest/sudo: Add 2 fixtures set_entry_cache_sudo_timeout and generic_sudorule
* pytest/sudo: Add Testcase: sssd crashes when refreshing expired sudo rules.
* pytest: use ConfigParser() instead of SafeConfigParser()
* Pavel Březina (25):
* sbus: register filter on new connection
* sbus: fix typo
* sbus: check for null message in sbus_message_bound
* sbus: replace sbus_message_bound_ref with sbus_message_bound_steal
* sbus: add unit tests for public sbus_message module
* sudo: respect case sensitivity in sudo responder
* proxy: access provider directly not through be_ctx
* dp: set be_ctx->provider as part of dp_init request
* sbus: read destination after sender is set
* sbus: do not try to remove signal listeners when disconnecting
* sbus: free watch_fd->fdevent explicitly
* be: use be_is_offline for the main domain when asking for domain status
* sudo: use correct sbus interface
* sudo: fix error handling in sudosrv_refresh_rules_done
* sbus: remove leftovers from previous implementation
* sbus: allow access for sssd user
* nss: use enumeration context as talloc parent for cache req result
* sss_iface: prevent from using invalid names that start with digits
* ci: add ability to run tests in jenkins
* ci: add Fedora 29
* sbus: do not use signature when copying dictionary entry
* sbus: avoid using invalid stack point in SBUS_INTERFACE
* sbus: improve documentation of SBUS_INTERFACE
* ci: add Fedora Rawhide
* sbus: terminated active ongoing request when reconnecting
* Sumit Bose (63):
* intg: flush the SSSD caches to sync with files
* sbus: dectect python binary for sbus_generate.sh
* sysdb: extract sysdb_ldb_msg_attr_to_certmap_info() call
* sysdb_ldb_msg_attr_to_certmap_info: set SSS_CERTMAP_MIN_PRIO
* sysdb: add attr_map attribute to sysdb_ldb_msg_attr_to_certmap_info()
* confdb: add confdb_certmap_to_sysdb()
* AD/LDAP: read certificate mapping rules from config file
* sysdb: sysdb_certmap_add() handle domains more flexible
* confdb: add special handling for rules for the files provider
* files: add support for Smartcard authentication
* responder: make sure SSS_DP_CERT is passed to files provider
* PAM: add certificate matching rules from all domains
* doc: add certificate mapping section to man page
* intg: user default locale
* PAM: use better PAM error code for failed Smartcard authentication
* test_ca: test library only for readable
* test_ca: set a password/PIN to nss databases
* getsockopt_wrapper: add support for PAM clients
* intg: add Smartcard authentication tests
* ci: add http-parser-devel for Fedora
* p11: handle multiple certs during auth with OpenSSL
* p11_child: add --wait_for_card option
* PAM: add p11_wait_for_card_timeout option
* pam_sss: make flags public
* pam_sss: add try_cert_auth option
* pam_sss: add option require_cert_auth
* intg: require SC tests
* p11_child: show PKCS#11 URI in debug output
* p11_child: add PKCS#11 uri to restrict selection
* PAM: add p11_uri option
* tests: add PKCS#11 URI tests
* PAM: return short name for files provider users
* p11_child: add OCSP check ot the OpenSSL version
* p11_child: add crl_file option for the OpenSSL build
* files: add session recording flag
* ifp: fix typo causing a crash in FindByNameAndCertificate
* pam_sss: return PAM_AUTHINFO_UNAVAIL if sc options are set
* p11_child(NSS): print key type in a debug message
* pam_test_srv: set default value for SOFTHSM2_CONF
* tests: add ECC CA
* test_pam_srv: add test for certificate with EC keys
* p11_child(openssl): add support for EC keys
* utils: refactor ssh key extraction (OpenSSL)
* utils: add ec_pub_key_to_ssh() (OpenSSL)
* utils: refactor ssh key extraction (NSS)
* utils: add ec_pub_key_to_ssh() (NSS)
* BUILD: Accept krb5 1.17 for building the PAC plugin
* tests: fix mocking krb5_creds in test_copy_ccache
* tests: increase p11_child_timeout
* LDAP: Log the encryption used during LDAP authentication
* Revert "IPA: use forest name when looking up the Global Catalog"
* ipa: use only the global catalog service of the forest root
* p11_child(openssl): do not free static memory
* krb5_child: fix permissions during SC auth
* idmap_sss: improve man page
* PAM: use user name hint if any domain has set it
* utils: make N_ELEMENTS public
* ad: replace ARRAY_SIZE with N_ELEMENTS
* responder: fix domain lookup refresh timeout
* ldap: add get_ldap_conn_from_sdom_pvt
* ldap: prefer LDAP port during initgroups user lookup
* ldap: user get_ldap_conn_from_sdom_pvt() where possible
* krb5_locator: always use port 88 for master KDC
* Thorsten Scherf (1):
* CONFIG: add missing ldap attributes for validation
* Tomas Halman (14):
* doc: remove local provider reference from manpages
* confdb: log an error when domain is misconfigured
* doc: Add nsswitch.conf note to manpage
* test_config: Test for invalid characker in domain
* UTIL: move and rename sysdb_error_to_errno to utils
* DYNDNS: Drop support for legacy NSUPDATE
* SSSCTL: user-show says that user is expired
* DYNDNS: Convert dyndns timer to be_ptask
* DYNDNS: SSSD does not batch DDNS update requests
* nss: sssd returns '/' for emtpy home directories
* ifp: extraAttributes is UnknownProperty
* SSSCTL: user-checks does not show custom attributes
* ssh: sssd_ssh fails completely on p11_child timeout
* ssh: p11_child error message is too generic
* Victor Tapia (1):
* GPO: Allow customization of GPO_CROND per OS
* mateusz (1):
* Added note about default value of ad_gpo_map_batch parameter
1 month, 2 weeks
How to keep the password in sync with AD?
by Ian Puleston
Hi,
I have a laptop running F28 and which is set up with "Enterprise Login" to authenticate against my company's Active Directory domain network using realmd & SSSD. When we set this up a few months back and joined the laptop to the Windows domain it worked great, letting me log in with my AD user name (name(a)x.y.com) and password. It still works great generally, except that my AD password expired and I changed it, but I can't get the laptop to update to the new password. It just goes on requiring me to enter the old AD account password that it has cached. That is fine when I'm offline and away from work, but when I'm in the office and plugged into the corporate network then I'd expect it to update itself with the new password from the domain server, which just isn't happening.
Is there some way to force SSSD to re-sync its cached password with the domain server?
Some more detail:
After logging out and then back in while connected to the corporate AD domain (and using the old cached password) I checked the logs in /var/log/sssd:
sssd_<domain>.log:
(Thu Jan 24 17:43:30 2019) [sssd[be[sv.us.sonicwall.com]]] [id_callback] (0x0010): The Monitor returned an error [org.freedesktop.DBus.Error.NoReply]
sssd_nss.log has a bunch of these:
(Thu Jan 24 17:38:04 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Thu Jan 24 17:44:27 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
and sssd_pam.log a bunch of the same:
(Thu Jan 24 17:38:07 2019) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
(Thu Jan 24 17:44:27 2019) [sssd[pam]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
And also, while using sudo to view those I got this error a couple of times:
sudo: PAM account management error: Authentication service cannot retrieve authentication info
But I've verified that I can ping the sv.us.sonicwall.com domain server from the laptop after logging in, so network connectivity is not the issue.
With more detailed logging enabled, I can see that it successfully pulls a list of 12 domain controllers from the LDAP server, then tries to kinit with each in turn. A couple don't respond, but those that do all fail as follows:
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, IAN-LAPTOP$, SV.US.SONICWALL.COM, 86400)
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [be_resolve_server_process] (0x0200): Found address for server stc4svdc01.sv.us.sonicwall.com: [10.50.129.149] TTL 3600
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 54
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for TGT child
...
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158226](Authentication Failed)
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'stc4svdc01.sv.us.sonicwall.com' as 'not working'
(Thu Jan 24 18:51:27 2019) [sssd[be[sv.us.sonicwall.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'stc4svdc01.sv.us.sonicwall.com' as 'not working'
I don't really know this stuff, but that looks like the Kerberos ticket has expired? What I've read says that renewing an expired ticket should happen automatically when I use the password, but that doesn't seem to be happening.
Ideas?
1 month, 2 weeks
ldap_id_mapping=True login linux the user UID auto change
by CharlesLee
Hi, everyone
I have a problem with sssd 1.16.0 use in CentOS7 with AD(windows server 2008R2).
I'm use realm join the AD,and sssd config is next:
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = ARD.INC
ldap_search_base = dc=BEIJ,dc=inc
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.201.207/
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
domains = default, ARD.inc
config_file_version = 2
services = nss, pam
[pam]
[autofs]
[domain/ARD.inc]
ad_domain = ARD.inc
krb5_realm = ARD.INC
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = YW-CLUSTER-LOGI$
ldap_id_mapping = true
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
ldap_idmap_range_min = 5000
ldap_idmap_range_max = 7000
ldap_idmap_range_size = 10
At the beginning it's running very good.
But the recent we discovery some user's UID have changed , the UID auto +10.
For example, the UID initial is 5333 then user UID auto change to 5343.
Why?
How to solve it?
Thanks.
1 month, 3 weeks
Getting kerberos TGT with smartcard when going online
by Winberg, Adam
When I login with smartcard and SSSD is offline, for example if I am at
home, I will of course not get a TGT. But when SSSD goes online (via VPN),
I would like to automatically get a TGT. I can't get this to work with
smartcard auth - is this possible? I'm testing on RHEL8 beta.
Regards
Adam Winberg
1 month, 3 weeks
No netgroup_provider?
by Spike White
All,
Spoiler alert: my configuration is working; I just want verification I
did it right.
BACKGROUND:
I have an LDAP domain that was delivering autofs maps exclusively. Other
(AD) domains were delivering users, groups, authentication and access.
Since this back-end LDAP domain didn’t participate in any user
authentication or access, I configured that backup LDAP domain in sssd.conf
with only an autofs_provder:
[domain/LDAP]
debug_level = 9
id_provider = none
autofs_provider = ldap
ldap_uri= ldap://austgcore17.example.com
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=ldapadm,dc=itzgeek,dc=local
ldap_default_authtok = ldppassword
ldap_autofs_search_base = ou=automount,ou=admin,dc=itzgeek,dc=local
ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=itzgeek,dc=local
Works great! Get all expected automount maps.
CURRENT (ADDED NETGROUPS):
Now I have added NIS netgroups to this backend LDAP server. Thus, it now
successfully delivers automount maps + netgroups.
I still don’t want this LDAP backend domain to even attempt authentication
and access – that’s in my other (AD) domains.
So you’d think all I’d have to do is change this:
[domain/LDAP]
…
id_provider = none
autofs_provider = ldap
to this:
[domain/LDAP]
…
id_provider = none
autofs_provider = ldap
netgroup_provider = ldap
But – point in fact – there is no “netgroup_provider” setting for sssd.conf
file. Netgroup takes whatever the value is of ‘id_provider’.
So I turned on id_provider, then explicitly turned off all providers I
don’t want. Is this correct?
[domain/LDAP]
debug_level = 9
#id_provider = none
id_provider = ldap
auth_provider = none
account_provider = none
chpass_provider = none
sudo_provider = none
subdomains_provider = none
autofs_provider = ldap
Also, any particular reason there’s not a netgroup_provider?
BTW, retrieving netgroups via sssd does not seem explicitly and concretely
documented. That is, I had to consult multiple sources to get the RFC
2307bis setup, another to get the sssd.conf settings. (I’m not faulting
anyone; netgroups are rarely used anymore.)
Is there someone that maintains sssd documentation, I could submit a
concrete example – to help any future intrepid explorer? I have the
specific back-end LDIF files, the specific sssd.conf and nsswitch.conf
file setup.
Spike White
2 months
Any way to disallow unauthorized users in the pam "authentication" phase instead of "account" phase?
by Spike White
All,
This is not a big deal -- just curious.
We have a commercial Linux AD integration product. In it, the incoming
user's authorization to log in is validated during the PAM "authentication"
phase. So if it's a legal AD user and good password, but that user is not
authorized in -- you're returned to the "login name: / password:" prompt.
In sssd, it appears that validating if you're a legally-authorized user or
in a legally-authorized group occurs in the PAM "account" phase. It's done
by the "simple" access_provider.
Consider again a legal AD user and good password, but again -- that user is
not authorized in.
Now that user name is accepted, that password is accepted, but then the
server closes your putty session. You're not returned to a "login name: /
password:" prompt.
Like I say -- not a big deal. Unauthorized users are intercepted and
disallowed, just in different ways. Just curious if there's a way to make
sssd fail in the former manner, instead of the latter.
Spike White
2 months
SSO works on one server but not the other (reinstall?)
by Hans Schou
Hi
I have two servers "L" & "R" which are connected to the AD.
On server L I can login with SSO and I don't have to type password.
On server R I can't login with SSO and I have to type the AD password.
The user is only defined in the AD not locally.
I have tried "realm leave" + "realm join" and "sss_cache -E".
Removed
/etc/sssd/*
/etc/krb5.keytab
/var/lib/sss/db/*
to make sure no config was leftover.
The /etc/sssd/sssd.conf is equal on both servers.
Both servers are running RHEL 7.6.
/etc/sssd/sssd.conf :
[sssd]
domains = acme.com
config_file_version = 2
services = nss, pam
[domain/acme.com]
ad_domain = acme.com
krb5_realm = ACME.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
debug_level = 7
Any hint much appreciated.
best regards
Hans
2 months
smartcard cert mapping offline (AD)
by Winberg, Adam
I'm having a hard time understanding how cert mapping is supposed to work
offline. Currently I have the following certmap config (this is on
RHEL8-beta):
[certmap/ad.example.com/smartcard]
maprule =
(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
to map the CN on the card to 'samAccountName' in AD. This works as long as
I'm online (access to AD), but when I go offline (disconnect network) the
maprule is not working. I thought that the mapping would then use the sssd
cache but apparantly not - so how is smartcard login supposed to work
offline?
Regards
Adam
2 months
Cant get new TGT after kdestroy on gdm login with smartcard.
by Winberg, Adam
I am having problems consistently getting a TGT after logging in via GDM
with smartcard. On first login it normally works, but if I do a 'kdestroy'
and then logout of my gnome session, I don't get a new TGT when I login to
a new session. Instead, the root user has a TGT for my AD user:
[a001329@c20693 ~]$ klist
klist: Credentials cache 'KCM:60483' not found
[root@c20693 ~]# klist
Ticket cache: KCM:0:63363
Default principal: a001329(a)EXAMPLE.COM
Valid starting Expires Service principal
2019-02-13 15:11:38 2019-02-14 01:11:33 krbtgt/EXAMPLE.com(a)EXAMPLE.com
renew until 2019-02-20 15:11:33
A wild guess is that krb5-pkinit works by letting the root user get a TGT
for my user and then transfer that cache to my user, or something? In my
case that transfer does not happen if I previously performed a kdestroy.
From krb5_child.log:
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]]
[sss_get_ccache_name_for_principal] (0x4000): Location: [KCM:]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]]
[sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KCM:0:71555]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache]
(0x4000): Initializing ccache of type [KCM]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache]
(0x4000): CC supports switch
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [create_ccache]
(0x4000): returning: 0
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]]
[safe_remove_old_ccache_file] (0x0400): New and old ccache file are the
same, none will be deleted.
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [k5c_send_data]
(0x0200): Received error code 0
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]]
[pack_response_packet] (0x2000): response packet size: [95]
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Feb 13 14:46:14 2019) [[sssd[krb5_child[12020]]]] [main] (0x0400):
krb5_child completed successfully
After a while (not sure how long) it works as expected again, presumably
after a timeout of some sort.
If I disable KCM (by removing /etc/krb5.conf.d/kcm_default_ccache) TGT
retrieval works as expected. Am I missing something or is this a bug?
Regards,
Adam
2 months