Chapter 2. Authentication and Interoperability
SSSD correctly reports supplementary groups for AD users in a nested domain
Resolving supplementary groups sometimes failed for Active Directory (AD) users with the same samAccountName attribute who existed in two AD domains, when:
- one of the AD domains was nested under the other
- the users were stored in a non-default organizational unit (OU)
Consequently, the id [user_name] command reported only the primary group for these users.
The underlying SSSD code has been improved to better match the user account with its domain. As a result, SSSD also reports supplementary groups of AD users in the described situation. (BZ#1293168)
Authentication no longer fails when two SRV resolution requests are running at the same time
When multiple service record (SRV) resolution requests were running concurrently, one of them returned a failure indicating that no new servers were found. Consequently, authentication using the ssh utility failed. With this update, SSSD handles two concurrent SRV resolution requests gracefully. As a result, authentication no longer fails in this situation. (BZ#1367435)
Users with expired or locked accounts now cannot log in to IdM clients with their SSH keys
When a trusted Active Directory (AD) user with an expired or locked user account attempted to log in to an Identity Management (IdM) client using a non-password login method, such as SSH keys, the login was successful. With this update, the IdM client checks the AD lockout attribute when verifying whether an AD user is allowed to log in. As a result, AD users with expired or locked accounts are no longer permitted to log in under these conditions.
Note that this bug has no security impact: The AD user could not obtain a Kerberos ticket on the IdM client because the user account was expired or locked on the server side. (BZ#1335400)
sssd_be subprocesses no longer unnecessarily consume memory
Previously, when the id_provider option was set to ad in the /etc/sssd/sssd.conf file, a helper process inside the sssd_be process sometimes failed. In consequence, the process was spawning new sssd_be instances, which consumed additional memory.
With this update, SSSD does not fork sssd_be subprocesses if no helper program is available. This reduces the amount of consumed memory. (BZ#1336453)
Attempts to renew the system password in a keytab no longer cause SSSD to stop working
When attempting to renew the system password stored in a keytab, System Security Services Daemon (SSSD) leaked a file descriptor. The leaked file descriptors gradually accumulated, which caused SSSD to stop working.
With this update, SSSD no longer leaks file descriptors in this situation. As a result, SSSD is able to keep updating the system password without the described negative impact on the system. (BZ#1340176)
SSSD now correctly processes GPO files that contain attributes in a format other than key=value
Previously, System Security Services Daemon (SSSD) did not correctly process INI files that contained attribute pairs in a format other than key=value. Consequently, SSSD failed to process group policy object (GPO) files that contained such attributes.
This update ensures that SSSD processes the mentioned files correctly even if they use a different attribute format than key=value. (BZ#1374813)
SSSD now resolves users with externalUser correctly
Support for the externalUser LDAP attribute was removed from the System Security Services Daemon (SSSD) in Red Hat Enterprise Linux 6.8. In consequence, the assignment of sudo rules to local accounts, such as by using the /etc/passwd file, failed. The problem affected only accounts outside of Identity Management (IdM) domains and Active Directory (AD) trusted domains.
This update ensures that SSSD correctly resolves users with the externalUser attribute defined. As a result, assigning sudo rules works as expected in the described situation. (BZ#1321884)
SSSD correctly creates local overrides in an AD environment
Previously, the sss_override utility created case-insensitive distinguished names (DNs) when the id_provider option was set to ad in the /etc/sssd/sssd.conf file. However, the DNs in the SSSD cache are stored as case-sensitive. As a consequence, local overrides were not created for users from the Active Directory (AD) subdomain and for users with mixed-case account names. With this update, SSSD searches the object in the cache and uses the DN from the search result. This fixes the problem in the mentioned situation. (BZ#1327272)
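The following is an added, constructed model of the sss_override failure above, not SSSD's own code: the cache is a dictionary keyed by case-sensitive DNs, the buggy path derives the override DN from the case-folded input name under the configured domain, and the fixed path searches the cache and reuses the DN it returns. The DN layout, account names and UID values are assumptions for illustration.

```python
# Added example, not SSSD's code: constructed model of the sss_override bug.
# CACHE models the SSSD cache; its DN keys keep the account's original case
# and the subdomain container the object really lives in.
CACHE = {
    "name=Alice.Smith@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb":
        {"name": "Alice.Smith@ad.example.com", "uidNumber": 10001},
    "name=bob@child.ad.example.com,cn=users,cn=child.ad.example.com,cn=sysdb":
        {"name": "bob@child.ad.example.com", "uidNumber": 10002},
}

OVERRIDES = {}  # constructed override store: override DN -> attributes


def buggy_override_dn(fqname, configured_domain):
    """Before the fix: build the DN from the case-folded name and place it under
    the domain from sssd.conf. A mixed-case name or an AD subdomain user yields
    a DN that does not exist in the case-sensitive cache."""
    return f"name={fqname.lower()},cn=users,cn={configured_domain},cn=sysdb"


def fixed_override_dn(fqname):
    """After the fix: search the cache by name (user names compare
    case-insensitively) and return the stored DN verbatim, so the case and the
    subdomain container are always the ones the cache actually uses."""
    for dn, obj in CACHE.items():
        if obj["name"].lower() == fqname.lower():
            return dn
    return None


def create_override(dn, uid_override):
    """An override can only be attached to an object that exists in the cache."""
    if dn is None or dn not in CACHE:
        return False
    OVERRIDES[dn] = {"uidNumber": uid_override}
    return True


def demo(configured_domain="ad.example.com"):
    """Run both problem cases (mixed-case name, subdomain user) through the
    buggy and the fixed path; returns (buggy_results, fixed_results)."""
    cases = ["Alice.Smith@ad.example.com", "bob@child.ad.example.com"]
    buggy = [create_override(buggy_override_dn(n, configured_domain), 20000)
             for n in cases]
    fixed = [create_override(fixed_override_dn(n), 20000) for n in cases]
    return buggy, fixed


if __name__ == "__main__":
    print(demo())  # ([False, False], [True, True])
```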
OpenLDAP now correctly sets NSS settings
Previously, the OpenLDAP server's handling of the network security settings (NSS) code was incorrect. As a consequence, settings were not applied, which caused certain NSS options, such as olcTLSProtocolMin, not to work correctly. This update addresses the bug, and as a result the affected NSS options now work as expected. (BZ#1249092)
IPA replica installation no longer fails due to malformed HTTP requests
A bug in pki-core previously caused PKI to generate HTTP requests missing a Host header and using incorrect line delimiters during IPA replica installation. At the same time, an update to httpd caused these malformed requests to be rejected, even though they were accepted in previous versions, and as a result, IPA replica installations failed. This update to pki-core fixes the problem in HTTP request generation, and replica installations now work as expected. (BZ#1403943)