- Issued: 2015-07-22
- Updated: 2015-07-22
RHBA-2015:1448 - sssd bug fix and enhancement update
Synopsis
sssd bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated sssd packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Description
The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms.
The sssd packages have been upgraded to upstream version 1.12.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#1168347)
Several enhancements are described in the Red Hat Enterprise Linux 6.7 Release Notes, linked from the References section:
- The "domains=" option for the pam_sss module (BZ#1168363)
- The UPN (User Principal Name) attribute to identify users and user logins (BZ#1088402)
- Password expiration warnings for non-password authentication (BZ#1036745)
- The ID views feature (BZ#1168344)
- Transferring the user shell attribute from an Active Directory (AD) server to an Identity Management (IdM) client (BZ#1168377)
- Updating cached entries out-of-band in the background (BZ#1098147)
- The ad_site option can be used to override the AD site discovered from DNS (BZ#1161564)
- A new Kerberos plug-in maps Kerberos principals to local SSSD user names (BZ#1168357)
- Groups for AD trusted users are displayed without logging in (BZ#1168378)
- The case_sensitive option accepts the "preserve" value. (BZ#1171782)
- The ldap_access_order option accepts the "ppolicy" value. (BZ#1173198)
- SSSD can use GPOs on an AD server (BZ#1187642)
Bug fixes:
- Applications leveraging identities from SSSD could terminate unexpectedly while invalidating the memory cache using the sss_cache utility. This bug has been fixed, and using sss_cache is safe. (BZ#1123291)
- SSSD properly recognizes Windows 2012R2 as an AD server and applies the correct AD-specific performance optimizations. (BZ#1134942)
- SSSD failed to connect to servers that only allowed authenticated connections to read the rootDSE entry, such as IBM Tivoli LDAP servers. SSSD now retries an authenticated connection after a non-authenticated connection fails while reading rootDSE. As a result, SSSD works as expected with these servers. (BZ#1139878)
- When the simple_allow_groups and simple_allow_users options contained non-existent and existing entries, SSSD denied access to the existing users or groups. Now, SSSD logs and skips the non-existent entries and correctly handles the existing ones. (BZ#1170910)
- This update fixes bugs that caused SSSD to terminate unexpectedly due to memory errors or when trying to access callback data. (BZ#1173738, BZ#1194367)
- The sssd-ldap(5) and sssd.conf(5) man pages have been modified. (BZ#1135838, BZ#1172865)
- SSSD downloaded an unnecessary amount of data when obtaining information about groups from an AD provider when using POSIX attributes on the server. With this update, SSSD downloads only the information about the group object, not the contents of the group. (BZ#1201847)
- SSSD did not properly handle the "objectGUID" AD LDAP attribute. Now, SSSD considers "objectGUID" a binary value as expected, and the attribute is stored correctly. (BZ#1205382)
- If a multi-process program requested the initgroups data immediately after SSSD startup, before the SSSD cache was ready, the NSS responder could incorrectly return an empty group list. With this update, the initgroups requests from a multi-process program with an empty cache work correctly, and the described problem no longer occurs. (BZ#1215765)
- Setups with "subdomains_provider=none" set for AD domains sometimes did not work as expected. Now, the ldap_idmap_default_domain_sid option value is used for the SSSD main domain, thus fixing the bug. Note that ldap_idmap_default_domain_sid must be set for SSSD to function correctly in this situation. (BZ#1221358)
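The following check for the BZ#1221358 requirement is an added example, not part of the advisory or of SSSD itself. It flags AD domains in an sssd.conf that set subdomains_provider to none without setting ldap_idmap_default_domain_sid. It assumes AD domains are the sections with id_provider = ad; the domain names and the SID in the sample are constructed.

```python
import configparser

# Constructed sample sssd.conf: domain names and the SID are made up.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = ad.example.test, lab.example.test, ldap.example.test

[domain/ad.example.test]
id_provider = ad
subdomains_provider = none
ldap_idmap_default_domain_sid = S-1-5-21-1111111111-2222222222-3333333333

[domain/lab.example.test]
id_provider = ad
subdomains_provider = none

[domain/ldap.example.test]
id_provider = ldap
"""


def domains_missing_default_sid(conf_text):
    """Return AD domains that set subdomains_provider=none but leave
    ldap_idmap_default_domain_sid unset (the situation in BZ#1221358)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    flagged = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] and other service sections
        opts = parser[section]
        # Assumption: an AD domain is one configured with id_provider = ad.
        if opts.get("id_provider", "").strip().lower() != "ad":
            continue
        if opts.get("subdomains_provider", "").strip().lower() != "none":
            continue
        if not opts.get("ldap_idmap_default_domain_sid", "").strip():
            flagged.append(section[len("domain/"):])
    return flagged


if __name__ == "__main__":
    for name in domains_missing_default_sid(SAMPLE_CONF):
        print("domain %s: set ldap_idmap_default_domain_sid" % name)
```
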
Enhancement:
- SRV queries now honor the time to live (TTL) values from DNS. (BZ#1171378)
Users of sssd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- sssd-common-pac-1.12.4-47.el6.s390x.rpm
- sssd-ldap-1.12.4-47.el6.s390x.rpm
- sssd-client-1.12.4-47.el6.s390x.rpm
- sssd-ipa-1.12.4-47.el6.s390x.rpm
- sssd-krb5-common-1.12.4-47.el6.x86_64.rpm
- sssd-ipa-1.12.4-47.el6.ppc64.rpm
- sssd-client-1.12.4-47.el6.s390.rpm
- libsss_idmap-devel-1.12.4-47.el6.s390x.rpm
- libsss_idmap-devel-1.12.4-47.el6.ppc64.rpm
- sssd-dbus-1.12.4-47.el6.ppc64.rpm
- libsss_simpleifp-devel-1.12.4-47.el6.x86_64.rpm
- libsss_simpleifp-devel-1.12.4-47.el6.ppc64.rpm
- sssd-krb5-common-1.12.4-47.el6.ppc64.rpm
- sssd-common-pac-1.12.4-47.el6.i686.rpm
- libsss_simpleifp-1.12.4-47.el6.s390.rpm
- sssd-1.12.4-47.el6.src.rpm
- sssd-proxy-1.12.4-47.el6.s390x.rpm
- libipa_hbac-devel-1.12.4-47.el6.ppc.rpm
- libsss_idmap-devel-1.12.4-47.el6.x86_64.rpm
- libipa_hbac-python-1.12.4-47.el6.x86_64.rpm
- sssd-tools-1.12.4-47.el6.ppc64.rpm
- sssd-1.12.4-47.el6.i686.rpm
- sssd-ldap-1.12.4-47.el6.i686.rpm
- libipa_hbac-python-1.12.4-47.el6.s390x.rpm
- sssd-krb5-1.12.4-47.el6.ppc64.rpm
- libsss_idmap-devel-1.12.4-47.el6.i686.rpm
- libsss_idmap-1.12.4-47.el6.i686.rpm
- sssd-client-1.12.4-47.el6.ppc64.rpm
- sssd-tools-1.12.4-47.el6.x86_64.rpm
- libsss_simpleifp-devel-1.12.4-47.el6.s390x.rpm
- sssd-common-1.12.4-47.el6.x86_64.rpm
- sssd-proxy-1.12.4-47.el6.ppc64.rpm
- sssd-1.12.4-47.el6.s390x.rpm
- libipa_hbac-devel-1.12.4-47.el6.s390.rpm
- libipa_hbac-1.12.4-47.el6.ppc64.rpm
- sssd-krb5-common-1.12.4-47.el6.i686.rpm
- libipa_hbac-devel-1.12.4-47.el6.x86_64.rpm
- sssd-debuginfo-1.12.4-47.el6.i686.rpm
- libsss_simpleifp-devel-1.12.4-47.el6.ppc.rpm
- libsss_nss_idmap-devel-1.12.4-47.el6.ppc64.rpm
- libsss_nss_idmap-1.12.4-47.el6.s390.rpm
- sssd-1.12.4-47.el6.x86_64.rpm
- sssd-ldap-1.12.4-47.el6.x86_64.rpm
- libsss_idmap-1.12.4-47.el6.ppc.rpm
- libipa_hbac-python-1.12.4-47.el6.ppc64.rpm
- libipa_hbac-devel-1.12.4-47.el6.ppc64.rpm
- libsss_idmap-1.12.4-47.el6.s390.rpm
- libsss_simpleifp-1.12.4-47.el6.ppc64.rpm
- libsss_nss_idmap-devel-1.12.4-47.el6.x86_64.rpm
- sssd-debuginfo-1.12.4-47.el6.ppc64.rpm
- python-sssdconfig-1.12.4-47.el6.noarch.rpm
- sssd-client-1.12.4-47.el6.x86_64.rpm
- libsss_simpleifp-devel-1.12.4-47.el6.s390.rpm
- sssd-ipa-1.12.4-47.el6.i686.rpm
- sssd-debuginfo-1.12.4-47.el6.x86_64.rpm
- libipa_hbac-1.12.4-47.el6.s390.rpm
- libsss_simpleifp-1.12.4-47.el6.s390x.rpm
- sssd-common-1.12.4-47.el6.i686.rpm
- libsss_nss_idmap-python-1.12.4-47.el6.i686.rpm
- libsss_idmap-devel-1.12.4-47.el6.ppc.rpm
- sssd-common-1.12.4-47.el6.s390x.rpm
- libsss_nss_idmap-1.12.4-47.el6.i686.rpm
- sssd-common-pac-1.12.4-47.el6.ppc64.rpm
- sssd-dbus-1.12.4-47.el6.i686.rpm
- libsss_nss_idmap-python-1.12.4-47.el6.ppc64.rpm
- libipa_hbac-devel-1.12.4-47.el6.i686.rpm
- sssd-debuginfo-1.12.4-47.el6.s390x.rpm
- sssd-krb5-1.12.4-47.el6.s390x.rpm
- libsss_nss_idmap-devel-1.12.4-47.el6.s390.rpm
- sssd-proxy-1.12.4-47.el6.x86_64.rpm
- libsss_idmap-1.12.4-47.el6.x86_64.rpm
- sssd-common-1.12.4-47.el6.ppc64.rpm
- libsss_nss_idmap-1.12.4-47.el6.x86_64.rpm
- sssd-client-1.12.4-47.el6.i686.rpm
- libsss_simpleifp-1.12.4-47.el6.i686.rpm
- libipa_hbac-1.12.4-47.el6.x86_64.rpm
- libsss_simpleifp-1.12.4-47.el6.x86_64.rpm
- sssd-debuginfo-1.12.4-47.el6.ppc.rpm
- libipa_hbac-1.12.4-47.el6.i686.rpm
- sssd-tools-1.12.4-47.el6.i686.rpm
- libsss_nss_idmap-python-1.12.4-47.el6.x86_64.rpm
- sssd-krb5-1.12.4-47.el6.i686.rpm
- libipa_hbac-1.12.4-47.el6.ppc.rpm
- sssd-ad-1.12.4-47.el6.i686.rpm
- sssd-proxy-1.12.4-47.el6.i686.rpm
- libsss_nss_idmap-devel-1.12.4-47.el6.ppc.rpm
- sssd-debuginfo-1.12.4-47.el6.s390.rpm
- libsss_idmap-1.12.4-47.el6.s390x.rpm
- sssd-ipa-1.12.4-47.el6.x86_64.rpm
- sssd-krb5-common-1.12.4-47.el6.s390x.rpm
- libsss_simpleifp-devel-1.12.4-47.el6.i686.rpm
- sssd-krb5-1.12.4-47.el6.x86_64.rpm
- sssd-1.12.4-47.el6.ppc64.rpm
- libsss_nss_idmap-devel-1.12.4-47.el6.s390x.rpm
- libsss_nss_idmap-1.12.4-47.el6.s390x.rpm
- libsss_nss_idmap-1.12.4-47.el6.ppc64.rpm
- sssd-ad-1.12.4-47.el6.x86_64.rpm
- libipa_hbac-python-1.12.4-47.el6.i686.rpm
- sssd-common-pac-1.12.4-47.el6.x86_64.rpm
- libsss_simpleifp-1.12.4-47.el6.ppc.rpm
- sssd-tools-1.12.4-47.el6.s390x.rpm
- sssd-dbus-1.12.4-47.el6.x86_64.rpm
- libsss_nss_idmap-1.12.4-47.el6.ppc.rpm
- sssd-client-1.12.4-47.el6.ppc.rpm
- sssd-ad-1.12.4-47.el6.ppc64.rpm
- sssd-ldap-1.12.4-47.el6.ppc64.rpm
- libsss_idmap-1.12.4-47.el6.ppc64.rpm
- libipa_hbac-1.12.4-47.el6.s390x.rpm
- sssd-dbus-1.12.4-47.el6.s390x.rpm
- libsss_idmap-devel-1.12.4-47.el6.s390.rpm
- libipa_hbac-devel-1.12.4-47.el6.s390x.rpm
- libsss_nss_idmap-python-1.12.4-47.el6.s390x.rpm
- libsss_nss_idmap-devel-1.12.4-47.el6.i686.rpm
- sssd-ad-1.12.4-47.el6.s390x.rpm
Fixes
- BZ - 1134942
- BZ - 1135432
- BZ - 1135643
- BZ - 1135838
- BZ - 1140909
- BZ - 1148113
- BZ - 1148582
- BZ - 1154042
- BZ - 1161564
- BZ - 1168344
- BZ - 1170910
- BZ - 1172494
- BZ - 1194302
- BZ - 1198478
- BZ - 1200093
- BZ - 1200487
- BZ - 1201847
- BZ - 1202728
- BZ - 1203630
- BZ - 1203643
- BZ - 1205382
- BZ - 1205716
- BZ - 1206121
- BZ - 1207720
- BZ - 1211728
- BZ - 1213716
- BZ - 1213822
- BZ - 1216094
- BZ - 1217328
- BZ - 1219844
- BZ - 1221358
- BZ - 1225614
- BZ - 1226834
- BZ - 1232738
CVEs
(none)
References
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.7_Release_Notes/index.html
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at Security Contacts and Procedures.
- Offline Security Data is available for integration with other systems. See Offline Security Data API to get started.