Skip to content


Choose a tag to compare
@pbrezina pbrezina released this 16 Apr 09:01
· 3525 commits to master since this release

SSSD 1.16.0


Security fixes

  • This release fixes CVE-2017-12173: Unsanitized input when searching in local cache database. SSSD stores its cached data in an LDAP like local database file using libldb. To lookup cached data LDAP search filters like (objectClass=user)(name=user_name) are used. However, in sysdb_search_user_by_upn_res(), the input was not sanitized and allowed to manipulate the search filter for cache lookups. This would allow a logged in user to discover the password hash of a different user.

New Features

  • SSSD now supports session recording configuration through tlog. This feature enables recording of everything specific users see or type during their sessions on a text terminal. For more information, see the sssd-session-recording(5) manual page.
  • SSSD can act as a client agent to deliver Fleet Commander policies defined on an IPA server. Fleet Commander provides a configuration management interface that is controlled centrally and that covers desktop, applications and network configuration.
  • Several new systemtap probes were added into various locations in SSSD code to assist in troubleshooting and analyzing performance related issues. Please see the sssd-systemtap(5) manual page for more information.
  • A new LDAP provide access control mechanism that allows to restrict access based on PAM's rhost data field was added. For more details, please consult the sssd-ldap(5) manual page, in particular the options ldap_user_authorized_rhost and the rhost value of ldap_access_filter.

Performance enhancements

  • Several attributes in the SSSD cache that are quite often used during cache searches were not indexed. This release adds the missing indices, which improves SSSD performance in large environments.

Notable bug fixes

  • The SSSD libwbclient implementation adjusted its behaviour in order to be compatible with Winbind's return value of wbcAuthenticateUserEx(). This enables the SSSD libwbclient library to work with Samba-4.6 or newer.
  • SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder did not protect the communication with the PAC responder with a mutex. This was causing multi-threaded applications that process the Kerberos PAC to miss a reply from SSSD and then were blocked until the default client timeout of 300 seconds passed. This release adds the mutex, which fixes the PAC responder usage in multi-threaded environments.
  • Previously, SSSD used to refresh several expired sudo rules by combining them into a long LDAP filter. This was ineffective, because the LDAP server had to process the query, but at that point, the client was quite often querying most or all of the sudo rules anyway. In this version, when the number of sudo rules to be refreshed exceeds the value of a new option sudo_threshold, all sudo rules are fetched instead.
  • A bug in the sudo integration that prevented the rules from matching if the user name referenced in that rule was overriden with sss_override or IPA ID views was fixed
  • When SSSD is configured with id_provider=ad, then a Kerberos configuration is created that instructs libkrb5 to use TCP for communication with the AD DC by default. This would save switching from UDP to TCP, which happens almost every time with the ad provider due to the PAC attached to the Kerberos ticket.

Packaging Changes

  • The sss_debuglevel and sss_cache utilities were superseded by sssctl commands sssctl debug-level and sssctl cache-expire, respectively. While this change is backwards-compatible in the sense that the old commands continue to work, it is recommended to switch to the sssctl command which will in future encompass all SSSD administration tasks.
  • Two new manpages, sssd-session-recording(5) and sssd-systemtap(5) were added.
  • A new systemtap example script, which is packaged by default at /usr/share/sssd/systemtap/dp_request.stp was added.
  • A new directory called deskprofile under the SSSD state directory (typically /var/lib/sss/) was added. SSSD downloads the Fleet Commander profiles into this directory.

Documentation Changes

  • The ldap_user_certificate option has changed its default value in the LDAP provider from "not set" to userCertificate;binary.
  • The ldap_access_filter option has a new allowed value rhost to support access control based on the PAM rhost value. The attribute that SSSD reads during the rhost access control can be configured using the new option ldap_user_authorized_rhost.
  • The thresholds after which the IPA and LDAP sudo providers will refresh all sudo rules instead of only the expired ones can be tuned using the sudo_threshold option.
  • A new provider handler, session_provider was added. At the moment, only two handlers, ipa and none are supported. The IPA session handler is used to fetch the Fleet Commander profiles from an IPA server.
  • The interval after which the IPA session provider will check for new FleetCommander profiles can be configured using the new ipa_deskprofile_request_interval option.

See full release notes here.