@pbrezina pbrezina released this 16 Apr 09:01

SSSD 1.16.3


New Features

  • The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were discovered for a Kerberos realm used to be only generated for the joined domain, not the trusted domains. Starting with this release, the kdcinfo files are generated automatically also for trusted domains in setups that use id_provider=ad and IPA masters in a trust relationship with an AD domain.
  • The SSSD Kerberos locator plugin which processes the kdcinfo files and actually tells libkrb5 about the available KDCs can now process multiple address if SSSD generates more than one. At the moment, this feature is only used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8) manual page for more information about the Kerberos locator plugin.
  • On IPA clients, the AD DCs or the AD site which should be used to authenticate users can now be listed in a subdomain section. Please see the feature design page or the section "trusted domains configuration" for more details.

Notable bug fixes

  • SECURITY: The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read anyone else's sudo rules. This was considered an information leak and assigned CVE-2018-10852 (#3766)
  • IMPORTANT: The 1.16.2 release was storing the cached passwords without a salt prefix string. This bug was fixed in this release, but any password hashes generated by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is that the upgrade from 1.16.2 to 1.16.3 should be done while the authentication server is reachable, so that the first authentication after the upgrade fixes the cached password.
  • The sss_ssh process leaked file descriptors when converting more than one x509 certificate to an SSH public key (#3794)
  • SSSD, when configured with id_provider=ad, was using an overly expensive LDAP search to find out whether the required POSIX attributes were replicated to the Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which is much more efficient (#3755)
  • The PAC responder is now able to process Domain Local in case the PAC uses SID compression. Typically this is the case with Windows Server 2012 and newer (#3767)
  • Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would close the pipe towards sss_ssh_authorizedkeys when the matching key is found before the rest of the output is read. The sss_ssh_authorizedkeys helper was not handling this behaviour well and would exit with SIGPIPE, which also meant the public key authentication failed (#3747)
  • User lookups no longer fail if user's e-mail address conflicts with another user's fully qualified name (#3607)
  • The override_shell and override_homedir options are no longer applied to entries from the files domain (#3758)
  • Several bugs related to the FleetCommander integration were fixed (#3773, #3774)
  • The grace logins with an expired password when authenticating against certain newer versions of the 389DS/RHDS LDAP server did not work (#3597)
  • Whitespace around netgroup triple separator is now stripped
  • The sss_ssh_knownhostsproxy utility can now print the host key without proxying the connection.
  • Due to an overly restrictive check, the fast in-memory cache was sometimes skipped, which caused a high load on the sssd_nss process (#3776).
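The sss_ssh_authorizedkeys item above describes a writer that dies from SIGPIPE when sshd closes the pipe after reading the matching key. The following is an added example, not SSSD's code and not necessarily the approach the fix took: a pipe writer that ignores SIGPIPE, treats EPIPE as an ordinary error, and replays the early-close scenario with constructed sample keys.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

/* Write all of buf to fd. Returns 0 on success, -1 with errno set on error.
 * With SIGPIPE ignored, a reader that has closed its end makes write()
 * fail with EPIPE instead of terminating the whole process. */
int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* interrupted, retry */
            return -1;             /* EPIPE lands here */
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Replay the failure mode: the reader takes the first (matching) key and
 * closes its end before the second key is written. Returns 1 when the
 * writer survives and sees EPIPE, 0 on any other outcome. */
int early_close_is_handled(void)
{
    /* constructed sample keys, not real public keys */
    const char *key1 = "ssh-ed25519 AAAAC3...sample1 user@example\n";
    const char *key2 = "ssh-ed25519 AAAAC3...sample2 user@example\n";
    char buf[128];
    int pfd[2], rc, err;

    signal(SIGPIPE, SIG_IGN);      /* closed pipe becomes an error, not a signal */
    if (pipe(pfd) < 0)
        return 0;
    if (write_all(pfd[1], key1, strlen(key1)) < 0)
        return 0;
    if (read(pfd[0], buf, sizeof(buf)) < 0)   /* reader consumes key1 ... */
        return 0;
    close(pfd[0]);                             /* ... and hangs up early */

    rc = write_all(pfd[1], key2, strlen(key2));
    err = errno;
    close(pfd[1]);
    return (rc < 0 && err == EPIPE) ? 1 : 0;
}
```

Without the signal(SIGPIPE, SIG_IGN) call, the second write_all never returns: the process is killed by SIGPIPE, which is the behaviour the bug report describes.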

Packaging Changes

  • The python2 bindings are not built by default on Fedora 29 or newer
  • The sssd-secrets responder is now packaged in the sssd-kcm subpackage and might be removed in a future release

Documentation Changes

  • sss_ssh_knownhostsproxy has a new option -k/--print.

See full release notes here.