| Description: | The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms.
This update adds several enhancements that are described in more detail in the Red Hat Enterprise Linux 7.1 Release Notes, linked to in the References section, including:
Added the "domains=" option to the pam_sss module. Added an SSSD plug-in to enable accessing a CIFS share. (BZ#727466, BZ#922081)
This update fixes the following bugs:
The sssd-ad(5) man page did not explain that when using multiple types of providers, such as an Active Directory (AD) provider and an LDAP provider, the user must fully configure each of the providers. The man page explains this now. (BZ#1075141)
The system added the "sss" module to the nsswitch.conf file, even when SSSD was not running. The GNU C Library (glibc) calls returned incorrect error messages, which caused certain user space tools to not work properly. The "sssd_nss" module returns correct error codes, so that the user space tools handle them gracefully. (BZ#1124320)
The hard-coded list of supported AD servers in SSSD did not include the Windows Server 2012R2 (WS2012R2) release. Clients connected to WS2012R2 printed a warning to the logs and were unable to use some AD-specific performance enhancements. To fix these problems, this update adds WS2012R2 to the list. (BZ#1134940)
SSSD overwrote a variable containing password expiration data under certain circumstances, and did not sometimes display password expiration messages to the user. This update fixes the problem, and SSSD displays password expiration data as expected. (BZ#1144011)
Several AD-specific codepaths in the LDAP provider assumed data structures and functions that were available only with a full AD provider. Looking up secondary groups using the LDAP provider failed. This update modifies the codepaths to allow using the "id_provider=ldap" setting with AD servers and disables the support for the tokenGroups attribute when using this configuration. Clients using "id_provider=ldap" with an AD server work seamlessly. (BZ#1146541)
SSSD sometimes did not map some of the group security identifiers (SIDs) returned from the tokenGroups attribute, unless an SSSD client used the "id_provider=ad" setting. SSSD did not display all groups in the "id" output and could deny access to users. Support for tokenGroups is now disabled if "id_provider=ad" is not used, and SSSD reports the group membership correctly. (BZ#1161741)
Failed attempts to convert a GID to a group name during certain access control checks, which is required for comparison with the "simple_allow_groups" list, could cause SSSD to incorrectly deny access. SSSD now continues to resolve the next groups when only allow rules are used, and the users can log in even if SSSD cannot perform the conversion for some of their groups. (BZ#1175408)
This update adds the following enhancements:
The sssd service can now be run as a non-root user. Previously, sssd could only be run as root, which could potentially pose a security risk. To set sssd to run unprivileged, add the "user=sssd" option to the [sssd] section of the sssd.conf file. (BZ#1113783)
SSSD is able use the group policy objects (GPOs) stored on an AD server for access control. Windows administrators can now use the GPOs to control access to Linux clients. (BZ#1115429)
A new Kerberos plug-in helps to map Kerberos principals to local SSSD user names. It is no longer necessary to configure the .k5login file or the "auth_to_local" rules in the krb5.conf file to enable passwordless logins to IdM clients for AD users in a setup with AD trusts. (BZ#1135043)
Users of sssd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
|