On (19/10/17 23:00), Jakub Hrozek wrote:
>Hi,
>
>below are the 1.16.0 release notes in the RST format. Please feel free to
>provide feedback.
>
>SSSD 1.16.0
>===========
>
>Highlights
>----------
>
>Security fixes
>^^^^^^^^^^^^^^
> * This release fixes CVE-2017-12173: Unsanitized input when searching in
>   local cache database. SSSD stores its cached data in an LDAP-like local
>   database file using ``libldb``. To look up cached data, LDAP search filters
>   like ``(objectClass=user)(name=user_name)`` are used. However, in
>   ``sysdb_search_user_by_upn_res()``, the input was not sanitized and
>   allowed to manipulate the search filter for cache lookups. This would
>   allow a logged in user to discover the password hash of a different user.
>
>New Features
>^^^^^^^^^^^^
> * SSSD now supports session recording configuration through ``tlog``. This
>   feature enables recording of everything specific users see or type during
>   their sessions on a text terminal. For more information, see the
>   ``sssd-session-recording(5)`` manual page.
>
> * SSSD can act as a client agent to deliver
>   `Fleet Commander <https://wiki.gnome.org/Projects/FleetCommander>`_
>   policies defined on an IPA server. Fleet Commander provides a
>   configuration management interface that is controlled centrally and
>   that covers desktop, applications and network configuration.
>
> * Several new `systemtap <https://sourceware.org/systemtap/>`_ probes
>   were added into various locations in SSSD code to assist in
>   troubleshooting and analyzing performance related issues. Please see the
>   ``sssd-systemtap(5)`` manual page for more information.
>
> * A new LDAP provider access control mechanism that allows restricting
>   access based on PAM's rhost data field was added. For more details,
>   please consult the ``sssd-ldap(5)`` manual page, in particular the 
>   options ``ldap_user_authorized_rhost`` and the ``rhost`` value of
>   ``ldap_access_filter``.
>
>Performance enhancements
>^^^^^^^^^^^^^^^^^^^^^^^^
> * Several attributes in the SSSD cache that are quite often used during
>   cache searches were not indexed. This release adds the missing indices,
>   which improves SSSD performance in large environments.
>
IMHO it's questionable whether it is really a performance enhancement.
It might help in a few cases and give worse results in other cases,
especially if you set SSS_NSS_USE_MEMCACHE for all processes, remove the sssd cache
and restart sssd quite often to speed things up.

>Notable bug fixes
>^^^^^^^^^^^^^^^^^
> * The SSSD libwbclient implementation adjusted its behaviour in order to
>   be compatible with Winbind's return value of wbcAuthenticateUserEx().
>   This enables the SSSD libwbclient library to work with Samba-4.6 or newer.
>
> * SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
>   did not protect the communication with the PAC responder with a mutex.
>   This was causing multi-threaded applications that process the Kerberos
>   PAC to miss a reply from SSSD and then were blocked until the default
>   client timeout of 300 seconds passed. This release adds the mutex,
>   which fixes the PAC responder usage in multi-threaded environments.
>
> * Previously, SSSD used to refresh several expired sudo rules by combining
>   them into a long LDAP filter. This was ineffective, because the LDAP server
>   had to process the query, but at that point, the client was quite often
>   querying most or all of the sudo rules anyway. In this version, when
>   the number of sudo rules to be refreshed exceeds the value of a new option
>   ``sudo_threshold``, all sudo rules are fetched instead.
>
> * A bug in the sudo integration that prevented the rules from matching if the
>   user name referenced in that rule was overridden with ``sss_override`` or
>   IPA ID views was fixed.
>
> * When SSSD is configured with ``id_provider=ad``, then a Kerberos
>   configuration is created that instructs libkrb5 to use TCP for communication
>   with the AD DC by default. This would save switching from UDP to TCP, which
>   happens almost every time with the ``ad`` provider due to the PAC attached
>   to the Kerberos ticket.
>
>Packaging Changes
>-----------------
> * The ``sss_debuglevel`` and ``sss_cache`` utilities were superseded by
>   ``sssctl`` commands ``sssctl debug-level`` and ``sssctl cache-expire``,
>   respectively. While this change is backwards-compatible in the sense
>   that the old commands continue to work, it is recommended to switch
>   to the ``sssctl`` command which will in future encompass all SSSD
>   administration tasks.
>
Just a nitpick

sss_cache is not superseded by sssctl. "sssctl cache-expire" executes
/usr/sbin/sss_cache, which is the same binary as it was before.

LS
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
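The CVE-2017-12173 entry quoted above describes a search filter built from unsanitized input. The following is an added illustration, not SSSD's own code: a hypothetical ``ldap_filter_escape()`` that hex-escapes the RFC 4515 filter metacharacters, and the unsafe versus safe way of assembling a ``(name=...)`` lookup filter with it. The filter shape and the constructed input are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not SSSD's sanitizer): escape a value for use inside
 * an LDAP search filter. The metacharacters '(', ')', '*' and '\' become
 * \XX hex sequences as RFC 4515 requires. Returns a malloc'd string. */
char *ldap_filter_escape(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte escaped */
    char *p = out;
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '(' || c == ')' || c == '*' || c == '\\') {
            p += sprintf(p, "\\%02x", c);
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* The shape of the bug: the caller-supplied name is pasted straight into
 * the filter, so any ')' or '(' in it changes the filter's structure. */
char *build_filter_unsafe(const char *name)
{
    char *f = malloc(strlen(name) + 32);
    if (f) sprintf(f, "(&(objectClass=user)(name=%s))", name);
    return f;
}

/* The fix: escape first, so the value can only ever be matched as a value. */
char *build_filter_safe(const char *name)
{
    char *esc = ldap_filter_escape(name);
    char *f = NULL;
    if (esc == NULL) return NULL;
    f = malloc(strlen(esc) + 32);
    if (f) sprintf(f, "(&(objectClass=user)(name=%s))", esc);
    free(esc);
    return f;
}
```

With a constructed input such as ``a)(b=*``, the unsafe builder yields a filter with an extra assertion, while the safe builder keeps the whole input inside the single ``name`` assertion.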