Patch  oval:com.redhat.rhba:def:20150441
RHBA-2015:0441: sssd bug fix and enhancement update (None)  

The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms.
This update adds several enhancements that are described in more detail in the Red Hat Enterprise Linux 7.1 Release Notes, linked to in the References section, including:
* Added the "domains=" option to the pam_sss module.
* Added an SSSD plug-in to enable accessing a CIFS share. (BZ#727466, BZ#922081)
This update fixes the following bugs:
* The sssd-ad(5) man page did not explain that when using multiple types of providers, such as an Active Directory (AD) provider and an LDAP provider, the user must fully configure each of the providers. The man page explains this now. (BZ#1075141)
* The system added the "sss" module to the nsswitch.conf file, even when SSSD was not running. The GNU C Library (glibc) calls returned incorrect error messages, which caused certain user space tools to not work properly. The "sssd_nss" module returns correct error codes, so that the user space tools handle them gracefully. (BZ#1124320)
* The hard-coded list of supported AD servers in SSSD did not include the Windows Server 2012R2 (WS2012R2) release. Clients connected to WS2012R2 printed a warning to the logs and were unable to use some AD-specific performance enhancements. To fix these problems, this update adds WS2012R2 to the list. (BZ#1134940)
* SSSD overwrote a variable containing password expiration data under certain circumstances, and sometimes did not display password expiration messages to the user. This update fixes the problem, and SSSD displays password expiration data as expected. (BZ#1144011)
* Several AD-specific codepaths in the LDAP provider assumed data structures and functions that were available only with a full AD provider. Looking up secondary groups using the LDAP provider failed. This update modifies the codepaths to allow using the "id_provider=ldap" setting with AD servers and disables the support for the tokenGroups attribute when using this configuration. Clients using "id_provider=ldap" with an AD server work seamlessly. (BZ#1146541)
* SSSD sometimes did not map some of the group security identifiers (SIDs) returned from the tokenGroups attribute, unless an SSSD client used the "id_provider=ad" setting. SSSD did not display all groups in the "id" output and could deny access to users. Support for tokenGroups is now disabled if "id_provider=ad" is not used, and SSSD reports the group membership correctly. (BZ#1161741)
* Failed attempts to convert a GID to a group name during certain access control checks, which is required for comparison with the "simple_allow_groups" list, could cause SSSD to incorrectly deny access. SSSD now continues to resolve the next groups when only allow rules are used, and the users can log in even if SSSD cannot perform the conversion for some of their groups. (BZ#1175408)
This update adds the following enhancements:
* The sssd service can now be run as a non-root user. Previously, sssd could only be run as root, which could potentially pose a security risk. To set sssd to run unprivileged, add the "user=sssd" option to the [sssd] section of the sssd.conf file. (BZ#1113783)
* SSSD is able to use the group policy objects (GPOs) stored on an AD server for access control. Windows administrators can now use the GPOs to control access to Linux clients. (BZ#1115429)
* A new Kerberos plug-in helps to map Kerberos principals to local SSSD user names. It is no longer necessary to configure the .k5login file or the "auth_to_local" rules in the krb5.conf file to enable passwordless logins to IdM clients for AD users in a setup with AD trusts. (BZ#1135043)
Users of sssd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Create Date: 2015-03-05 Last Update Date: 2015-03-05

Affected Platforms/Products

Affected Products (CPE + CVE references)
Platforms: unix (from OVAL definitions)
  • Red Hat Enterprise Linux 7 (please do not use for >= RHEL-7.5)

References

Criteria

The patch should be installed
IF : All of the following are true
  IF : Any one of the following are true
    IF : All of the following are true
      IF : libsss_nss_idmap-python is signed with Red Hat redhatrelease2 key
      IF : libsss_nss_idmap-python is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd is earlier than 0:1.12.2-58.el7
      IF : sssd is signed with Red Hat redhatrelease2 key
    IF : All of the following are true
      IF : sssd-ldap is signed with Red Hat redhatrelease2 key
      IF : sssd-ldap is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-krb5-common is signed with Red Hat redhatrelease2 key
      IF : sssd-krb5-common is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-libwbclient is signed with Red Hat redhatrelease2 key
      IF : sssd-libwbclient is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : libsss_idmap is signed with Red Hat redhatrelease2 key
      IF : libsss_idmap is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-common is signed with Red Hat redhatrelease2 key
      IF : sssd-common is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-ad is signed with Red Hat redhatrelease2 key
      IF : sssd-ad is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : libsss_nss_idmap is signed with Red Hat redhatrelease2 key
      IF : libsss_nss_idmap is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : libipa_hbac-python is signed with Red Hat redhatrelease2 key
      IF : libipa_hbac-python is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-proxy is signed with Red Hat redhatrelease2 key
      IF : sssd-proxy is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-client is signed with Red Hat redhatrelease2 key
      IF : sssd-client is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-ipa is signed with Red Hat redhatrelease2 key
      IF : sssd-ipa is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-common-pac is signed with Red Hat redhatrelease2 key
      IF : sssd-common-pac is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : libipa_hbac is signed with Red Hat redhatrelease2 key
      IF : libipa_hbac is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-krb5 is signed with Red Hat redhatrelease2 key
      IF : sssd-krb5 is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : python-sssdconfig is signed with Red Hat redhatrelease2 key
      IF : python-sssdconfig is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : libipa_hbac-devel is signed with Red Hat redhatrelease2 key
      IF : libipa_hbac-devel is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : libsss_simpleifp-devel is signed with Red Hat redhatrelease2 key
      IF : libsss_simpleifp-devel is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-dbus is signed with Red Hat redhatrelease2 key
      IF : sssd-dbus is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : libsss_simpleifp is earlier than 0:1.12.2-58.el7
      IF : libsss_simpleifp is signed with Red Hat redhatrelease2 key
    IF : All of the following are true
      IF : libsss_idmap-devel is signed with Red Hat redhatrelease2 key
      IF : libsss_idmap-devel is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-tools is signed with Red Hat redhatrelease2 key
      IF : sssd-tools is earlier than 0:1.12.2-58.el7
    IF : All of the following are true
      IF : sssd-libwbclient-devel is earlier than 0:1.12.2-58.el7
      IF : sssd-libwbclient-devel is signed with Red Hat redhatrelease2 key
    IF : All of the following are true
      IF : libsss_nss_idmap-devel is signed with Red Hat redhatrelease2 key
      IF : libsss_nss_idmap-devel is earlier than 0:1.12.2-58.el7
  IF : Any one of the following are true
    IF : Red Hat Enterprise Linux 7 ComputeNode is installed
    IF : Red Hat Enterprise Linux 7 Workstation is installed
    IF : Red Hat Enterprise Linux 7 Server is installed
    IF : Red Hat Enterprise Linux 7 Client is installed
