[Freeipa-devel] Announcing SSSD 1.9.0 beta 1

Stephen Gallagher sgallagh at redhat.com
Fri May 11 19:31:42 UTC 2012


The SSSD team is proud to announce the first beta of our upcoming 1.9.0
release. We plan to have three beta releases, the first today, the
second in mid-June and the last at the end of July. Each beta release
will provide a set of new enhancements (mostly revolving around Kerberos
cross-realm trust support and Active Directory integration).

As always, you can download the latest sources at
https://fedorahosted.org/sssd/

== Highlights ==
 * Add native support for autofs to the IPA provider
 * Support for ID-mapping when connecting to Active Directory
 * Support for handling very large (> 1500 users) groups in Active
Directory
 * Support for sub-domains (will be used for dealing with trust
relationships)
 * Add a new fast in-memory cache to speed up lookups of cached data on
repeated requests

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/357
    SSSD should provide fast in memory cache to provide similar
functionality as NSCD currently provides
https://fedorahosted.org/sssd/ticket/783
    Support range retrievals
https://fedorahosted.org/sssd/ticket/887
    Implement mechanism to fetch and store domain info
https://fedorahosted.org/sssd/ticket/917
    Document sss_tools better
https://fedorahosted.org/sssd/ticket/949
    Filter out inappropriate IP addresses from IPA dynamic DNS update
https://fedorahosted.org/sssd/ticket/996
    RFE: Allow Constructing uid from Active Directory objectSid
https://fedorahosted.org/sssd/ticket/1031
    [RFE] Implement "AD friendly" schema mapping
https://fedorahosted.org/sssd/ticket/1064
    Sub-Domains: define new get_domains method
https://fedorahosted.org/sssd/ticket/1065
    Sub-Domains: implement new get_domains method in IPA provider
https://fedorahosted.org/sssd/ticket/1067
    Sub-Domains: add new get_domains method to responders
https://fedorahosted.org/sssd/ticket/1114
    get_uid_from_pid() perfoms an improper read
https://fedorahosted.org/sssd/ticket/1119
    Monitor SIGKILL time should be configurable
https://fedorahosted.org/sssd/ticket/1140
    RFE Request for including pam_pwd_expiration_warning = 0 in
sssd.conf
https://fedorahosted.org/sssd/ticket/1170
    sss_cache should support invalidating services and autofs maps
https://fedorahosted.org/sssd/ticket/1172
    Bad check for id_provider=local and access_provider=permit
https://fedorahosted.org/sssd/ticket/1174
    sssd.conf has wrong defaults for the "command" parameter
https://fedorahosted.org/sssd/ticket/1176
    SSH: Add dp_get_host_send to common responder code
https://fedorahosted.org/sssd/ticket/1181
    Typos in sssd manual
https://fedorahosted.org/sssd/ticket/1203
    Hash the hostname/port information in the known_hosts file.
https://fedorahosted.org/sssd/ticket/1209
    Convert all read and write loops to use atomic I/O function
https://fedorahosted.org/sssd/ticket/1233
    Memory leak in sss_sudo_send_recv_generic
https://fedorahosted.org/sssd/ticket/1250
    Add default home directory mapping
https://fedorahosted.org/sssd/ticket/1271
    Stop using HTML_FOOTER_DESCRIPTION in doxygen docs
https://fedorahosted.org/sssd/ticket/1281
    Add unit test for compatibility of ldap options between schemas
https://fedorahosted.org/sssd/ticket/1289
    Create a way to define a default shell for cases when there no shell
https://fedorahosted.org/sssd/ticket/1297
    Use keytab to select etypes for krb5_get_init_creds_keytab()
https://fedorahosted.org/sssd/ticket/1298
    Invalid cache file created when canoning principals during
krb5_get_init_creds_keytab()
https://fedorahosted.org/sssd/ticket/1301
    sss_cache does nothing when executed without any options.
https://fedorahosted.org/sssd/ticket/1305
    sss_cache should return a warning/error while validating unknown
user/group
https://fedorahosted.org/sssd/ticket/1306
    sss_cache should return an error, when executed against inactive
domains
https://fedorahosted.org/sssd/ticket/1313
    exec_child, execv and friends don't return success
https://fedorahosted.org/sssd/ticket/1316
    kpasswd server status set to working when Kerberos auth succeeds

== Detailed Changelog ==

Ariel Barria (1):
 * Bad check for id_provider=local and access_provider=permit

Jakub Hrozek (105):
 * Fix SSH compilation on RHEL5
 * AUTOFS: IPA provider
 * Two sssd-ldap manual pages fixes
 * Fix group enumeration
 * Only fetch SELinux string if the user is found
 * Remove setent structure when callback is called
 * Allocate setent structure on state, not on the client context
 * Fix memory hierarchy when processing nested group memberships
 * Fix case insensitive service lookups
 * Include the fd_limit configuration option
 * End request if ldap_parse_result fails
 * remove unused function
 * Save errno value before calling DEBUG
 * libnl: fix the path to phy80211 subdirectory
 * AUTOFS: Invoke implicit setautomntent if needed
 * AUTOFS: Search all search bases for automounter map entries
 * AUTOFS: speed up the client by requesting multiple entries at once
 * Use proper errno code
 * Only do one cycle when resolving a server
 * krb5_child: set debugging sooner
 * Search netgroups by alias, too
 * Detect cycle in the fail over on subsequent resolve requests only
 * Autofs: operate on contents of double-pointer, not address
 * Only free returned values on success
 * Save original name into the in-memory cache
 * Handle errors from lookup_netgr_step gracefully
 * Fix nested groups processing
 * Fix netgroup error handling
 * Handle empty elements in proxy netgroups:
 * Fix uninitialized variable
 * Free entry found in negative cache
 * Make the string_equal() function public
 * Save alias of the primary name, too
 * NSS: Look for services with correct case when cache is updated
 * AUTOFS: fix copy-and-paste bug in the autofs client
 * LDAP services: Keep the protocol around
 * Silence Coverity warning in the autofs test tool
 * Return correct resolv_status on resolver timeout
 * Add sss_get_cased_name_list utility function
 * LDAP services: Save lowercased protocol names in case-insensitive
domains
 * Proxy services: Save lowercased protocol names and aliases in
case-insensitive domains
 * Fix off-by-one error in principal selection
 * Catch cases where D-Bus connection is NULL
 * Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
 * Fix regression in SSSDConfig.py
 * netlink integration: ensure that interface name is NULL-terminated
 * Remove forgotten DEBUG message
 * autofs: load the correct option
 * man: document that referral chasing might bring performance penalty
 * Prevent printing NULL from DEBUG messages
 * Do not call sdap_auth if not needed
 * pam_sss: improve error handling in SELinux code
 * Remove the "command" option from documentation
 * Add sysdb_set_service_attr and sysdb_set_autofsmap_attr
 * sss_cache: support invalidating services and autofs maps
 * autofs: Raise the maximum key length to PATH_MAX
 * sss_cache: Better error reporting
 * MAN: timeout can be specified for services, too
 * MAN: document the hostid and autofs providers
 * proxy: Canonicalize user and group names
 * proxy: new option proxy_fast_alias
 * Free controls in sdap_rebind_proc
 * Make the monitor SIGKILL time configurable
 * sdap_check_aliases must not error when detects the same user
 * sss_atomic_io: Do not fail reads with EPIPE if there is not enough
data to read
 * Move atomic io function to a separate module
 * Convert read and write operations to sss_atomic_read
 * Document sss_tools better
 * Warn on 'make update-po' if there are manpages not listed in po4a.cfg
 * Test RFC2307bis and RFC2307 option maps
 * Get the RootDSE after binding if not successfull before
 * Lowercase group members in case-insensitive domains
 * NSS: Only return data from initgroups once
 * SUDO: Return ret, not EOK
 * SYSDB: return EOK if empty message is passed into get_rm_msg
 * SYSDB: check return value
 * SSH: return NULL on error in ssh_host_pubkeys_format_known_host_plain
 * SERVER: use the correct return code of sss_atomic_write_s
 * LDAP: check return value of sysdb_attrs_get_el
 * RESPONDER: check return value from confdb_get_int
 * PYHBAC: Return NULL on failure
 * PAM_SSS: report error code if write fails
 * NSS: Check return code of sss_mmap_cache_gr_store
 * IPA netgroups: return EOK when there are no netgroups to process
 * ipa_get_config_send: remove unused assignment
 * HBAC: Prevent NULL dereference in hbac_evaluate
 * DP: return correct error message when subdomains back end target is
not configured
 * NSS: fix returning group from cache
 * SSS_DEBUGLEVEL: silence analyzer warnings
 * PROXY: return correct return codes
 * IPA: Check return values
 * AUTOFS: remove unused assignments
 * Rename split_service_name_filter
 * SSH: Add dp_get_host_send to common responder code
 * Read sysdb attribute name, not LDAP attribute map name
 * Kerberos locator: Include the correct krb5.h header file
 * Special-case LDAP_SIZELIMIT_EXCEEDED
 * krb5 locator: Do not leak addrinfo
 * Only reset kpasswd server status when performing a chpass operation
 * Try all KDCs when getting TGT for LDAP
 * Send the correct enumeration request
 * subdomains: Fix error handling in Data Provider
 * Filter out IP addresses inappropriate for DNS forward records
 * sysdb: return proper error code from sysdb_sudo_purge_all
 * SYSDB: Handle user and group renames better

Jan Cholasta (22):
 * Add methods for activating and deactivating services to SSSDConfig
 * Add ssh service to sssd.api.conf
 * SSH: Verify that names received from client are valid UTF-8 in
responder
 * SSH: Build man pages conditionally
 * SSH: Save SSH host name aliases
 * SSH: Refactor responder and client common code
 * UTIL: Add function for atomic I/O
 * SSH: Continue connecting to SSH server even when SSSD is not running
in sss_ssh_knownhostsproxy
 * SSH: Manage global known_hosts file in the responder
 * SSH: Don't abort known_hosts update when host search fails
 * SSH: Add more debugging messages
 * SSH: Add missing break statements to sss_ssh_format_pubkey
 * SSH: Use fchmod instead of chmod on known_hosts file
 * SSH: Replace blocking getaddrinfo call in the responder with
asynchronous resolver code
 * SSH: Remove unused --file option of sss_ssh_knownhostsproxy
 * SSH: Update sss_ssh_knownhostsproxy manual page
 * Include missing source files to the list of source files which
contain translatable strings
 * SSH: Allow clients to explicitly specify host alias
 * SSH: Canonicalize host name and do reverse DNS lookup in
sss_ssh_knownhostsproxy
 * SSH: Fix infinite loop in sss_ssh_knownhostsproxy
 * UTIL: Add HMAC-SHA-1 function
 * SSH: Add support for hashed known_hosts

Jan Engelhardt (1):
 * build: resolve link failure

Jan Zeleny (34):
 * Fixed issue with netgroup update in IPA provider
 * Don't give memory context in confdb where not needed
 * IPA hosts refactoring
 * SELinux related attributes added to config API
 * Delete missing attributes from netgroups to be stored
 * Modifications to simplify list_missing_attrs
 * Fix the script path
 * Fixed uninitialized pointer in SSH known host proxy
 * Fixed uninitialized pointer in SSH authorized keys client
 * Add umask before mkstemp() call in SSH responder
 * Fixed resource leak in ssh client code
 * Removed a block of dead code in sdap_async_groups.c
 * Removed unused block of code is sdap_fill_memberships()
 * Removed unused function sysdb_attrs_users_from_ldb_vals()
 * Fixed memory context in sdap_fill_memberships()
 * Fixed minor memory leak in ldap provider
 * Sysdb routines for subdomains
 * Add some utility functions for subdomains
 * Add conn_name to allow different names for domains and connections
 * Responder part of the subdomain retrieval work
 * Modified responder_get_domain()
 * Retrieve subdomains if there is a request for fully qualified user
 * Ask for subdomains in responder in the first request after startup
 * New config option for subdomains
 * Moved expand_homedir_template() from NSS responder to utility code
 * Add ID operations in subdomains
 * Send PAM requests for subdomains to the right provider
 * Basic support for subdomains in auth provider
 * Carry sysdb context and domain info in be_req structure
 * Accept be_req instead if be_ctx in LDAP access provider
 * Detect subdomain request in IPA access provider
 * Utilize sysdb context within be_req in HBAC
 * Two fixes in responder subdomain code
 * Modify behavior of pam_pwd_expiration_warning

Marco Pizzoli (1):
 * Two manual pages fixes

Pavel Březina (16):
 * Improve debug messages in sysdb_sudo_check_time()
 * SUDO responder: check if the input is a UTF-8 string
 * Refactor sss_result into sss_sudo_result
 * Redesign purging of the sudo cache
 * Honor case_sensitive option in sudo responder
 * Move sudo_dom_ctx.user to local variable
 * Hide --debug option in sss_debuglevel
 * Two memory leaks in sss_sudo_get_values
 * Missing debug message if sdap_sudo_refresh_set_timer fails
 * Use of unininitialized value in sudosrv_cache_set_entry and
sudosrv_cache_lookup_internal
 * Use of unininitialized value in sss_sudo_parse_response
 * Potential NULL-dereference in sudosrv_cmd_get_sudorules
 * sudo api: check sss_status instead of errnop in
sss_sudo_send_recv_generic()
 * Install and uninstall all documentation
 * fix copy and paste error in comment
 * Fix typo in debug message

Simo Sorce (11):
 * nss_group: Cache the result from sssd when the glibc provided buffer
is too small.
 * pam_sss: keep selinux optional
 * Use the correct hash table for pending requests
 * util: Helper headers for shared memory cache
 * nsssrv: shared memory cache server initialization
 * nsssrv: Add memory cache record handling utils
 * nsssrv: add handling of memory cache passwd map
 * sss_client: Add common shared memory cache utils
 * sss_client: shared memory cache passwd map support
 * nsssrv: add handling of memory cache group map
 * sss_client: shared memory cache group map support

Stef Walter (6):
 * Fix erronous reference to the 'allow' access_provider
 * execv, excvp and exec_child never return EOK
 * If canon'ing principals, write ccache with updated default principal
 * Remove erroneous failure message in find_principal_in_keytab
 * Limit krb5_get_init_creds_keytab() to etypes in keytab
 * Clearer documentation for use_fully_qualified_names

Stephen Gallagher (96):
 * Set version to 1.9dev
 * Updating translatable strings for string freeze
 * Updating translations
 * Remove dead code
 * Fix missing NULL check after malloc
 * Avoid uninitialized value comparison
 * Add missing breaks to switch statements
 * Fix uninitialized in_transaction
 * Fix bad failure handling in be_sudo_handler()
 * Check for failure in sss_packet_grow()
 * Fix uninitialized value error in proxy provider
 * Ensure NULL-termination in get_uid_from_pid()
 * Move sss_ssh_* binaries to the main 'sssd' package
 * Always include all manpage XML files in the distribution tarball
 * Fix missing %endif in sssd.spec.in
 * NSS: Always return the same protocol that was requested
 * LDAP: Ignore group member users that do not have name attributes
 * RESPONDERS: Allow increasing the file-descriptor limit
 * RESPONDERS: Make the fd_limit setting configurable
 * Add tool to convert debug levels
 * IPA: Add ipa_parse_search_base()
 * LDAP: Properly assign orig_dn
 * LDAP: Only use paging control on requests for multiple entries
 * LDAP: Remove unnecessary filter sanitize
 * Eliminate build-time requirement for nscd
 * PAM: Don't send PAM_SYSTEM_INFO message if module unset
 * Fix typo in autofs option description
 * Include the debug_level upgrade tool in the tarball
 * Include new manpages in translations
 * Fix typo in script name
 * Handle cases where UID is -1
 * IPA: Set the DNS discovery domain to match ipa_domain
 * IPA: Fix segfault with srchost functionality enabled
 * DP: Reorganize memory hierarchy of requests
 * Prune python provides correctly
 * Make RPM spec more explicit
 * Build experimental features by default in RPMs
 * Properly terminate GIT_CHECKOUT
 * LDAP: Make sdap_access_send/recv public
 * IPA: Check nsAccountLock during PAM_ACCT_MGMT
 * PROXY: Create fake user entries for group lookups
 * SSH: Fix missing semicolon
 * IPA: Initialize hbac_ctx to NULL
 * i18n: Remove empty translations
 * LDAP: Add AD 2008r2 schema
 * IPA: Allow service lookups
 * SYSDB: Save only lowercased aliases in case-insensitive domains
 * LDAP: Errors retrieving the RootDSE should not be fatal
 * NSS: Fix debug message
 * Start SSSD earlier and stop it later
 * LDAP: Add better error logging when ldap_result() fails
 * LDAP: Fix memory leaks in synchronous_tls_setup
 * BUILDSYS: Create common libs for LDAP and KRB5 sources
 * Put dp_option maps in their own file
 * Add terminator for dp_option
 * Add better dp_option tests
 * Add terminator for sdap_attr_map
 * Add better tests for sdap_attr compability
 * Remove old compatibility tests
 * Fix building manpages in parallel build dirs
 * Clean up log messages about keytab_name
 * MAN: Improve ldap_disable_paging documentation
 * MAN: Add ldap_sasl_minssf to the manpage
 * Fix linker issue with pam_sss
 * murmurhash: Relax inline requirement
 * Handle endianness issues on older systems
 * SYSDB: Handle upgrade script failures better
 * LDAP: Add objectSID config option
 * LDAP: Add id-mapping option
 * SYSDB: Add sysdb routines for ID-mapping
 * LDAP: Add helper routines for ID-mapping
 * LDAP: Add ID mapping range settings
 * LDAP: Initialize ID mapping when configured
 * LDAP: Enable looking up ID-mapped users by name
 * LDAP: Add autorid compatibility mode
 * LDAP: Allow setting a default domain for id-mapping slice 0
 * LDAP: Add routine to extract domain SID from an object SID
 * LDAP: Allow automatically-provisioning a domain and range
 * LDAP: Enable looking up id-mapped users by UID
 * LDAP: Allow looking up ID-mapped groups by name
 * LDAP: Enable looking up id-mapped groups by GID
 * LDAP: Map the user's primaryGroupID
 * LDAP: Add helper routine to convert LDAP blob to SID string
 * LDAP: Do not remove uidNumber and gidNumber attributes when saving
id-mapped entries
 * LDAP: Add helper function to map IDs
 * LDAP: Treat groups with unmappable SIDs as non-POSIX groups
 * MAN: Add manpage for ID mapping
 * LDAP: Add support for enumeration of ID-mapped users and groups
 * SSSDConfigAPI: Fix missing option in tests
 * NSS: Add fallback_homedir option
 * NSS: Add default_shell option
 * SYSDB: Add better error logging to sysdb_set_entry_attr()
 * LDAP: Add attr_count return value to build_attrs_from_map()
 * LDAP: Handle very large Active Directory groups
 * Updating translations for 1.9.0 beta 1 release
 * Bumping version to 1.8.91 for 1.9.0 beta 1 release

Sumit Bose (13):
 * Use curly braces in pkgconfig metadata file
 * Keep sysdb context in domain info struct
 * Remove sysdb_get_ctx_from_list()
 * Always initialize the returned data in sss_krb5_princ_realm()
 * Add idmap library
 * Check sub-domains in nss_cmd_get{pwuid|grgid}_search()
 * data provider: added subdomains
 * IPA: Add get-domains target
 * Add domain name to get_account_info request
 * Add s2n extended operation
 * Allow different SID representations in libidmap
 * Fix typo in spec file
 * Fix endian issue in SID conversion

Yuri Chornoivan (2):
 * fix typos in manual
 * Fix typo: retreiving->retrieving
