[Freeipa-interest] Announcing the release of SSSD 1.9.3

Jakub Hrozek jhrozek at redhat.com
Thu Dec 6 00:37:03 UTC 2012


                    === SSSD 1.9.3 ===

The SSSD team is proud to announce the release of version 1.9.3 of
the System Security Services Daemon.

This release is mainly focused on fixing regressions in functionality
introduced by new features during the 1.9 development cycle or bugs in
the new features themselves.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17. We will also provide test builds
for RHEL6.3 as was the case with 1.9.2.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* Many fixes related to deployments where the SSSD is running as a client
  of an IPA server that has a trust relationship established with an Active
  Directory server
* Multiple fixes related to correct reporting of group memberships,
  especially in setups that use nested groups
* Fixed a bug that prevented upgrade from the 1.8 series if the cache
  contained nested groups before the upgrade
* Restarting the responders is more robust for cases where the machine is
  under heavy load during back end restart
* The default_shell option can now also be set per-domain in addition to
  the global setting
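As an added illustration of the per-domain default_shell highlight above (this fragment is not part of the announcement and not a configuration shipped by the SSSD project), the following sssd.conf excerpt keeps the global default in the [nss] section and overrides it for one domain. The domain name, LDAP URI and search base are placeholders chosen for the example.

```ini
# Added example sssd.conf fragment (not from the original announcement).
# The domain name, ldap_uri and ldap_search_base are placeholder values.

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
# Global fallback shell: used for users of any domain that does not
# set its own default_shell and whose directory entry carries no shell.
default_shell = /bin/bash

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# Per-domain override (available since 1.9.3, see ticket 1583): users of
# this domain without a shell attribute get /bin/sh instead of /bin/bash.
default_shell = /bin/sh
```

Keeping the global value in [nss] and only overriding it in the domains that need a different shell avoids surprises when further domains are added later, because a new domain section inherits the [nss] value until it sets its own.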

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1345
    sssd does not warn into sssd.log for broken configurations
https://fedorahosted.org/sssd/ticket/1357
    Init script reports complete before sssd is actually working
https://fedorahosted.org/sssd/ticket/1437
    upstream spec should use systemd where available
https://fedorahosted.org/sssd/ticket/1482
    "fullName" in sysdb doesn't match with the "name" ldap attribute on AD Server
https://fedorahosted.org/sssd/ticket/1528
    SSSD_NSS failure to gracefully restart after sbus failure
https://fedorahosted.org/sssd/ticket/1581
    sssd_be crashes while looking up users
https://fedorahosted.org/sssd/ticket/1583
    Allow setting the default_shell per-domain
https://fedorahosted.org/sssd/ticket/1584
    invalidating the memcache with sss_cache doesn't work if the sssd is not running
https://fedorahosted.org/sssd/ticket/1589
    sss_cache says 'Wrong DB version'
https://fedorahosted.org/sssd/ticket/1590
    sssd does not resolve group names from AD
https://fedorahosted.org/sssd/ticket/1593
    Silence the DEBUG messages when ID mapping code skips a built-in group
https://fedorahosted.org/sssd/ticket/1594
    ldap_child crashes on using invalid keytab during gssapi connection
https://fedorahosted.org/sssd/ticket/1595
    Password authentication with users coming via AD trust
https://fedorahosted.org/sssd/ticket/1596
    Sudo smart refresh doesn't occur on time
https://fedorahosted.org/sssd/ticket/1600
    The sssd_nss process grows the memory consumption over time
https://fedorahosted.org/sssd/ticket/1601
    A wrong callback used causes getgrgid to not work for trusted domains
https://fedorahosted.org/sssd/ticket/1602
    provider is forcibly killed with SIGKILL instead of SIGTERM if it's not responding
https://fedorahosted.org/sssd/ticket/1604
    sssd not granting access for AD trusted user in HBAC rule
https://fedorahosted.org/sssd/ticket/1606
    SSSD starts multiple processes due to syntax error in ldap_uri
https://fedorahosted.org/sssd/ticket/1608
    sss_cache: Multiple domains not handled properly
https://fedorahosted.org/sssd/ticket/1610
    subdomains: Invalid sub-domain request type.
https://fedorahosted.org/sssd/ticket/1611
    authconfig chokes on sssd.conf with chpass_provider directive
https://fedorahosted.org/sssd/ticket/1612
    Nested groups are not retrieved appropriately from cache
https://fedorahosted.org/sssd/ticket/1613
    ipa client setup should configure host properly in a trust is in place
https://fedorahosted.org/sssd/ticket/1614
    User appears twice on looking up a nested group
https://fedorahosted.org/sssd/ticket/1615
    IPA client cannot change AD Trusted User password
https://fedorahosted.org/sssd/ticket/1616
    sudo failing for ad trusted user in IPA environment
https://fedorahosted.org/sssd/ticket/1619
    pam: fd leak when writing the selinux login file in the pam responder
https://fedorahosted.org/sssd/ticket/1623
    Man page issue to list 'force_timeout' as an option for the [sssd] section
https://fedorahosted.org/sssd/ticket/1628
    user id lookup fails using proxy provider
https://fedorahosted.org/sssd/ticket/1629
    subdomains code does not save the proper user/group name
https://fedorahosted.org/sssd/ticket/1631
    sysdb upgrade failed converting db to 0.11
https://fedorahosted.org/sssd/ticket/1635
    investigate the behaviour of ldap_sasl_authid in 1.9.x
https://fedorahosted.org/sssd/ticket/1636
    offline authentication failure always returns System Error
https://fedorahosted.org/sssd/ticket/1638
    password expiry warning message doesn't appear during auth
https://fedorahosted.org/sssd/ticket/1640
    "defaults" entry ignored
https://fedorahosted.org/sssd/ticket/1647
    LDAP provider fails to save empty groups
https://fedorahosted.org/sssd/ticket/1649
    ldap_connection_expire_timeout doesn't expire ldap connections
https://fedorahosted.org/sssd/ticket/1650
    Wrong variable check in sudosrv_parse_query_send
https://fedorahosted.org/sssd/ticket/1651
    Unchecked return value from waitpid()
https://fedorahosted.org/sssd/ticket/1652
    updating top-level group does not reflect ghost members correctly
https://fedorahosted.org/sssd/ticket/1657
    SIGSEGV in IPA provider when ldap_sasl_authid is not set
https://fedorahosted.org/sssd/ticket/1658
    ipa password auth failing for user principal name when shorter than IPA Realm name
https://fedorahosted.org/sssd/ticket/1661
    Allow backward compatible regex for domain / realm search in sssd 1.9
https://fedorahosted.org/sssd/ticket/1668
    delete operation is not implemented for ghost users
https://fedorahosted.org/sssd/ticket/1669
    sssd hangs at startup with broken configurations
https://fedorahosted.org/sssd/ticket/1671
    mmap cache needs update after db changes
https://fedorahosted.org/sssd/ticket/1674
    Explicit null dereferenced
https://fedorahosted.org/sssd/ticket/1683
    arithmetic bug in the SSSD causes netgroup midpoint refresh to be always set to 10 seconds
https://fedorahosted.org/sssd/ticket/1684
    Dereference after null check in sss_idmap_sid_to_unix
https://fedorahosted.org/sssd/ticket/1686
    sssd crashes during start if id_provider is not mentioned
https://fedorahosted.org/sssd/ticket/1688
    sssd_sudo prints wrong debug message when notBefore or notAfter attribute is missing
https://fedorahosted.org/sssd/ticket/1694
    Incorrect synchronization in mmap cache
https://fedorahosted.org/sssd/ticket/1695
    user is not removed from group membership during initgroups

== Packaging Changes ==
* The sss_cache has been moved from sss-tools subpackage to the main sssd package
* The upstream RPM uses a systemd unit file by default, rather than a SystemV init script
* Several rpmlint warnings have been fixed in the upstream spec file

== Detailed Changelog ==
Ariel O. Barria (1):
      * Monitor quit when not exists no process no stops

Jakub Hrozek (42):
      * Updating the version for the 1.9.3 release
      * LDAP: Check validity of naming_context
      * Allow setting the default_shell option per-domain as well
      * KRB5: Return error when principal selection fails
      * Free the internal DP request
      * LDAP: Fix off-by-one error when saving ghost users
      * Monitor: read the correct SIGKILL timeout for providers, too
      * PAM: Do not leak fd after SELinux context file is written
      * Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
      * KRB5: Rename variable to avoid shadowing a global declaration
      * Only build extract_and_send_pac on platforms that support it
      * Include the auth_utils.h header in the distribution
      * SYSDB: Do not touch the member attribute during conversion to ghost users
      * Provide AM_COND_IF-compatible implementation for old automake systems
      * LDAP: Expire even non authenticated connections
      * SUDO: Fix wrong variable check
      * SERVER: Check the return value of waitpid
      * LDAP: Allocate the temporary context on NULL, not memctx
      * LDAP: Fix saving empty groups
      * LDAP: use the correct memory context
      * LDAP: Refactor saving ghost users
      * Restart services with a delay in case they are restarted too often
      * MAN: document the ldap_sasl_realm option
      * LDAP: Provide a common sdap_set_sasl_options init function
      * LDAP: Checking the principal should not be considered fatal
      * LDAP: Make it possible to use full principal in ldap_sasl_authid again
      * SYSDB: Use the add_string convenience functions for managing ghost user attribute
      * LDAP: Only convert direct parents' ghost attribute to member
      * MONITOR: Fix off-by-one error in add_string_to_list
      * Handle compiling FQDN regular expression with old pcre gracefully
      * MEMBEROF: Do not add the ghost attribute to self
      * TESTS: Test ghosts users in the RFC2307 schema
      * NSS: Fix netgroup midpoint cache refresh
      * LDAP: Continue adjusting group membership even if there is nothing to add
      * MEMBEROF: Implement delete operation for ghost users
      * MEMBEROF: split processing the member modify into a separate function
      * MEMBEROF: Split the del ghost attribute op into a reusable function
      * MEMBEROF: Split the add ghost operation into a separate function
      * MEMBEROF: Implement the modify operation for ghost users
      * MEMBEROF: Keep inherited ghost users around on modify operation
      * RESOLV: return ENOENT if the address list is empty
      * Updating the translations for the 1.9.3 release

Jan Cholasta (3):
      * Use systemd by default on Fedora 16+
      * Fix errors reported by rpmlint
      * MAN: Move ssh_known_hosts_timeout documentation to the correct section

Michal Zidek (11):
      * sss_cache: Multiple domains not handled properly
      * util: Added new file util_lock.c
      * sss_cache: Remove fastcache even if sssd is not running.
      * util_lock.c: sss_br_lock_file accepted invalid parameter value
      * debug: print fatal and critical errors if debug level is unresolved
      * sss_cache: Small refactor.
      * Uninitialized pointer read
      * idmap: Silence DEBUG messages when dealing with built-in SIDs.
      * Null pointer dereferenced.
      * Dereference after null check in sss_idmap_sid_to_unix
      * Missing parameter in DEBUG message.

Ondrej Kos (4):
      * MAN: sssd-simple - suggest awareness of empty rules
      * Display more information on DB version crash
      * LDAP: fix uninitialized variable
      * SYSDB: Don't operate with aliases same as name

Pavel Březina (23):
      * sudo: do not fail if usn value is zero but full refresh is completed
      * sudo refresh: handle errors properly
      * authconfig: allow chpass_provider = proxy
      * add SSSDBG_IMPORTANT_INFO macro
      * fix indentation, coding style and debug levels in server.c
      * make monitor_quit() usable outside signal handler
      * exit original process after sssd is initialized
      * create pid file immediately after fork again
      * do not default fullname to gecos when schema = ad
      * sss_dp_get_domains_send(): handle subreq error correctly
      * subdomains: check request type on one place only
      * backend: add PAC to the list of known clients
      * sudo: fix missing parameter in two debug messages
      * use tmp_ctx in sudosrv_get_sudorules_from_cache()
      * sudo: support users from subdomains
      * sudo: do not send domain name with username
      * sudo: print how many rules we are refreshing or returning
      * sudo: store rules with no sudoHost attribute
      * fix SIGSEGV in IPA provider when ldap_sasl_authid is not set
      * avoid versioning libsss_sudo
      * warn user if password is about to expire
      * do not crash when id_provider is not set
      * sudo: print rule name if notBefore or notAfter attribute is missing

Simo Sorce (9):
      * Simplify writing db update functions
      * Refactor the way subdomain accounts are saved
      * Handle conversion to fully qualified usernames
      * mmap cache: public functions to invalidate records
      * Hook to perform a mmap cache update from sssd_nss
      * Hook for mmap cache update on initgroup calls
      * Add backchannel NSS provider query on initgr calls
      * Always append rctx as private data
      * Add memory barrier to mmap cache client code loop

Stephen Gallagher (9):
      * LDAP: Better debug logging when saving groups
      * RPMS: Move sss_cache tool to main package
      * Monitor: Better debugging for ping timeouts
      * MAN: Specify the correct location for the force_timeout option
      * SSSDConfig: Locate the force_timeout option in the correct sections
      * MAN: Fix validation error caused by bad 'ca' translation
      * SUDO: Remove unused variable
      * BUILD: Temporary workaround for Kerberos build
      * IPA: Handle bad results from c-ares lookup

Sumit Bose (34):
      * Fix two errors in the nss responder
      * subdomain-id: Generate homedir only for users not groups
      * pac responder: fix copy-and-paste error
      * sysdb: look for ranges in the parent tree
      * pac responder: use only lower case user name
      * pac responder: add user principal and name alias to cached user object
      * krb5_auth_send: check for sub-domains
      * sysdb: add sysdb_base_dn()
      * check_ccache_files: search sub-domains as well
      * Add replacement for krb5_find_authdata()
      * krb5_auth: check if principal belongs to a different realm
      * krb5_auth: send different_realm flag to krb5_child
      * krb5_child: send PAC to PAC responder
      * krb5_mod_ccname: replace wrong memory context
      * krb5_child: send back the client principal
      * Add new call find_or_guess_upn()
      * Use find_or_guess_upn() where needed
      * krb5_auth: update with correct UPN if needed
      * sss_parse_name_for_domains: always return the canonical domain name
      * Make sub-domains case-insensitive
      * Clarify debug message about initgroups and subdomains
      * Do not remove a group if it has members from subdomains
      * Add diff_gid_lists() with test
      * Add pac_user_get_grp_info() to read current group memberships
      * Get lists of GIDs to be added and deleted and use them
      * Store the original group DN in the subdomain user object
      * Add string_in_list() and add_string_to_list() with tests
      * Always start PAC responder if IPA ID provider is configured
      * Run IPA subdomain provider if IPA ID provider is configured
      * Do not save HBAC rules in subdomain subtree
      * Just use the service name with krb5_get_init_creds_password()
      * Fix compare_principal_realm() check
      * Disable canonicalization during password changes
      * KRB5: Work around const warning for krb5 releases older than 1.11

Timo Aaltonen (1):
      * link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthread
