[Freeipa-interest] Announcing SSSD 1.9.0 beta 4

[Jakub Hrozek]

The SSSD team is proud to announce the fourth of six preview releases of
version 1.9 of the System Security Services Daemon.

We added a new Beta release, called Beta 5, and renamed the previous Beta
5 to Beta 6. Beta 5 will be released next week, tentatively scheduled for
next Tuesday, July 17th. This release will include several fixes that
the FreeIPA project needs for their next release.

Beta 6 will be released on July 31st and will contain a new tool for
"seeding" accounts with a temporary password for sending machines to
remotees as well as introducing a concept of primary vs. secondary
servers.

After Beta 6, no new features will be added to SSSD 1.9.0 and we will
focus on stability and our backlog of bugfixes until the final release
around September 1st. We will most likely issue a series of release
candidate builds prior to that, but these have not yet been scheduled.

As always, you can download the latest sources at
https://fedorahosted.org/sssd/

== Highlights ==
  * Add a new AD provider to improve integration with Active Directory
    2008 R2 or later servers
  * SUDO integration was completely rewritten. The new implementation
    works with multiple domains and uses an improved refresh mechanism to
    download only the necessary rules
  * The IPA authentication provider now supports subdomains
  * Fixed regression for setups that were setting default_tkt_enctypes
    manually by reverting a previous workaround.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1239
    [RFE] sudo: send username and uid while requesting default options
https://fedorahosted.org/sssd/ticket/1299
    Per domain formats for qualified user names
https://fedorahosted.org/sssd/ticket/1352
    [RFE] Add the subdomain functionality to IPA auth provider
https://fedorahosted.org/sssd/ticket/1377
    [RFE] Add AD provider
https://fedorahosted.org/sssd/ticket/1382
    pac responder interface needs checks
https://fedorahosted.org/sssd/ticket/1385
    heimdal: compile time diference
https://fedorahosted.org/sssd/ticket/1398
    Dependency issue while "yum update libsss_sudo"
https://fedorahosted.org/sssd/ticket/1403
    Combine keytab options for AD provider
https://fedorahosted.org/sssd/ticket/1404
    AD provider should default to case-insensitive operation
https://fedorahosted.org/sssd/ticket/1407
    Revert sssd patch for limiting enctypes to keytab

== Detailed Changelog ==

George McCollister (1):
    * libcrypto fully implemented 

Jakub Hrozek (3):
    * Print based on pointer contents not address
    * Cast uid_t to unsigned long long in DEBUG messages
    * Update translations for 1.9.0 beta 4 release 

Pavel Březina (53):
    * sudo api: remove EOK
    * sudo responder: remove code duplication in commands
    * sudo responder: get rid of dctx where possible
    * sudo sysdb: make sysdb_get_sudo_user_info more configurable
    * sudo api: send uid, username and domainname
    * sudo responder: change protocol version to 1
    * libsss_sudo: bump version to 2:0:1
    * sudo responder: discard in-memory cache
    * sudo ldap provider: move async routines to sdap_async_sudo.c
    * sudo ldap provider: give sdap_sudo_refresh_send() search and purge filters
    * confdb: add entry_cache_sudo_timeout option
    * sudo ldap provider: add sysdb ctx in sdap_sudo_refresh_state
    * sudo ldap provider: add domain info in sdap_sudo_refresh_state
    * sudo ldap provider: add expiration time to each rule
    * sysdb: add getter/setter for last sudo full refresh time
    * sudo ldap provider: provide API for full refresh
    * sudo ldap provider: add support for on demand full refresh
    * sudo ldap provider: provide API for refresh of specific rules
    * sudo ldap provider: add support for on demand refresh of specific rules
    * sudo backend - support only on demand full refresh
    * sudo backend - add support for on demand refresh of specific rules
    * sudo provider: add ldap_sudo_full_refresh_interval
    * sudo provider: remove old timer
    * sudo ldap provider: add new timer API
    * sysdb: remove sudo_set/get_refreshed
    * sudo ldap provider: support periodical full refresh
    * ldap provider: add sudo usn value
    * sudo ldap provider: find highest USN
    * sudo ldap provider: add sdap_sudo_set_usn()
    * sudo ldap provider: remember highest usn after full refresh
    * sudo ldap provider: add smart refresh API
    * sudo ldap provider: when sysdb filter is NULL remove downloaded rules
    * sudo provider: add ldap_sudo_smart_refresh_interval
    * sudo ldap provider: add periodical smart refresh API
    * sudo ldap provider: support periodical smart refresh
    * sudo responder: new request enum type
    * sudo sysdb: add expiration time to the filter
    * sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache()
    * sudo responder: update dp interface
    * sudo responder: refresh expired rules
    * sudo ldap provider: return number of downloaded rules in sdap_sudo_refresh_recv()
    * sudo ldap provider: notify responder when an expired rule has been deleted
    * sudo responder: schedule OOB full refresh when expired rule is deleted
    * sudo: clean up
    * sudo ldap provider: modify highest USN in sdap_sudo_rules_refresh_done()
    * sdap_sudo.c: move _recv after _done
    * sudo ldap provider: pass sudo_ctx instead of id_ctx
    * sudo: add host info options
    * sudo ldap provider: load host filter configuration on init
    * sudo ldap provider: mark sdap_sudo_setup_periodical_refresh() as static
    * sudo ldap provider: do per-host updates
    * sudo ldap provider: support autoconfiguration of IP addresses
    * sudo: manpage updated 

Rambaldi (2):
    * heimdal: fix compile error in krb5-child-test
    * heimdal: use sss_krb5_princ_realm to access realm 

Simo Sorce (1):
    * Fix segfault when sudo is not configured. 

Stef Walter (2):
    * Fix crash when interface doesn't have an address
    * Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8 

Stephen Gallagher (33):
    * Bumping version to 1.9.0 beta 4
    * TESTS: Print messages when LDAP options do not match
    * DEBUG: Log to syslog if we are unable to open a debug fd
    * KRB5: Initialize the credential cache type properly
    * IPA: Don't hang onto memory longer than necessary
    * LDAP: Print extended failure message for SASL bind
    * MAN: Unify "SEE ALSO" sections
    * KRB5: Some logging enhancements for krb5_child
    * KRB5_LOCATOR: Print the filename that couldn't be opened
    * KRB5: Drop memctx parameter of krb5_try_kdcip
    * KRB5: Create a common init routine for krb5_child options
    * LDAP: Rename user and group maps for AD
    * AD: Add AD identity provider
    * AD: Add AD auth and chpass providers
    * AD: Add AD access-control provider
    * AD: Add AD provider to the spec file
    * AD: use krb5_keytab for validation and GSSAPI
    * AD: Add manpages and SSSDConfig entries
    * CONFDB: Add the ability to set a boolean value in the confdb
    * AD: Force case-insensitive operation in AD provider
    * Fix use-after-free
    * Fix uninitialized variable
    * Fix potential NULL-dereference
    * Fix potential NULL-dereference
    * Fix incorrect return value in tests
    * Fix potential NULL-dereference
    * Fix uninitialized value return
    * Fix uninitialized memcpy error
    * Avoid NULL-dereference in error-handling
    * Add missing return value check
    * Check for errors from krb5_unparse_name
    * Fix incorrect error-check
    * Fix segfault when using local provider 

Sumit Bose (5):
    * Fix SSSDConfigTest for separate build directories
    * Set file descriptor limits in pac responder
    * Remove resource leak in sssdpac_import_authdata
    * Remove dead code in ipa_subdomains_handler_done()
    * pac responder: limit access by checking UIDs