[Freeipa-interest] Announcing SSSD 1.9.0

Jakub Hrozek jhrozek at redhat.com
Mon Sep 24 21:52:52 UTC 2012


                      === SSSD 1.9.0 ===

The SSSD team is proud to announce the release of the System Security
Services Daemon version 1.9.0.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

=== New Features ===
* Add a new AD provider to improve integration with Active Directory 2008
  R2 or later servers
  - Support for ID-mapping when connecting to Active Directory
  - Support for handling very large (> 1500 users) groups in Active Directory
* The SSSD is able to act as an IPA client in cases where the IPA server
  has established a trust setup with an Active Directory server
  - Support for sub-domains for dealing with trust relationships
  - Add a new PAC responder for dealing with cross-realm Kerberos trusts
  - The IPA authentication provider now supports subdomains
  - In scenarios where the SSSD is acting as an IPA client, it is able
    to discover and save the DNS domain-Kerberos realm mappings between an
    IPA server and a trusted Active Directory server.
* Add a new fast in-memory cache to speed up lookups of cached data on
  repeated requests
* Many fixes to the support for setting the default SELinux user context
  from FreeIPA, most notably a fix to the specificity evaluation
* Add support for the Kerberos DIR cache for storing multiple TGTs automatically
* SUDO integration was completely rewritten. The new implementation works
  with multiple domains and uses an improved refresh mechanism to download
  only the necessary rules
* The SSSD supports the concept of a Primary Server and a Backup
  Server. If the SSSD switches to a backup server because a primary server
  is not available, it later tries to re-establish a connection to the
  primary server.
* Add native support for autofs to the IPA provider
* A new command-line tool sss_seed is available. This tool is able to
  prime the internal cache with a user record and a cached password to
  support the scenario when a user needs to log in to the client before
  the network connection to the centralized identity source is established,
  such as the first log in to a new machine.
* A new option, override_shell was added. If this option is set, all users
  managed by SSSD will have their shell set to its value.

=== Important Fixes and Enhancements ===
* Major performance enhancement when storing large groups in the cache
* Major performance enhancement when performing initgroups() against Active Directory
* Terminate idle connections to the NSS and PAM responders
* The shadowLastChange attribute value is now correctly updated with the
  number of days since the Epoch, not seconds
* Mutexes in the nss_sss module are now released correctly if one thread
  in a multithreaded application is cancelled while the mutex is locked
* The fail over code works correctly when the IPA provider is not able to
  establish a GSSAPI-encrypted connection to an IPA server
* The SSSD correctly accepts -1 as a valid value of the shadow attributes
* When the SSSD is unable to resolve a host name, it tries the next
  configured server now instead of going offline
* The default SELinux login context for IPA users was changed to unconfined_t
  when there are no rules on the server
* A file descriptor leak that occurred when the SSSD was unable to
  establish an SSL connection to an LDAP server was fixed
* Fixed a potential crash when one of two parallel requests would expire
  the list of servers resolved from a SRV query
* Fixed a crash that occurred when a service was requested by both name
  and protocol

=== Packaging Changes ===
* SSSDConfig data file default locations can now be set during configure
  for easier packaging
* Switch from libunistring to glib2 for Unicode support
* A new Python wrapper around the murmur hash library has been introduced. It
  is only useful to the FreeIPA server at the moment.
* A new binary called sss_seed is available. The binary is installed to
  /usr/sbin/sss_seed by default and includes its own manual page.
* The SSSD uses a new directory to store the DNS domain - Kerberos realm
  mappings. The default location is /var/lib/sss/pubconf/krb5.include.d

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1331
    Off-by-one error in sss_hmac_sha1
https://fedorahosted.org/sssd/ticket/1364
    [abrt] sssd-1.8.3-11.fc16: set_server_common_status: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
https://fedorahosted.org/sssd/ticket/1438
    SSSD crashes at boot time
https://fedorahosted.org/sssd/ticket/1452
    Authentication fails if kpasswd cannot be resolved
https://fedorahosted.org/sssd/ticket/1454
    if allocation fails, sss_mmap_cache_init may dereference NULL pointer
https://fedorahosted.org/sssd/ticket/1458
    Full sudo refresh is scheduled even if there is no sudo responder
https://fedorahosted.org/sssd/ticket/1466
    Proxy: Cannot retrieve an user after a group he is a member of was retrieved
https://fedorahosted.org/sssd/ticket/1467
    enumeration is broken in the proxy provider
https://fedorahosted.org/sssd/ticket/1479
    Hbac logs show wrong rule name granting access
https://fedorahosted.org/sssd/ticket/1486
    [abrt] sssd-1.8.4-14.fc17: sss_ldap_init_send: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
https://fedorahosted.org/sssd/ticket/1496
    [abrt] sssd-1.8.4-14.fc17: ldap_pvt_sasl_getmechs: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
https://fedorahosted.org/sssd/ticket/1505
    sudo with sss backend should use ipa_hostname
https://fedorahosted.org/sssd/ticket/1509
    libsss_sudo is not updated when yum update sssd is called
https://fedorahosted.org/sssd/ticket/1513
    Change the processing of the SELinux default map
https://fedorahosted.org/sssd/ticket/1515
    pam_sss report System Error on wrong password
https://fedorahosted.org/sssd/ticket/1516
    krb5_mod_ccname should cancel the transaction at one place only
https://fedorahosted.org/sssd/ticket/1519
    membership of IPA hostgroups is not evaluated when treating them as netgroups
https://fedorahosted.org/sssd/ticket/734
    on reconnect we need to detect that a ipa/ds server has been reinitialized
https://fedorahosted.org/sssd/ticket/1156
    Do not use "goto" to jump backwards in the proxy code
https://fedorahosted.org/sssd/ticket/1194
    when nesting limit is reached, the LDAP provider tries to establish link to members outside the nesting limit
https://fedorahosted.org/sssd/ticket/1345
    sssd does not warn into sssd.log for broken configurations
https://fedorahosted.org/sssd/ticket/1365
    ipv6 address with square brackets doesn't work for krb5_server
https://fedorahosted.org/sssd/ticket/1388
    domain.remove_provider() does not work
https://fedorahosted.org/sssd/ticket/1390
    Add support for nested automount maps
https://fedorahosted.org/sssd/ticket/1393
    shadow attributes should accept -1
https://fedorahosted.org/sssd/ticket/1396
    Kerberos validation algorithm is insufficient for cross-realm trusts
https://fedorahosted.org/sssd/ticket/1415
    Group lookups no longer work when fastcache cannot be initialized
https://fedorahosted.org/sssd/ticket/1416
    sssd_be crashes on using inappropriate keytab file
https://fedorahosted.org/sssd/ticket/1430
    Password change prompt doesn't appear when "User must change password on next logon" is set for a AD user.
https://fedorahosted.org/sssd/ticket/1436
    LOCAL domain lookups don't work
https://fedorahosted.org/sssd/ticket/1446
    sssd does not try another server when unable to resolve hostname
https://fedorahosted.org/sssd/ticket/1447
    Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted LDAP connection
https://fedorahosted.org/sssd/ticket/1453
    proxy provider: value stored to status is never read in get_pw_name
https://fedorahosted.org/sssd/ticket/1455
    SELinux code must fall back to default only if there are no rules on the server
https://fedorahosted.org/sssd/ticket/1456
    Attempt to close the same file stream twice
https://fedorahosted.org/sssd/ticket/1457
    Insecure temporary file in IPA subdomain provider
https://fedorahosted.org/sssd/ticket/1459
    SRV servers are always marked as back up
https://fedorahosted.org/sssd/ticket/1460
    SSSD thread issue can cause the application to not get any identity information
https://fedorahosted.org/sssd/ticket/1470
    FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
https://fedorahosted.org/sssd/ticket/1472
    Duplicate detection in fail over does not work
https://fedorahosted.org/sssd/ticket/1478
    ldap_autofs_* options missing from /usr/share/sssd/sssd.api.d/sssd-ldap.conf
https://fedorahosted.org/sssd/ticket/1480
    1.9.0b6 does not build with SELinux disabled
https://fedorahosted.org/sssd/ticket/1488
    Segfault in IPA subdomain provider
https://fedorahosted.org/sssd/ticket/1490
    SSSD does not close TCP connections when SSL fails
https://fedorahosted.org/sssd/ticket/1491
    Consolidate functions that make a realm upper-case
https://fedorahosted.org/sssd/ticket/1492
    There is no /etc/selinux/targeted/logins on RHEL5
https://fedorahosted.org/sssd/ticket/1500
    SSSD's default ccache location needs to be updated (again), and the man pages should reflect it
https://fedorahosted.org/sssd/ticket/904
    Create tool to seed a user for first-boot
https://fedorahosted.org/sssd/ticket/1087
    RFE: Allow Forcing User Shell
https://fedorahosted.org/sssd/ticket/1128
    Introduce the concept of a Primary Server in SSSD
https://fedorahosted.org/sssd/ticket/1185
    [Feature] AD Extensions
https://fedorahosted.org/sssd/ticket/1318
    RFE: make the NSS memory cache timeout configurable
https://fedorahosted.org/sssd/ticket/1368
    Missing hostid and subdomains sections in sssd-ipa.conf
https://fedorahosted.org/sssd/ticket/1380
    domain_realm mappings manipulation by sssd
https://fedorahosted.org/sssd/ticket/1418
    document how sudo works with sssd
https://fedorahosted.org/sssd/ticket/1420
    sudo: provide automatic configuration of machine hostnames
https://fedorahosted.org/sssd/ticket/1427
    Don't refresh HBAC rules when looking up SELinux rules
https://fedorahosted.org/sssd/ticket/1429
    IPA session code returns error when SELinux mapping rule links to an HBAC rule
https://fedorahosted.org/sssd/ticket/1432
    Mention AD Provider in manpage of sssd.conf
https://fedorahosted.org/sssd/ticket/1433
    Suggested additions to manpage of sssd-ad
https://fedorahosted.org/sssd/ticket/1435
    SELinux specificity does not work with HBAC rules
https://fedorahosted.org/sssd/ticket/1439
    sss_pam needs to write out SELinux login file during the account phase
https://fedorahosted.org/sssd/ticket/1445
    The SELinux login file needs to be created by the responder, not PAM module
https://fedorahosted.org/sssd/ticket/1448
    sss_seed tool review issues
https://fedorahosted.org/sssd/ticket/1360
    format of file for pam_selinux is incorrect
https://fedorahosted.org/sssd/ticket/1379
    Possible use of uninitialized values
https://fedorahosted.org/sssd/ticket/1395
    SELinux rule matching ignores specificity requirement
https://fedorahosted.org/sssd/ticket/1417
    Several unowned directories
https://fedorahosted.org/sssd/ticket/1419
    sssd incorrectly sets shadowLastChange in seconds not days
https://fedorahosted.org/sssd/ticket/1421
    selinux rules are never deleted from sysdb
https://fedorahosted.org/sssd/ticket/1422
    When ldap_sasl_minssf is assigned large values, appropriate error message should be logged sssd_DOMAIN log
https://fedorahosted.org/sssd/ticket/1431
    Set "krb5_canonicalize = False" for password change to work
https://fedorahosted.org/sssd/ticket/1239
    [RFE] sudo: send username and uid while requesting default options
https://fedorahosted.org/sssd/ticket/1299
    Per domain formats for qualified user names
https://fedorahosted.org/sssd/ticket/1352
    [RFE] Add the subdomain functionality to IPA auth provider
https://fedorahosted.org/sssd/ticket/1377
    [RFE] Add AD provider
https://fedorahosted.org/sssd/ticket/1382
    pac responder interface needs checks
https://fedorahosted.org/sssd/ticket/1385
    heimdal: compile time difference
https://fedorahosted.org/sssd/ticket/1398
    Dependency issue while "yum update libsss_sudo"
https://fedorahosted.org/sssd/ticket/1403
    Combine keytab options for AD provider
https://fedorahosted.org/sssd/ticket/1404
    AD provider should default to case-insensitive operation
https://fedorahosted.org/sssd/ticket/1407
    Revert sssd patch for limiting enctypes to keytab
https://fedorahosted.org/sssd/ticket/1409
    Resource leak in sssdpac_import_authdata
https://fedorahosted.org/sssd/ticket/1410
    Dead code in ipa_subdomains_handler_done()
https://fedorahosted.org/sssd/ticket/1412
    Starting SSSD with a domain using the LOCAL provider segfaults the responders
https://fedorahosted.org/sssd/ticket/1163
    [Feature] SSSD AD Integration Feature (Cross Realm Kerberos Trusts)
https://fedorahosted.org/sssd/ticket/1354
    Add support for terminating idle connections in sssd_nss
https://fedorahosted.org/sssd/ticket/1383
    sssd_nss segfaults performing netgroup lookups without a specified domain
https://fedorahosted.org/sssd/ticket/974
    [RFE] Support DIR: credential caches for multiple TGT support
https://fedorahosted.org/sssd/ticket/984
    RFE: sssd should support Netscape LDAP password expiration controls
https://fedorahosted.org/sssd/ticket/1213
    Warn to syslog when dereference requests fail
https://fedorahosted.org/sssd/ticket/1240
    sudo: contact data provider only once
https://fedorahosted.org/sssd/ticket/1255
    RFE: change the way we deal with fake users
https://fedorahosted.org/sssd/ticket/1256
    Document the expectations about ghost users showing in the lookups
https://fedorahosted.org/sssd/ticket/1330
    Potential NULL dereference in sss_krb5_read_etypes_for_keytab
https://fedorahosted.org/sssd/ticket/1336
    Please only use named parameters in translatable strings
https://fedorahosted.org/sssd/ticket/1337
    Minor typos in SSSD messages and man pages
https://fedorahosted.org/sssd/ticket/1346
    in-memory cache causes nss to segfault if it cannot be initialized properly
https://fedorahosted.org/sssd/ticket/1367
    Optimize AD memberOf lookups with LDAP_MATCHING_RULE_IN_CHAIN
https://fedorahosted.org/sssd/ticket/357
    SSSD should provide fast in memory cache to provide similar functionality as NSCD currently provides
https://fedorahosted.org/sssd/ticket/783
    Support range retrievals
https://fedorahosted.org/sssd/ticket/887
    Implement mechanism to fetch and store domain info
https://fedorahosted.org/sssd/ticket/917
    Document sss_tools better
https://fedorahosted.org/sssd/ticket/949
    Filter out inappropriate IP addresses from IPA dynamic DNS update
https://fedorahosted.org/sssd/ticket/996
    RFE: Allow Constructing uid from Active Directory objectSid
https://fedorahosted.org/sssd/ticket/1031
    [RFE] Implement "AD friendly" schema mapping
https://fedorahosted.org/sssd/ticket/1064
    Sub-Domains: define new get_domains method
https://fedorahosted.org/sssd/ticket/1065
    Sub-Domains: implement new get_domains method in IPA provider
https://fedorahosted.org/sssd/ticket/1067
    Sub-Domains: add new get_domains method to responders
https://fedorahosted.org/sssd/ticket/1114
    get_uid_from_pid() performs an improper read
https://fedorahosted.org/sssd/ticket/1119
    Monitor SIGKILL time should be configurable
https://fedorahosted.org/sssd/ticket/1140
    RFE Request for including pam_pwd_expiration_warning = 0 in sssd.conf
https://fedorahosted.org/sssd/ticket/1170
    sss_cache should support invalidating services and autofs maps
https://fedorahosted.org/sssd/ticket/1172
    Bad check for id_provider=local and access_provider=permit
https://fedorahosted.org/sssd/ticket/1174
    sssd.conf has wrong defaults for the "command" parameter
https://fedorahosted.org/sssd/ticket/1176
    SSH: Add dp_get_host_send to common responder code
https://fedorahosted.org/sssd/ticket/1181
    Typos in sssd manual
https://fedorahosted.org/sssd/ticket/1203
    Hash the hostname/port information in the known_hosts file.
https://fedorahosted.org/sssd/ticket/1209
    Convert all read and write loops to use atomic I/O function
https://fedorahosted.org/sssd/ticket/1233
    Memory leak in sss_sudo_send_recv_generic
https://fedorahosted.org/sssd/ticket/1250
    Add default home directory mapping
https://fedorahosted.org/sssd/ticket/1271
    Stop using HTML_FOOTER_DESCRIPTION in doxygen docs
https://fedorahosted.org/sssd/ticket/1281
    Add unit test for compatibility of ldap options between schemas
https://fedorahosted.org/sssd/ticket/1289
    Create a way to define a default shell for cases when there no shell
https://fedorahosted.org/sssd/ticket/1297
    Use keytab to select etypes for krb5_get_init_creds_keytab()
https://fedorahosted.org/sssd/ticket/1298
    Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()
https://fedorahosted.org/sssd/ticket/1301
    sss_cache does nothing when executed without any options.
https://fedorahosted.org/sssd/ticket/1305
    sss_cache should return a warning/error while validating unknown user/group
https://fedorahosted.org/sssd/ticket/1306
    sss_cache should return an error, when executed against inactive domains
https://fedorahosted.org/sssd/ticket/1313
    exec_child, execv and friends don't return success
https://fedorahosted.org/sssd/ticket/1316
    kpasswd server status set to working when Kerberos auth succeeds

== Detailed Changelog ==
Ariel Barria (6):
     * Bad check for id_provider=local and access_provider=permit
     * Potential NULL dereference in proxy provider
     * Warn to syslog when dereference requests fail
     * Clarify how comments work in sssd.conf
     * SIGUSR2 should force SSSD to reread resolv.conf as well
     * Missing resolv.conf should be non-fatal

George McCollister (1):
     * libcrypto fully implemented

Jakub Hrozek (205):
     *  Fix SSH compilation on RHEL5
     *  AUTOFS: IPA provider
     *  Two sssd-ldap manual pages fixes
     *  Fix group enumeration
     *  Only fetch SELinux string if the user is found
     *  Remove setent structure when callback is called
     *  Allocate setent structure on state, not on the client context
     *  Fix memory hierarchy when processing nested group memberships
     *  Fix case insensitive service lookups
     *  Include the fd_limit configuration option
     *  End request if ldap_parse_result fails
     *  remove unused function
     *  Save errno value before calling DEBUG
     *  libnl: fix the path to phy80211 subdirectory
     *  AUTOFS: Invoke implicit setautomntent if needed
     *  AUTOFS: Search all search bases for automounter map entries
     *  AUTOFS: speed up the client by requesting multiple entries at once
     *  Use proper errno code
     *  Only do one cycle when resolving a server
     *  krb5_child: set debugging sooner
     *  Search netgroups by alias, too
     *  Detect cycle in the fail over on subsequent resolve requests only
     *  Autofs: operate on contents of double-pointer, not address
     *  Only free returned values on success
     *  Save original name into the in-memory cache
     *  Handle errors from lookup_netgr_step gracefully
     *  Fix nested groups processing
     *  Fix netgroup error handling
     *  Handle empty elements in proxy netgroups:
     *  Fix uninitialized variable
     *  Free entry found in negative cache
     *  Make the string_equal() function public
     *  Save alias of the primary name, too
     *  NSS: Look for services with correct case when cache is updated
     *  AUTOFS: fix copy-and-paste bug in the autofs client
     *  LDAP services: Keep the protocol around
     *  Silence Coverity warning in the autofs test tool
     *  Return correct resolv_status on resolver timeout
     *  Add sss_get_cased_name_list utility function
     *  LDAP services: Save lowercased protocol names in case-insensitive domains
     *  Proxy services: Save lowercased protocol names and aliases in case-insensitive domains
     *  Fix off-by-one error in principal selection
     *  Catch cases where D-Bus connection is NULL
     *  Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
     *  Fix regression in SSSDConfig.py
     *  netlink integration: ensure that interface name is NULL-terminated
     *  Remove forgotten DEBUG message
     *  autofs: load the correct option
     *  man: document that referral chasing might bring performance penalty
     *  Prevent printing NULL from DEBUG messages
     *  Do not call sdap_auth if not needed
     *  pam_sss: improve error handling in SELinux code
     *  Remove the "command" option from documentation
     *  Add sysdb_set_service_attr and sysdb_set_autofsmap_attr
     *  sss_cache: support invalidating services and autofs maps
     *  autofs: Raise the maximum key length to PATH_MAX
     *  sss_cache: Better error reporting
     *  MAN: timeout can be specified for services, too
     *  MAN: document the hostid and autofs providers
     *  proxy: Canonicalize user and group names
     *  proxy: new option proxy_fast_alias
     *  Free controls in sdap_rebind_proc
     *  Make the monitor SIGKILL time configurable
     *  sdap_check_aliases must not error when detects the same user
     *  sss_atomic_io: Do not fail reads with EPIPE if there is not enough data to read
     *  Move atomic io function to a separate module
     *  Convert read and write operations to sss_atomic_read
     *  Document sss_tools better
     *  Warn on 'make update-po' if there are manpages not listed in po4a.cfg
     *  Test RFC2307bis and RFC2307 option maps
     *  Get the RootDSE after binding if not successful before
     *  Lowercase group members in case-insensitive domains
     *  NSS: Only return data from initgroups once
     *  SUDO: Return ret, not EOK
     *  SYSDB: return EOK if empty message is passed into get_rm_msg
     *  SYSDB: check return value
     *  SSH: return NULL on error in ssh_host_pubkeys_format_known_host_plain
     *  SERVER: use the correct return code of sss_atomic_write_s
     *  LDAP: check return value of sysdb_attrs_get_el
     *  RESPONDER: check return value from confdb_get_int
     *  PYHBAC: Return NULL on failure
     *  PAM_SSS: report error code if write fails
     *  NSS: Check return code of sss_mmap_cache_gr_store
     *  IPA netgroups: return EOK when there are no netgroups to process
     *  ipa_get_config_send: remove unused assignment
     *  HBAC: Prevent NULL dereference in hbac_evaluate
     *  DP: return correct error message when subdomains back end target is not configured
     *  NSS: fix returning group from cache
     *  SSS_DEBUGLEVEL: silence analyzer warnings
     *  PROXY: return correct return codes
     *  IPA: Check return values
     *  AUTOFS: remove unused assignments
     *  Rename split_service_name_filter
     *  SSH: Add dp_get_host_send to common responder code
     *  Read sysdb attribute name, not LDAP attribute map name
     *  Kerberos locator: Include the correct krb5.h header file
     *  Special-case LDAP_SIZELIMIT_EXCEEDED
     *  krb5 locator: Do not leak addrinfo
     *  Only reset kpasswd server status when performing a chpass operation
     *  Try all KDCs when getting TGT for LDAP
     *  Send the correct enumeration request
     *  subdomains: Fix error handling in Data Provider
     *  Filter out IP addresses inappropriate for DNS forward records
     *  sysdb: return proper error code from sysdb_sudo_purge_all
     *  SYSDB: Handle user and group renames better
     *  NSS: keep a pointer to body after body is reallocated
     *  Use sized_string correctly in FQDN domains
     *  Use the sysdb attribute name, not LDAP attribute name
     *  LDAP nested groups: Do not process callback with _post deep in the nested structure
     *  Send 16bit protocol numbers from the sss_client
     *  Revert the client packet length, too, after reverting the packet protocol
     *  Fix the default sssd.conf path
     *  Fix the 0.11 sysdb upgrade
     *  sss_names_init: Report correct error code if allocation failed
     *  Two small krb5_child fixes
     *  Provide more debugging in krb5_child and ldap_child
     *  Allow redefining the KRB5_CHILD path
     *  Split parse_krb5_child_response so it can be reused
     *  Add a krb5_child test tool
     *  Residual util functions
     *  Handle trailing slash in the ccname template
     *  Add a credential cache back end structure
     *  Add support for storing credential caches in the DIR: back end
     *  Use Kerberos context in KRB5_DEBUG
     *  Make krb5_ccname_template and krb5_ccachedir configurable
     *  Print based on pointer contents not address
     *  Cast uid_t to unsigned long long in DEBUG messages
     *  Update translations for 1.9.0 beta 4 release
     *  Bumping version to 1.9.0 beta 5
     *  Add newline to DEBUG messages
     *  RPM: Own several directories
     *  Add missing "%" to specfile
     *  IPA: Download defaults even if there are no SELinux mappings
     *  SYSDB: Delete SELinux mappings
     *  IPA: Return and save all SELinux rules in the provider
     *  PAM: Fix off-by-one-error in the SELinux session code
     *  Update translations for 1.9.0 beta 5 release
     *  Bumping version to 1.9.0 beta 6
     *  Fix sysdb_search_selinux_usermap_by_username return value
     *  Fix SSSDConfigTest
     *  Fix bad check
     *  Create a domain-realm mapping for krb5.conf to be included
     *  Update translations for 1.9.0 beta 6 release
     *  Bumping version for the 1.9.0 release
     *  Don't call fo_set_{server,port}_status for SRV servers
     *  Fix the version number
     *  SYSDB: Check the return value
     *  SYSDB: Use ldb_msg_add_string for simple string additions
     *  Failover: Return last tried server if it's still being tried
     *  Subdomains: Send the DP reply in the correct format
     *  Always mark SRV servers as primary
     *  Allocate on top of a talloc context, not NULL
     *  Abort PAM access phase if HBAC does not return PAM_SUCCESS
     *  Change default for ldap_idmap_range_min to 200000
     *  Don't use server after SRV data collapsed
     *  Document entry_cache_autofs_timeout
     *  Add autofs-related options to configAPI
     *  sss_client: Group lookups should work even when fastcache cannot be initialized
     *  FO: Don't retry the same server if it's not working
     *  FO: Return EAGAIN if there are more servers to try
     *  KRB5: Only return PAM error for unreachable kpasswd when performing chpass
     *  Build SELinux code in responder conditionally
     *  Do not try to remove the temp login file if already renamed
     *  Only create the SELinux login file if there are mappings on the server
     *  Fix compilation error in Python murmurhash bindings
     *  Process all groups from a single nesting level
     *  Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
     *  RPM: Switch the default ccache location
     *  RPM: Always include the patch file
     *  Check if the SELinux login directory exists
     *  SYSDB: Commit transaction in sysdb_store_user
     *  SYSDB: Abort unit test if sysdb_getpwnam fails
     *  Retry the next server if bind during LDAP auth times out
     *  Don't terminate the same connection twice
     *  Update translations for 1.9.0 beta 7 release
     *  Bumping version for the 1.9.0 beta 7 release
     *  libsss_sudo should have a versioned dependency on SSSD
     *  KRB5: cancel the sysdb transaction on one place only
     *  KRB5: Return PAM_AUTH_ERR on incorrect password
     *  RPM: BuildRequire selinux-policy-targeted
     *  SYSDB: NULL-terminate the output of sysdb_get_{ranges,subdomains}
     *  KRB5: Add a missing string argument
     *  NSS: Fix off-by-one error in parse_getservbyname
     *  FO: Check server validity before setting status
     *  DB: Always write the SELinux object to sysdb
     *  SELinux: Always use the default if it exists on the server
     *  Updating the translations for the 1.9.0 RC1 release
     *  Updating the version for the RC1 release
     *  KRB5 child: Don't return System Error on empty password
     *  KRB5 child: handle more error codes gracefully
     *  DB: Cancel transaction in sysdb_store_user if sysdb_add_user fails
     *  Mark the fastcache files in the spec file as %ghost
     *  autofs, sudo, ssh and PAC are not experimental anymore
     *  AUTOFS: Do not fail if search base is not provided
     *  AUTOFS: Add sysdb tests
     *  AUTOFS: Add entry objects below map objects
     *  AUTOFS: Use both key and value in entry RDN
     *  AUTOFS: convert the existing autofs entries during a sysdb upgrade
     *  SYSDB: Remove unnecessary domain parameter from several sysdb calls
     *  DB: Use TALLOC_CTX for talloc context
     *  KRB5: Recover gracefully if the ccache file could not be reused
     *  Detect LDAPDerefRes in configure script
     *  RPM: Create ghost files during install
     *  Set the version number to 1.9.0 for the release
     *  Updating translations for the 1.9.0 release

Jan Cholasta (29):
     *  Add methods for activating and deactivating services to SSSDConfig
     *  Add ssh service to sssd.api.conf
     *  SSH: Verify that names received from client are valid UTF-8 in responder
     *  SSH: Build man pages conditionally
     *  SSH: Save SSH host name aliases
     *  SSH: Refactor responder and client common code
     *  UTIL: Add function for atomic I/O
     *  SSH: Continue connecting to SSH server even when SSSD is not running in sss_ssh_knownhostsproxy
     *  SSH: Manage global known_hosts file in the responder
     *  SSH: Don't abort known_hosts update when host search fails
     *  SSH: Add more debugging messages
     *  SSH: Add missing break statements to sss_ssh_format_pubkey
     *  SSH: Use fchmod instead of chmod on known_hosts file
     *  SSH: Replace blocking getaddrinfo call in the responder with asynchronous resolver code
     *  SSH: Remove unused --file option of sss_ssh_knownhostsproxy
     *  SSH: Update sss_ssh_knownhostsproxy manual page
     *  Include missing source files to the list of source files which contain translatable strings
     *  SSH: Allow clients to explicitly specify host alias
     *  SSH: Canonicalize host name and do reverse DNS lookup in sss_ssh_knownhostsproxy
     *  SSH: Fix infinite loop in sss_ssh_knownhostsproxy
     *  UTIL: Add HMAC-SHA-1 function
     *  SSH: Add support for hashed known_hosts
     *  SSH: Update sss_ssh_knownhostsproxy manual page
     *  SSH: Suppress error message output in sss_ssh_knownhostsproxy
     *  SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
     *  SSH: Return error code in SSH utility functions
     *  SSH: Simplify public key formatting function
     *  SSH: Add support for OpenSSH-style public keys
     *  SSH: Fix possible infinite loop when updating known_hosts

Jan Engelhardt (1):
     *  build: resolve link failure

Jan Vcelak (1):
     * LDAP: Properly cast type for MINSSF value

Jan Zeleny (87):
     *  Fixed issue with netgroup update in IPA provider
     *  Don't give memory context in confdb where not needed
     *  IPA hosts refactoring
     *  SELinux related attributes added to config API
     *  Delete missing attributes from netgroups to be stored
     *  Modifications to simplify list_missing_attrs
     *  Fix the script path
     *  Fixed uninitialized pointer in SSH known host proxy
     *  Fixed uninitialized pointer in SSH authorized keys client
     *  Add umask before mkstemp() call in SSH responder
     *  Fixed resource leak in ssh client code
     *  Removed a block of dead code in sdap_async_groups.c
     *  Removed unused block of code in sdap_fill_memberships()
     *  Removed unused function sysdb_attrs_users_from_ldb_vals()
     *  Fixed memory context in sdap_fill_memberships()
     *  Fixed minor memory leak in ldap provider
     *  Sysdb routines for subdomains
     *  Add some utility functions for subdomains
     *  Add conn_name to allow different names for domains and connections
     *  Responder part of the subdomain retrieval work
     *  Modified responder_get_domain()
     *  Retrieve subdomains if there is a request for fully qualified user
     *  Ask for subdomains in responder in the first request after startup
     *  New config option for subdomains
     *  Moved expand_homedir_template() from NSS responder to utility code
     *  Add ID operations in subdomains
     *  Send PAM requests for subdomains to the right provider
     *  Basic support for subdomains in auth provider
     *  Carry sysdb context and domain info in be_req structure
     *  Accept be_req instead of be_ctx in LDAP access provider
     *  Detect subdomain request in IPA access provider
     *  Utilize sysdb context within be_req in HBAC
     *  Two fixes in responder subdomain code
     *  Modify behavior of pam_pwd_expiration_warning
     *  Fixed two minor memory leaks
     *  Fixed issue in SELinux user maps
     *  Ghost members - add the ghost attribute to sysdb
     *  Ghost members - support in LDAP provider
     *  Ghost members - support in proxy provider
     *  Ghost members - modifications in sysdb
     *  Ghost members - modifications in memberof plugin
     *  Ghost members - sysdb upgrade routine
     *  Ghost members - NSS responder changes
     *  Ghost members - removed sdap_check_aliases()
     *  Ghost members - modified sss_groupshow
     *  Ghost members - various small changes
     *  Add support for filtering attributes
     *  Utilize attribute exclusion in LDAP initgroups
     *  Fixed setting of debug level in test suite
     *  IPA subdomains - ask for information about master domain
     *  Allow fast memcache timeout to be configurable
     *  Fix an issue in ghost users
     *  Provide "service filter" for SELinux context
     *  Fixed debug message in sdap_save_group()
     *  Fix possible segfault in sdap_save_group()
     *  PAC responder: add some utility functions
     *  PAC responder: test suite
     *  Fix re_expression matching with subdomains
     *  SELinux user maps: pick just one map
     *  Fixed wrong number in shadowLastChange
     *  Add function sysdb_attrs_copy_values()
     *  Modify priority evaluation in SELinux user maps
     *  Added some DEBUG statements into SELinux related code
     *  Extend category support in SELinux user maps
     *  Remove ipa_selinux_map_merge()
     *  Fix linking of HBAC rules and SELinux user maps
     *  Provide counter of possible matches in SELinux IPA provider
     *  Always free request in data provider PAM callback
     *  Renamed session provider to selinux provider
     *  Move SELinux processing from session to account PAM stack
     *  Remove unused member of be_req
     *  Write SELinux config files in responder instead of PAM module
     *  Modify hbac_get_cached_rules() so it can be used outside of HBAC code
     *  Support fetching of HBAC rules from sysdb in SELinux code
     *  Support fetching of host from sysdb in SELinux code
     *  Primary server support: introduce concept of reconnection
     *  Primary server support: basic support in failover code
     *  Primary server support: support for "disconnecting" connections in LDAP
     *  Primary server support: IPA adaptation
     *  Primary server support: krb5 adaptation
     *  Primary server support: LDAP adaptation
     *  Primary server support: AD adaptation
     *  Primary server support: man page, failover section
     *  Primary server support: new option in ldap provider
     *  Primary server support: new options in krb5 provider
     *  Primary server support: new option in IPA provider
     *  Primary server support: new option in AD provider

Joshua Roys (1):
     * Simple implementation of Netscape password warning expiration control

Marco Pizzoli (1):
     * Two manual pages fixes

Michal Zidek (18):
     *  Fixed: Unchecked return value from dp_opt_set_int.
     *  Fixed: Uninitialized value in krb5_child-test if ccname was specified.
     *  Added unit test for sysdb_ssh.c
     *  Return value of fread in src/tools/sss_debuglevel.c no longer ignored.
     *  Change default value of ldap_sasl_string to host/hostname@REALM in man page.
     *  SRV resolution for backup servers should not be permitted.
     *  When ldap_group_nesting_level was reached, the LDAP provider tried to link group members with groups outside nesting limit.
     *  Duplicate detection in fail over did not work.
     *  Typo in debug message (SSSd -> SSSD).
     *  Unify usage of sysdb transactions
     *  Fix: IPv6 address with square brackets doesn't work.
     *  Adding -std=gnu99 flag.
     *  Unify usage of sysdb transactions (part 2).
     *  LDB_ERR_INVALID_ATTRIBUTE_SYNTAX added to sysdb_error_to_errno.
     *  SSSD fails to store users if any of the requested attribute is empty.
     *  tools_util.h provides signal_sssd function.
     *  sss_cache tool invalidates records in memory cache.
     *  Bad debug message when no dns_discovery_domain specified.

Nick Guay (4):
     *  added DEBUG messages to krb5_child and ldap_child
     *  Fix uninitialized values
     *  First-boot sss_seed tool
     *  remove duplicate sss_obfuscate reference in seealso manpage section

Ondrej Kos (7):
     *  Removed unused variable assignment
     *  Replaced "id_max" & "id_min"
     *  Backward GOTOs rewritten into do-while loops.
     *  AD context was set to null due to type mismatch
     *  Consolidation of functions that make realm upper-case
     *  Out-of-bounds read fix in hmac-sha-1
     *  Add more debuginfo into ldap_child

Pavel Březina (96):
     * Improve debug messages in sysdb_sudo_check_time()
     * SUDO responder: check if the input is a UTF-8 string
     * Refactor sss_result into sss_sudo_result
     * Redesign purging of the sudo cache
     * Honor case_sensitive option in sudo responder
     * Move sudo_dom_ctx.user to local variable
     * Hide --debug option in sss_debuglevel
     * Two memory leaks in sss_sudo_get_values
     * Missing debug message if sdap_sudo_refresh_set_timer fails
     * Use of uninitialized value in sudosrv_cache_set_entry and sudosrv_cache_lookup_internal
     * Use of uninitialized value in sss_sudo_parse_response
     * Potential NULL-dereference in sudosrv_cmd_get_sudorules
     * sudo api: check sss_status instead of errnop in sss_sudo_send_recv_generic()
     * Install and uninstall all documentation
     * fix copy and paste error in comment
     * Fix typo in debug message
     * sudo api: remove EOK
     * sudo responder: remove code duplication in commands
     * sudo responder: get rid of dctx where possible
     * sudo sysdb: make sysdb_get_sudo_user_info more configurable
     * sudo api: send uid, username and domainname
     * sudo responder: change protocol version to 1
     * libsss_sudo: bump version to 2:0:1
     * sudo responder: discard in-memory cache
     * sudo ldap provider: move async routines to sdap_async_sudo.c
     * sudo ldap provider: give sdap_sudo_refresh_send() search and purge filters
     * confdb: add entry_cache_sudo_timeout option
     * sudo ldap provider: add sysdb ctx in sdap_sudo_refresh_state
     * sudo ldap provider: add domain info in sdap_sudo_refresh_state
     * sudo ldap provider: add expiration time to each rule
     * sysdb: add getter/setter for last sudo full refresh time
     * sudo ldap provider: provide API for full refresh
     * sudo ldap provider: add support for on demand full refresh
     * sudo ldap provider: provide API for refresh of specific rules
     * sudo ldap provider: add support for on demand refresh of specific rules
     * sudo backend - support only on demand full refresh
     * sudo backend - add support for on demand refresh of specific rules
     * sudo provider: add ldap_sudo_full_refresh_interval
     * sudo provider: remove old timer
     * sudo ldap provider: add new timer API
     * sysdb: remove sudo_set/get_refreshed
     * sudo ldap provider: support periodical full refresh
     * ldap provider: add sudo usn value
     * sudo ldap provider: find highest USN
     * sudo ldap provider: add sdap_sudo_set_usn()
     * sudo ldap provider: remember highest usn after full refresh
     * sudo ldap provider: add smart refresh API
     * sudo ldap provider: when sysdb filter is NULL remove downloaded rules
     * sudo provider: add ldap_sudo_smart_refresh_interval
     * sudo ldap provider: add periodical smart refresh API
     * sudo ldap provider: support periodical smart refresh
     * sudo responder: new request enum type
     * sudo sysdb: add expiration time to the filter
     * sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache()
     * sudo responder: update dp interface
     * sudo responder: refresh expired rules
     * sudo ldap provider: return number of downloaded rules in sdap_sudo_refresh_recv()
     * sudo ldap provider: notify responder when an expired rule has been deleted
     * sudo responder: schedule OOB full refresh when expired rule is deleted
     * sudo: clean up
     * sudo ldap provider: modify highest USN in sdap_sudo_rules_refresh_done()
     * sdap_sudo.c: move _recv after _done
     * sudo ldap provider: pass sudo_ctx instead of id_ctx
     * sudo: add host info options
     * sudo ldap provider: load host filter configuration on init
     * sudo ldap provider: mark sdap_sudo_setup_periodical_refresh() as static
     * sudo ldap provider: do per-host updates
     * sudo ldap provider: support autoconfiguration of IP addresses
     * sudo: manpage updated
     * resolv_gethostbyname_send: strdup hostname to work properly when hostname is allocated on stack
     * sudo test client: avoid SIGSEGV when run without arguments
     * sdap_sudo.c: add missing end of line in few debug messages
     * add hostid and subdomains sections in sssd-ipa.conf
     * manpage: seealso - include ssh conditionally
     * tests: allow changing cwd in all tests
     * manpage: sssd-sudo - documents how sudo works with sssd
     * sudo ldap provider: support autoconfiguration of hostnames
     * Unbreak SASL
     * tests: build sysdb ssh tests conditionally
     * shadow attributes can contain -1
     * Add end of line to debug message
     * monitor: set debug level when unable to load configuration
     * Remove redefinition of some SYSDB_* macros
     * Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC
     * Remove SYSDB_SUDO_CACHE_OC from attribute lists
     * Fix LOCAL domain lookups
     * Close LDAP connection when unable to install TLS
     * Unbreak build on RHEL5: replace ldap_destroy() with ldap_unbind_ext()
     * Remove compilation warning: ret may be uninitialized
     * Clean up cache on server reinitialization
     * netgroup: resolve hostgroup membership correctly
     * be_process_init(): free ctx on error
     * backend: initialize sudo only when it is enabled in services
     * Failover: use _srv_ when no primary server is defined
     * rpm: put localized sssd_krb5_locator_plugin manpages into client
     * sdap_add_incomplete_groups(): fix ret may be uninitialized warning

Rambaldi (2):
     *  heimdal: fix compile error in krb5-child-test
     *  heimdal: use sss_krb5_princ_realm to access realm

Shantanu Goel (4):
     *  Set return errno to the value prior to calling close().
     *  Log message if close() fails in destructor.
     *  Do not send SIGPIPE on disconnection
     *  Add support for terminating idle connections

Simo Sorce (31):
     *  nss_group: Cache the result from sssd when the glibc provided buffer is too small.
     *  pam_sss: keep selinux optional
     *  Use the correct hash table for pending requests
     *  util: Helper headers for shared memory cache
     *  nsssrv: shared memory cache server initialization
     *  nsssrv: Add memory cache record handling utils
     *  nsssrv: add handling of memory cache passwd map
     *  sss_client: Add common shared memory cache utils
     *  sss_client: shared memory cache passwd map support
     *  nsssrv: add handling of memory cache group map
     *  sss_client: shared memory cache group map support
     *  Do not leak file descriptors in client libs.
     *  Add close on exec support for old platforms
     *  Fix segfault when sudo is not configured.
     *  Change subdomain_info
     *  tests: Remove useless consts
     *  80 columns police
     *  Fix double semi-colons
     *  Fix wrong elements used in comparison
     *  Use ldb_msg_add_string with bare strings
     *  Fix return error and debug message
     *  Make structure initializer more readable
     *  80 col and style fixes
     *  Use a more tractable name for subdomain request
     *  Add realm parameter to subdomain list
     *  Expose an initializer function from subdomain
     *  Change refreshing of subdomains
     *  Limit refreshes keeping track of last refresh time
     *  Add online callback to enumerate subdomains
     *  Add automatic periodic retrieval of subdomains
     *  Remove obsolete comment

Stef Walter (10):
     *  Fix erroneous reference to the 'allow' access_provider
     *  execv, excvp and exec_child never return EOK
     *  If canon'ing principals, write ccache with updated default principal
     *  Remove erroneous failure message in find_principal_in_keytab
     *  Limit krb5_get_init_creds_keytab() to etypes in keytab
     *  Clearer documentation for use_fully_qualified_names
     *  Make re_expression and full_name_format per domain options
     *  Move some debug lines to new debug log levels
     *  Fix crash when interface doesn't have an address
     *  Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8

Stephen Gallagher (178):
     *  Set version to 1.9dev
     *  Updating translatable strings for string freeze
     *  Updating translations
     *  Remove dead code
     *  Fix missing NULL check after malloc
     *  Avoid uninitialized value comparison
     *  Add missing breaks to switch statements
     *  Fix uninitialized in_transaction
     *  Fix bad failure handling in be_sudo_handler()
     *  Check for failure in sss_packet_grow()
     *  Fix uninitialized value error in proxy provider
     *  Ensure NULL-termination in get_uid_from_pid()
     *  Move sss_ssh_* binaries to the main 'sssd' package
     *  Always include all manpage XML files in the distribution tarball
     *  Fix missing %endif in sssd.spec.in
     *  NSS: Always return the same protocol that was requested
     *  LDAP: Ignore group member users that do not have name attributes
     *  RESPONDERS: Allow increasing the file-descriptor limit
     *  RESPONDERS: Make the fd_limit setting configurable
     *  Add tool to convert debug levels
     *  IPA: Add ipa_parse_search_base()
     *  LDAP: Properly assign orig_dn
     *  LDAP: Only use paging control on requests for multiple entries
     *  LDAP: Remove unnecessary filter sanitize
     *  Eliminate build-time requirement for nscd
     *  PAM: Don't send PAM_SYSTEM_INFO message if module unset
     *  Fix typo in autofs option description
     *  Include the debug_level upgrade tool in the tarball
     *  Include new manpages in translations
     *  Fix typo in script name
     *  Handle cases where UID is -1
     *  IPA: Set the DNS discovery domain to match ipa_domain
     *  IPA: Fix segfault with srchost functionality enabled
     *  DP: Reorganize memory hierarchy of requests
     *  Prune python provides correctly
     *  Make RPM spec more explicit
     *  Build experimental features by default in RPMs
     *  Properly terminate GIT_CHECKOUT
     *  LDAP: Make sdap_access_send/recv public
     *  IPA: Check nsAccountLock during PAM_ACCT_MGMT
     *  PROXY: Create fake user entries for group lookups
     *  SSH: Fix missing semicolon
     *  IPA: Initialize hbac_ctx to NULL
     *  i18n: Remove empty translations
     *  LDAP: Add AD 2008r2 schema
     *  IPA: Allow service lookups
     *  SYSDB: Save only lowercased aliases in case-insensitive domains
     *  LDAP: Errors retrieving the RootDSE should not be fatal
     *  NSS: Fix debug message
     *  Start SSSD earlier and stop it later
     *  LDAP: Add better error logging when ldap_result() fails
     *  LDAP: Fix memory leaks in synchronous_tls_setup
     *  BUILDSYS: Create common libs for LDAP and KRB5 sources
     *  Put dp_option maps in their own file
     *  Add terminator for dp_option
     *  Add better dp_option tests
     *  Add terminator for sdap_attr_map
     *  Add better tests for sdap_attr compatibility
     *  Remove old compatibility tests
     *  Fix building manpages in parallel build dirs
     *  Clean up log messages about keytab_name
     *  MAN: Improve ldap_disable_paging documentation
     *  MAN: Add ldap_sasl_minssf to the manpage
     *  Fix linker issue with pam_sss
     *  murmurhash: Relax inline requirement
     *  Handle endianness issues on older systems
     *  SYSDB: Handle upgrade script failures better
     *  LDAP: Add objectSID config option
     *  LDAP: Add id-mapping option
     *  SYSDB: Add sysdb routines for ID-mapping
     *  LDAP: Add helper routines for ID-mapping
     *  LDAP: Add ID mapping range settings
     *  LDAP: Initialize ID mapping when configured
     *  LDAP: Enable looking up ID-mapped users by name
     *  LDAP: Add autorid compatibility mode
     *  LDAP: Allow setting a default domain for id-mapping slice 0
     *  LDAP: Add routine to extract domain SID from an object SID
     *  LDAP: Allow automatically-provisioning a domain and range
     *  LDAP: Enable looking up id-mapped users by UID
     *  LDAP: Allow looking up ID-mapped groups by name
     *  LDAP: Enable looking up id-mapped groups by GID
     *  LDAP: Map the user's primaryGroupID
     *  LDAP: Add helper routine to convert LDAP blob to SID string
     *  LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped entries
     *  LDAP: Add helper function to map IDs
     *  LDAP: Treat groups with unmappable SIDs as non-POSIX groups
     *  MAN: Add manpage for ID mapping
     *  LDAP: Add support for enumeration of ID-mapped users and groups
     *  SSSDConfigAPI: Fix missing option in tests
     *  NSS: Add fallback_homedir option
     *  NSS: Add default_shell option
     *  SYSDB: Add better error logging to sysdb_set_entry_attr()
     *  LDAP: Add attr_count return value to build_attrs_from_map()
     *  LDAP: Handle very large Active Directory groups
     *  Updating translations for 1.9.0 beta 1 release
     *  Bumping version to 1.8.91 for 1.9.0 beta 1 release
     *  Bumping version to 1.8.92 for beta 2 development
     *  RPM: Allow running 'make rpms' on RHEL 5 machines
     *  NSS: Expire in-memory netgroup cache before the nowait timeout
     *  Always use positional arguments in translatable strings
     *  KRB5: Avoid NULL-dereference with empty keytab
     *  Update translation sources
     *  NSS: Fix segfault when mmap cache cannot be initialized
     *  NSS: Restore original protocol for getservbyport
     *  SSSDConfig: Make SSSDConfig a package
     *  SSSDConfig: Make default config and schema file locations configurable
     *  PAM: Better pam_reply message
     *  SYSDB: Reduce noise level of debug messages in lookups
     *  LDAP: Remove redundant check
     *  LDAP: Fix incorrect switch statement in sdap_get_initgr_done()
     *  LDAP: Add helper function to get list of a user's groups from sysdb
     *  LDAP: Make sdap_initgr_common_store() non-static
     *  LDAP: Add ldap_*_use_matching_rule_in_chain options
     *  LDAP: Add support for AD chain matching extension in group lookups
     *  LDAP: Add support for AD chain matching extension in initgroups
     *  LDAP: Auto-detect support for the ldap match rule
     *  LDAP: Fix missing variable in debug message
     *  SSS_CLIENT: Fix uninitialized value error
     *  Fix compilation on older little-endian systems
     *  KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_data
     *  KRB5: Auto-detect DIR cache support in configure
     *  KRB5: Avoid shadowing dirname
     *  Updating translations for 1.9.0 beta 2 release
     *  Bumping version to 1.9.0 beta 3
     *  Fix typo breaking DIR cache detection
     *  Make the client idle timeout configurable
     *  UTILS: Fix segfault due to sss_parse_name_for_domains
     *  BUILD: Change default unicode library to glib2
     *  Update translations for 1.9.0 beta 3 release
     *  Bumping version to 1.9.0 beta 4
     *  TESTS: Print messages when LDAP options do not match
     *  DEBUG: Log to syslog if we are unable to open a debug fd
     *  KRB5: Initialize the credential cache type properly
     *  IPA: Don't hang onto memory longer than necessary
     *  LDAP: Print extended failure message for SASL bind
     *  MAN: Unify "SEE ALSO" sections
     *  KRB5: Some logging enhancements for krb5_child
     *  KRB5_LOCATOR: Print the filename that couldn't be opened
     *  KRB5: Drop memctx parameter of krb5_try_kdcip
     *  KRB5: Create a common init routine for krb5_child options
     *  LDAP: Rename user and group maps for AD
     *  AD: Add AD identity provider
     *  AD: Add AD auth and chpass providers
     *  AD: Add AD access-control provider
     *  AD: Add AD provider to the spec file
     *  AD: use krb5_keytab for validation and GSSAPI
     *  AD: Add manpages and SSSDConfig entries
     *  CONFDB: Add the ability to set a boolean value in the confdb
     *  AD: Force case-insensitive operation in AD provider
     *  Fix use-after-free
     *  Fix uninitialized variable
     *  Fix potential NULL-dereference
     *  Fix potential NULL-dereference
     *  Fix incorrect return value in tests
     *  Fix potential NULL-dereference
     *  Fix uninitialized value return
     *  Fix uninitialized memcpy error
     *  Avoid NULL-dereference in error-handling
     *  Add missing return value check
     *  Check for errors from krb5_unparse_name
     *  Fix incorrect error-check
     *  Fix segfault when using local provider
     *  AD: Add missing DP option terminator
     *  AD: Fix defaults for krb5_canonicalize
     *  MAN: List all available backends for provider options
     *  MAN: Improvements to the AD provider manpage
     *  NSS: Add override_shell option
     *  SYSDB: Add log message for unexpected LDB errors
     *  SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider()
     *  IPA: Do not attempt to close the same file twice
     *  IPA: Securely set umask for mkstemp in subdomain provider
     *  MAN: Fix minor typo in ldap_search_base section
     *  MAN: Improve description of ldap_*_search_base options
     *  SYSDB: Make sysdb_attrs_get_el_int() public
     *  AD: autorid compatibility should recommend the use of default domain
     *  AD: Detect domain controller compatibility version
     *  AD: Optimize initgroups lookups with tokenGroups
     *  AD: Handle sysdb lookup failure during tokenGroups processing

Sumit Bose (40):
     * Use curly braces in pkgconfig metadata file
     * Keep sysdb context in domain info struct
     * Remove sysdb_get_ctx_from_list()
     * Always initialize the returned data in sss_krb5_princ_realm()
     * Add idmap library
     * Check sub-domains in nss_cmd_get{pwuid|grgid}_search()
     * data provider: added subdomains
     * IPA: Add get-domains target
     * Add domain name to get_account_info request
     * Add s2n extended operation
     * Allow different SID representations in libidmap
     * Fix typo in spec file
     * Fix endian issue in SID conversion
     * Rename struct dom_sid to struct sss_dom_sid
     * Fix libsss_hbac library version
     * sss_idmap: add support for samba struct dom_sid
     * sss_idmap: fix typo which prevents sub auth larger than 2^31
     * PAC responder: add basic infrastructure
     * PAC responder: add the core functionality
     * PAC responder: support in spec file
     * PAC client: add basic support in common client code
     * PAC client: add krb5 authdata plugin
     * Add support for ID ranges
     * Add range support to PAC responder
     * Try to build PAC responder only if all dependencies are available
     * Build pac responder tests only if pac responder is built
     * Add man page section for the PAC responder
     * Set default for subdomain_homedir
     * Fix SSSDConfigTest for separate build directories
     * Set file descriptor limits in pac responder
     * Remove resource leak in sssdpac_import_authdata
     * Remove dead code in ipa_subdomains_handler_done()
     * pac responder: limit access by checking UIDs
     * Add python bindings for murmurhash3
     * accept_fd_handler: add missing return
     * Fix fallback in validate_tgt()
     * Use new debug levels in validate_tgt()
     * Check flat names when searching for sub-domains as well
     * Add provider specific default regular expressions
     * Make subdomain discovery less noisy

Ville Skyttä (1):
     * Require and call ldconfig from subpackages if appropriate

Yuri Chornoivan (5):
     *  fix typos in manual
     *  Fix typo: retreiving->retrieving
     *  Fix typos in message and man pages.
     *  Fix typo: exhasution->exhaustion.
     *  Fix various typos in documentation.



