[Freeipa-interest] Announcing SSSD 1.10.0

Jakub Hrozek jhrozek at redhat.com
Thu Jun 27 21:05:35 UTC 2013


                       === SSSD 1.10.0 ===

The SSSD team is proud to announce the final release of version 1.10 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd.
RPM packages will be made available for Fedora 19 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
 * The main focus of the 1.10 release was improving the Active Directory
   integration.
   - The Active Directory provider now includes support for Site-based
     discovery. This feature allows the Active Directory clients to find
     the most suitable Domain Controller to connect to.
   - Support for dynamic DNS updates in the Active Directory provider. This
     feature enables the clients to automatically update or refresh their
     DNS records stored in the AD server.
   - The Active Directory provider now includes support for retrieving
     identity information and authentication as users from trusted domains
     in the same forest. The SSSD looks up the information using the Global
     Catalog.
   - The group memberships for Active Directory users can optionally be
     read from the PAC during login. If the PAC is not available (such as
     when group membership is requested for a user who has never logged in),
     the SSSD falls back to using tokenGroups. To enable this feature, add
     "pac" to the list of configured services in the "[sssd]" section of the
     "sssd.conf" config file.
   - The Active Directory provider is able to autodiscover the NetBIOS
     (flat) name of the domain it connects to. The NetBIOS name is discovered
     automatically on startup.
   - Support for Enterprise Kerberos principals was added. Currently
     the enterprise principals are only enabled by default in the Active
     Directory provider.
 * A new library called libsss_nss_idmap was introduced. This library
   allows the user to convert Windows Security Identifiers (SIDs) to names
   and vice versa. The library also includes Python bindings.
 * A new option "ipa_dyndns_ttl" was added, allowing the client to set a
   custom TTL on IPA dynamic DNS updates.
 * A new "ignore_group_members" option was added. This option can be
   used to suppress downloading group members on group lookups, making the
   group lookups much faster for environments that do not need to know the
   group members.
 * A new option "ldap_rfc2307_fallback_to_local_users" was added. If this
   option is set to true, SSSD is able to resolve local group members of
   LDAP groups.
 * The "subdomain_homedir" configuration option gained a new template
   expansion "%F" that expands to the flat name (NetBIOS name) of the trusted
   AD domain.
 * The "full_name_format" option now accepts a new parameter that expands
   to the NetBIOS name of the domain.
 * The new "krb5_use_kdcinfo" option allows the administrator to disable
   the Kerberos locator plugin and rely on information read from the krb5.conf
   file completely.
 * A new option "ldap_disable_range_retrieval" was added. Switching this
   option to True skips large Active Directory groups that might otherwise
   take a long time to download and process.
 * A new option "refresh_expired_interval" was added. This option
   configures a background task that automatically refreshes entries
   that are nearing their expiration time. In this release, only refreshing
   netgroups is implemented.
 * Setting the SELinux context on the IPA server now also works for users
   coming from a trusted Active Directory domain.
 * Many internal interfaces were refactored, making the code more readable
   and maintainable in the long term. This refactoring includes the subdomains
   code, the sysdb interface as a whole, internal error code reporting,
   SELinux login context processing and processing of nested LDAP groups.

== Packaging changes ==
 * The shared components of the SSSD are now built as a shared library to
   reduce the amount of duplicated code being linked into multiple SSSD
   binaries and lower the disk usage of an SSSD installation.
 * The check that ensured that SSSD is running with the same ldb version it
   was built against was made optional, defaulting to false. You can enable the
   strict check again by selecting --enable-ldb-version-check during configure.
 * The SSSD python ConfigAPI was moved to its own noarch subpackage to
   make the SSSD packaging more compliant with the Fedora packaging guidelines.
 * The libsss_nss_idmap library and its Python bindings are packaged in
   separate subpackages.
 * The upstream RPM specfile now packages each provider separately. The SSSD
   daemon and the responders are now included in the sssd-common package,
   while the sssd package has become a "meta package" that Requires all the
   existing providers for backwards compatibility.
 * The libsss_sudo and libsss_autofs libraries are now part of the
   sssd-common package.

== Tickets fixed ==

https://fedorahosted.org/sssd/ticket/1199
    [RFE] Prune idle connections from responders
https://fedorahosted.org/sssd/ticket/1693
    sudoHost mismatch response is incorrect sometimes
https://fedorahosted.org/sssd/ticket/1806
    sssd_be goes to 99% CPU and causes significant login delays when client
    is under load
https://fedorahosted.org/sssd/ticket/1815
    "touch" krb5.conf file after installing new domain-realm mappings
https://fedorahosted.org/sssd/ticket/1847
    if there is no blank line at the end of /etc/sssd/sssd.conf, sssd
    won't start and you get an error in /var/log/messages about "sssd:
    Cannot load configuration database".
https://fedorahosted.org/sssd/ticket/1849
    improper use of negative value
https://fedorahosted.org/sssd/ticket/1863
    Dereference after a NULL check in krb5_child.c
https://fedorahosted.org/sssd/ticket/1871
    krb5 validation code always picks the first matching principal
https://fedorahosted.org/sssd/ticket/1873
    password migration is not working using sssd
https://fedorahosted.org/sssd/ticket/1886
    If previous SRV query failed, the next try might not be retried in
    some cases
https://fedorahosted.org/sssd/ticket/1894
    sssd_be crashes while processing ASQ dereference request
https://fedorahosted.org/sssd/ticket/1931
    cannot login to the 1st domain when 2 domains are configured in sssd
https://fedorahosted.org/sssd/ticket/1936
    GSSAPI working only on first login
https://fedorahosted.org/sssd/ticket/1947
    [abrt] sssd-1.10.0-4.fc19.beta1: get_server_status: Process
    /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
https://fedorahosted.org/sssd/ticket/1949
    SSH host keys are not removed from cache when host is deleted in IPA
https://fedorahosted.org/sssd/ticket/1953
    System error while trying to auth as an expired user
https://fedorahosted.org/sssd/ticket/1959
    Enhance sssd init script so that it would source a configuration
https://fedorahosted.org/sssd/ticket/1969
    dead code in SRV resolution
https://fedorahosted.org/sssd/ticket/1973
    Improve global catalog DNS SRV lookups
https://fedorahosted.org/sssd/ticket/1980
    SSSD service randomly dies
https://fedorahosted.org/sssd/ticket/1986
    SYSV init script should use @sbindir@
https://fedorahosted.org/sssd/ticket/1989
    Fix core dump in the PAC responder
https://fedorahosted.org/sssd/ticket/1995
    The PAC responder is contacted even for local IPA users.
https://fedorahosted.org/sssd/ticket/364
    [RFE] Recognize trusted domains in AD provider
https://fedorahosted.org/sssd/ticket/453
    Replace pam status codes with sssd specific codes
https://fedorahosted.org/sssd/ticket/812
    Support libnl 3.x
https://fedorahosted.org/sssd/ticket/902
    [RFE] Allow setting krb5_renew_interval with a delimiter
https://fedorahosted.org/sssd/ticket/1032
    [RFE] sssd should support DNS sites
https://fedorahosted.org/sssd/ticket/1033
    [RFE] implement a script/tool joining to the Active Directory domain
https://fedorahosted.org/sssd/ticket/1287
    compilation warnings with -O2
https://fedorahosted.org/sssd/ticket/1327
    When multiple values are assigned, sss_debuglevel should display a
    usage message
https://fedorahosted.org/sssd/ticket/1371
    Missing resolv.conf should be non-fatal
https://fedorahosted.org/sssd/ticket/1376
    [RFE] Add support for suppressing group members
https://fedorahosted.org/sssd/ticket/1405
    [RFE] Kerberos canonicalization should be skipped on password-changes
    in AD provider
https://fedorahosted.org/sssd/ticket/1414
    [RFE] Improve syslog message when configuration cannot be loaded
https://fedorahosted.org/sssd/ticket/1468
    [RFE] AD: Should be able to log in as long or short domains
https://fedorahosted.org/sssd/ticket/1476
    SSSD has a much longer TTL when updating a DNS record than IPA client
    install placed in the beginning
https://fedorahosted.org/sssd/ticket/1481
    Move sss_cache to the main subpackage
https://fedorahosted.org/sssd/ticket/1484
    failover should protect against empty host names
https://fedorahosted.org/sssd/ticket/1495
    include talloc log in our debug facility
https://fedorahosted.org/sssd/ticket/1504
    [RFE] AD dyndns updates
https://fedorahosted.org/sssd/ticket/1510
    Split providers into their own subpackages
https://fedorahosted.org/sssd/ticket/1557
    [RFE] Use the Global Catalog in SSSD for the AD provider
https://fedorahosted.org/sssd/ticket/1558
    [RFE] Use MS-PAC to retrieve user's group list
https://fedorahosted.org/sssd/ticket/1559
    [RFE] Use the getpwnam()/getgrnam() interface as a gateway to resolve
    SID to Names
https://fedorahosted.org/sssd/ticket/1575
    Change responder contexts hierarchy
https://fedorahosted.org/sssd/ticket/1586
    Make authtoken opaque objects
https://fedorahosted.org/sssd/ticket/1603
    [RFE] Send user principal together with the PAC to the pac responder
https://fedorahosted.org/sssd/ticket/1609
    [RFE] Subdomain homedir template should be configurable/use flatname
    by default
https://fedorahosted.org/sssd/ticket/1625
    Confusing error messages for invalid sssd.conf
https://fedorahosted.org/sssd/ticket/1643
    Refactor sysdb interface
https://fedorahosted.org/sssd/ticket/1648
    Fully qualified account names form should be able to use flatname in
    the fq format
https://fedorahosted.org/sssd/ticket/1660
    LDAP_CONTROL_X_DEREF: sssd should fallback if server returns
    LDAP_UNAVAILABLE_CRITICAL_EXTENSION error
https://fedorahosted.org/sssd/ticket/1712
    sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin
https://fedorahosted.org/sssd/ticket/1713
    [RFE] Add a task to the SSSD to periodically refresh cached entries
https://fedorahosted.org/sssd/ticket/1733
    [RFE] support autoconfiguring SUDO with ipa provider and compat tree
https://fedorahosted.org/sssd/ticket/1738
    Decrease the krb5_auth_timeout default value of 15
https://fedorahosted.org/sssd/ticket/1741
    sss_cache doesn't support subdomains
https://fedorahosted.org/sssd/ticket/1743
    selinux: move all logic to responder, provider should only update db
https://fedorahosted.org/sssd/ticket/1744
    selinux: reuse IPA_HBAC_REFRESH or provide an alternative
https://fedorahosted.org/sssd/ticket/1745
    Unnecessary output is seen when invalid option is passed to sss_cache
https://fedorahosted.org/sssd/ticket/1746
    sss_* tools with use_fully_qualified_names should require fqdn
https://fedorahosted.org/sssd/ticket/1747
    Refactor subdomain interfaces
https://fedorahosted.org/sssd/ticket/1756
    append new line to error string from poptStrerror()
https://fedorahosted.org/sssd/ticket/1763
    check the return values of sysdb_transaction_commit in sysdb tests
https://fedorahosted.org/sssd/ticket/1765
    remove the alt_db_path parameter of sysdb_init
https://fedorahosted.org/sssd/ticket/1766
    use an explanatory macro for checking if a domain is a subdomain
https://fedorahosted.org/sssd/ticket/1767
    unify sss_mc_set_recycled
https://fedorahosted.org/sssd/ticket/1771
    Negative cache messages are displayed at too low of a DEBUG level
https://fedorahosted.org/sssd/ticket/1772
    Rename or alias the SAFEALIGN macros
https://fedorahosted.org/sssd/ticket/1774
    move processing of password expiration back to PAM provider only
https://fedorahosted.org/sssd/ticket/1784
    rewrite nested group processing to follow the tevent_req coding style
https://fedorahosted.org/sssd/ticket/1785
    NSCD warning is irritating
https://fedorahosted.org/sssd/ticket/1786
    Use new interface from ding-libs ini interface
https://fedorahosted.org/sssd/ticket/1789
    ldap_access_order improvements (man page fix)
https://fedorahosted.org/sssd/ticket/1790
    Possible null dereference in ipa_subdomains.c
https://fedorahosted.org/sssd/ticket/1794
    reuse open_cloexec elsewhere in the code
https://fedorahosted.org/sssd/ticket/1797
    Use hardened flags for building RPMs
https://fedorahosted.org/sssd/ticket/1802
    [abrt] sssd-1.9.3-1.fc18: talloc_abort: Process /usr/libexec/sssd/sssd_be
    was killed by signal 6 (SIGABRT)
https://fedorahosted.org/sssd/ticket/1803
    SSSD returns System Error if the ccachedir is not writable
https://fedorahosted.org/sssd/ticket/1804
    Filter out inappropriate multicast and subnet broadcast addresses from
    IPA dynamic DNS update
https://fedorahosted.org/sssd/ticket/1805
    [RFE] Add a new override_homedir expansion for the "original value"
https://fedorahosted.org/sssd/ticket/1809
    Document that SSSD domains should only be named using ASCII characters
https://fedorahosted.org/sssd/ticket/1810
    Uninitialized scalar variable in responder_get_domain
https://fedorahosted.org/sssd/ticket/1811
    Unchecked return value in tests
https://fedorahosted.org/sssd/ticket/1812
    [RFE] make the get_next_domain() function a little more readable
https://fedorahosted.org/sssd/ticket/1813
    make the ldb check configurable
https://fedorahosted.org/sssd/ticket/1816
    Non-fatal errors looking up trusted domains with IPA back end
https://fedorahosted.org/sssd/ticket/1819
    Refresh doxygen template files
https://fedorahosted.org/sssd/ticket/1820
    sysdb unit tests uses system memberof
https://fedorahosted.org/sssd/ticket/1823
    getgrnam / getgrgid for large user groups is too slow due to range
    retrieval functionality
https://fedorahosted.org/sssd/ticket/1825
    Invalid assignment to enum
https://fedorahosted.org/sssd/ticket/1830
    make the authtok structure really opaque
https://fedorahosted.org/sssd/ticket/1831
    use the -v flag with nsupdate to force TCP transmission for better security
https://fedorahosted.org/sssd/ticket/1832
    [RFE] Provide a new option to update the reverse DNS zone in IPA domain
https://fedorahosted.org/sssd/ticket/1833
    segmentation fault in cmocka unit tests with raised optimization level
https://fedorahosted.org/sssd/ticket/1834
    Support for libini 1.0
https://fedorahosted.org/sssd/ticket/1838
    nss and pam clients broken in master
https://fedorahosted.org/sssd/ticket/1839
    Incorrect *.py[co] files placement
https://fedorahosted.org/sssd/ticket/1840
    Add --with-test-dir=/dev/shm to DISTCHECK_CONFIGURE_FLAGS
https://fedorahosted.org/sssd/ticket/1842
    Allow usage of enterprise principals
https://fedorahosted.org/sssd/ticket/1843
    Add exit value section to sss_ssh_* man pages
https://fedorahosted.org/sssd/ticket/1844
    add a call to calculate the range for a given domain SID to libsss_idmap
https://fedorahosted.org/sssd/ticket/1845
    move libsss_sudo and libsss_autofs back into the main sssd package
https://fedorahosted.org/sssd/ticket/1848
    unused parameter in ipa_selinux handler
https://fedorahosted.org/sssd/ticket/1860
    pidfile() may leak memory on error
https://fedorahosted.org/sssd/ticket/1861
    potential out-of-bounds-write in sss_idmap_sid_to_dom_sid
https://fedorahosted.org/sssd/ticket/1862
    negative return in files.c
https://fedorahosted.org/sssd/ticket/1864
    Bad comparisons in checks found by new Coverity instance
https://fedorahosted.org/sssd/ticket/1865
    Logically dead code in tools_util.c
https://fedorahosted.org/sssd/ticket/1867
    document that AD provider is always case insensitive
https://fedorahosted.org/sssd/ticket/1870
    wrong failure handler in sdap_get_map
https://fedorahosted.org/sssd/ticket/1877
    ding-libs.dhash: uninitialized pointer read
https://fedorahosted.org/sssd/ticket/1883
    Add a new option to disable the Kerberos locator plugin completely
https://fedorahosted.org/sssd/ticket/1888
    freeipa 3.2 trusted ad user not listed in external group
https://fedorahosted.org/sssd/ticket/1889
    coverity: dead code in sudo client
https://fedorahosted.org/sssd/ticket/1890
    SSSD doesn't display warning for last grace login.
https://fedorahosted.org/sssd/ticket/1891
    unite periodic refresh API
https://fedorahosted.org/sssd/ticket/1892
    In IPA AD trust setup, the sssd logs throws 'sysdb_search_user_by_name
    failed' error when AD user tries to login via ipa client.
https://fedorahosted.org/sssd/ticket/1897
    Authenticity of ipa server can't be established
https://fedorahosted.org/sssd/ticket/1900
    Uninitialized scalar variable in idmap.c
https://fedorahosted.org/sssd/ticket/1901
    confdb: possible double free in new ini module
https://fedorahosted.org/sssd/ticket/1905
    pysss_nss_idmap improvements
https://fedorahosted.org/sssd/ticket/1909
    Clarify the AD site discovery in sssd-ad man page
https://fedorahosted.org/sssd/ticket/1910
    Clarify that AD DNS updates are performed using GSS-TSIG
https://fedorahosted.org/sssd/ticket/1912
    SUDO is not working for users from trusted AD domain
https://fedorahosted.org/sssd/ticket/1913
    SSSD crashes during nsupdate if the client hostname can't be resolved
https://fedorahosted.org/sssd/ticket/1914
    pysss_nss_idmap: Support also Unicode strings and return them by default
https://fedorahosted.org/sssd/ticket/1915
    Turn on dyndns updates by default in the AD provider
https://fedorahosted.org/sssd/ticket/1921
    Login failure: Enterprise Principal enabled by default for AD Provider
https://fedorahosted.org/sssd/ticket/1922
    sssd_be crashes when looking up users in the LDAP provider with ID mapping
https://fedorahosted.org/sssd/ticket/1924
    MAN: Make it clear which address is used to update DNS records
https://fedorahosted.org/sssd/ticket/1927
    Provide a script to create a SRPM without having to run configure
https://fedorahosted.org/sssd/ticket/1928
    Libtool fails to find dependent libraries
https://fedorahosted.org/sssd/ticket/1929
    Junk character in sssd_domain.log for domain string when sssd tries
    to go online from offline mode
https://fedorahosted.org/sssd/ticket/1930
    Crash with negative values in ldap_idmap_range_size
https://fedorahosted.org/sssd/ticket/1934
    sssd crashes if junk is present in sssd.conf
https://fedorahosted.org/sssd/ticket/1950
    segfault while processing ASQ request
https://fedorahosted.org/sssd/ticket/1951
    NetBIOS domain name should be read at startup
https://fedorahosted.org/sssd/ticket/1971
    Dereference before NULL check in nscd.c
https://fedorahosted.org/sssd/ticket/1972
    Dereference after a NULL check in tests/common_dom.c
https://fedorahosted.org/sssd/ticket/1976
    Copy-n-paste error in AD provider

== Detailed Changelog ==
Abhishek Singh (4):
     * filename in comment is corrected
     * cmocka unittest for find_uid added
     * cmocka unittest for io added
     * Fix segmentation fault in test_io.
 
Ariel Barria (4):
     * Improve syslog message when configuration cannot be loaded
     * Allow setting krb5_renew_interval with a delimiter
     * Confusing error messages for invalid sssd.conf
     * Removing BUILD.txt content
 
Jakub Hrozek (144):
     * Bump version to 1.10dev
     * Require ar in configure.ac
     * TESTS: Fix a couple of debug-level setters
     * SYSDB: Remove unused macros
     * LDAP: Remove double break
     * Indentation fix
     * Bump the version and reset release back to 0
     * tests: add a unit test for sysdb_netgroup_base_dn
     * tests: unit test for test_sysdb_search_users
     * tests: add a unit test for test_sysdb_search_groups
     * tests: test sysdb_initgroups
     * tests: add unit test for sysdb_get_new_id
     * tests: unit test for sysdb_remove_attrs
     * TOOLS: set domain in check_group_names
     * Fix code style
     * Don't use srcdir with tests
     * krb5: include backwards compatible declaration of krb5_trace_info
     * LDAP: Check for authtok validity
     * Filter out multicast addresses from IPA DNS updates
     * Lower the DEBUG level if an entry cannot be deleted from memcache
     * Fix the krb5 password expiration warning
     * Remove enumerate=true from man sssd-ldap
     * Do not process success case in an else
     * Revert "Add debug message to autofs client"
     * Don't treat 0 as default for pam_pwd_expiration warning
     * Remove unused functions
     * Use the correct memory context in be_req_create
     * Check the return value of sysdb_search_services
     * Detect the presence of libcmocka during configure
     * Add utility functions for tests that use sysdb or tevent.
     * Move sss_cmd_execute from client to responder code.
     * CMocka based test for the NSS responder
     * Retry the correct service on krb5 child timeout
     * Remove duplicate remake from bashrc_sssd
     * Provide a be_get_account_info_send function
     * Add unit tests for simple access test by groups
     * Do not compile main() in DP if UNIT_TESTING is defined
     * Resolve GIDs in the simple access provider
     * Return error code from ipa_subdom_store
     * Move signal.m4 from src/util to external
     * Document what does access_provider=ad do
     * Include config.h to build io.c on RHEL5
     * selinux: Remove unused parameter
     * Updating the translations for the 1.10 alpha release
     * Updating the version for the 1.10 beta1 release
     * krb5 child: Use the correct type when processing OTP
     * pidfile(): Do not leak fd on error
     * Fix potential out-of-bounds write in sss_idmap_sid_to_dom_sid
     * Return errno, not -1 on failure in files.c
     * Check for correct variable name
     * Init failover with be_res options
     * Centralize resolv_init, remove resolv context list
     * dyndns: Fix initializing sdap_id_ctx
     * Check for the correct variables
     * Allocate PAM DP request data on responder context
     * LDAP: Always fail if a map can't be found
     * Put the override_homedir into an included xml file
     * Allow using flatname for subdomain home dir template
     * Fix simple access group control in case-insensitive domains
     * Make leak checks usable in tests that do not utilize check
     * tests: Fix the order of key/values
     * LDAP: do not invalidate pointer with realloc while processing ghost users
     * Convert the simple access check to new error codes
     * tests: Link the simple access tests with -ldl
     * Do not keep growing event context
     * Document the naming convention for SSSD domains
     * Document that the AD provider is case-insensitive
     * selinux: if no domain matches, make the debug message louder
     * Only try to relink ghost users if we're not enumerating
     * Display the last grace warning, too
     * Refactor dynamic DNS updates
     * Convert IPA-specific options to be back-end agnostic
     * dyndns: new option dyndns_refresh_interval
     * resolver: Return PTR record as string
     * dyndns: New option dyndns_update_ptr
     * dyndns: new option dyndns_force_tcp
     * dyndns: new option dyndns_auth
     * Split out the common code from timed DNS updates
     * Active Directory dynamic DNS updates
     * AD: Always initialize ID mapping
     * Only check UPN if enterprise principals are not used
     * Updating the translations for the 1.10 beta1 release
     * Update the version for the 1.10 beta2 release
     * Actually use the index parameter in resolv_get_sockaddr_address_index
     * Fix a typo in sssd-ad man page
     * tests: Do not set cwd twice
     * Enable the AD dynamic DNS updates by default
     * man: Clarify that AD dyndns updates are secured using GSS-TSIG
     * LDAP: Always initialize idmap object
     * Re-add a useful DEBUG message
     * man: Clarify the AD site discovery documentation
     * man: Note that IPA updates are secured with GSS-TSIG
     * Remove unneeded parameter of setup_child and namespace it
     * Fix dyndns timer initialization
     * IPA: Check for ENOMEM
     * Remove unneeded comment
     * FO: Fix setting status of duplicates
     * AD dyndns: extract the host name from URI
     * Add utility functions for formatting fully-qualified names
     * Check the validity of FQname format prior to using it
     * Allow flat name in the FQname format
     * Remove branching to improve readability
     * tests: Link fqnames_tests with libsss_test_common.la
     * Do not obfuscate calls with booleans
     * LDAP: sdap_id_ctx might contain several connections
     * LDAP: Refactor account info handler into a tevent request
     * LDAP: Pass in a connection to ID functions
     * LDAP: new SDAP domain structure
     * LDAP: return sdap search return code to ID
     * Move domain_to_basedn outside IPA subtree
     * New utility function sss_get_domain_name
     * LDAP: split a function to create search bases
     * LDAP: store FQDNs for trusted users and groups
     * Split generating primary GID for ID mapped users into a separate function
     * LDAP: Do not store separate GID for subdomain users
     * AD: Add additional service to support Global Catalog lookups
     * AD ID lookups - choose GC or LDAP as appropriate
     * AD: Store trusted AD domains as subdomains
     * rpm: Fold libsss_sudo and libsss_autofs back into the main SSSD package
     * dyndns: Fix NULL check
     * man: document the need to set ldap_access_order
     * A new option krb5_use_kdcinfo
     * Fix allocation check in the AD provider
     * rpm: Use hardened flags for RPM build
     * rpm: Split providers into separate subpackages
     * Update transifex URL to transifex.com
     * Updating translations for the 1.10 beta2 release
     * Bumping the version for the 1.10 final release
     * Use the correct talloc context when creating AD subdomains
     * AD: Fix segfault in DEBUG message
     * AD: Remove ad_options->auth options reference
     * rpm: couple of small fixes
     * Fix allocation check
     * Fix dp_copy_options
     * FO: Check the return value of send_fn
     * LDAP: Retry SID search based on result of LDAP search, not the return code
     * IPA: Do not download or store the member attribute of host groups
     * AD: kinit with the local DC even when talking to a GC
     * KRB5: guess UPN for subdomain users
     * AD: Write out domain-realm mappings
     * Fix compilation warning
     * Update the translations for the 1.10.0 release
     * Update the version for the 1.10.0 release
     * Updating the version for the 1.10.1 release
 
James Hogarth (1):
     * Make TTL configurable for dynamic dns updates
 
Jan Cholasta (8):
     * LDAP: If deref search fails, try again without deref
     * Add exit status section to sss_ssh_* man pages
     * UTIL: Add function sss_names_init_from_args
     * SSH: Fix parsing of names from client requests
     * SSH: Use separate field for domain name in client requests
     * SSH: Do not skip domains with use_fully_qualified_names in host key requests
     * SSH: When host is removed from LDAP, remove it from the cache as well
     * SSH: Update known_hosts file after unsuccessful requests as well.
 
Jan Engelhardt (1):
     * sysdb: try dealing with binary-content attributes
 
John Hodrien (1):
     * Correct sss_ssh_knowhostsproxy typo in man pages
 
Kamil Dudka (1):
     * sssd-1.8.0: work around a bug in cov-build from Coverity
 
Lukas Slebodnik (37):
     * Improved readability of get_next_domain()
     * Fixed typo in debug message.
     * Removing unused parameter type from sudosrv_get_sudorules_query_cache()
     * Reuse sss_open_cloexec at other places in code.
     * More generalized function open_debug_file_ex()
     * Removing unused header file providers.h
     * Fix sss_client breakage.
     * Removing unused declaration of functions and variable.
     * Making the ldb check configurable
     * Fixing duplicate const
     * Reusing create_pam_data() on the other places.
     * Making the authtok structure really opaque.
     * LDAP: Fix value initialization warnings
     * Incorrect *.py[co] files placement
     * Fix krbcc dir creation issue with MIT krb5 1.11
     * Default TEST_DIR to cwd, not empty string if not set explicitly
     * SUDO: IPA provider
     * Fixes compilation without selinux.
     * Fix broken build with selinux.
     * Fix segfault in AD Subdomains Module
     * Fixing critical format string issues.
     * Adding script to create a SRPM
     * Removing unused functions.
     * Adding option to disable retrieving large AD groups.
     * Making order in tests.
     * Remove empty directories after tests run.
     * Prevent segfault while processing ASQ request
     * Fix compilation with disabled link_all_deplibs.
     * Use deep copy for dns_domain and discovery_domain
     * Fix dereference after a NULL check in tests.
     * Change order of libraries in linking process.
     * Fix wrong detection of krb5 ccname
     * Every time return directory for krb5 cache collection.
     * Do not switch to credentials every time.
     * Add missing argument to DEBUG message
     * Handle too many results from getnetgr.
     * Do not call sss_cmd_done in function check_cache.
 
Michal Zidek (22):
     * sss_debuglevel: Multiple arguments are treated as error.
     * Include talloc log in our debug facility
     * failover: Protect against empty host names
     * sss_cache: Call DEBUG_INIT sooner
     * tools: Respect use_fully_qualified_names
     * Possible null dereference in ipa_subdomains.c.
     * Unchecked return value in files.c
     * Use the same dbg level for all ncache hits.
     * Remove the alt_db_path parameter of sysdb_init
     * File descriptor leak in nss responder.
     * Debug message in sss_mc_create_file.
     * Move SELinux processing to provider.
     * Reuse cached SELinux mappings.
     * Make the SELinux refresh time configurable.
     * tests: Print warning if LDB_MODULES_PATH is not set
     * Check for waitpid failure at wrong place.
     * Wrong condition after waitpid.
     * sss_cache: support for subdomains
     * sss_cache: Remove annoying messages
     * Inform about function duplication.
     * libsss_idmap: function to calculate range
     * Rename SAFEALIGN macros.
 
Milan Cejnar (1):
     * tools: append new line to string from poptStrerror()
 
Nathaniel McCallum (1):
     * Add support for krb5 1.11's responder callback.
 
Ondrej Kos (25):
     * MAN: quotation fix
     * Display more information on DB version mismatch
     * SYSDB: split sysdb_add_user
     * TESTS: Fix coverity issues 13126, 13127
     * TESTS: include error message on fail
     * Fix uninitialized time_t var in responder
     * krb5_child: fix value type and initialization
     * Fix initialization of multiple variables
     * Fix coverity issue 13136
     * Decrease krb5_auth_timeout default
     * Update README file
     * LDAP: Fix value initialization
     * Provide libnl3 support
     * DB: Switch to new libini_config API
     * CONFDB: prevent double free
     * IDMAP: Fix variable initialization
     * Fix segfault in DYNDNS
     * DB: Fix segfault when configuration file cannot be parsed
     * Move nscd.c from tools to util
     * Check NSCD configuration file
     * Fail with misconfigured id-mapping ranges
     * MAN: state default dyndns interface
     * DB: Don't add invalid ranges
     * Don't test for NULL in nscd config check
     * KRB: Handle preauthentication error correctly
 
Paul B. Henson (1):
     * Add ignore_group_members option.
 
Pavel Březina (63):
     * sudo: do not hardcode protocol version
     * fix -O3 variable may be uninitialized warnings
     * sudo: print message if old protocol is used
     * sudo manpage: clarify that sudoHost may contain wildcards and not regular expression
     * use talloc_zfree when freeing rhostent in resolver
     * set ret to EOK after for loop in sdap_sudo_purge_sudoers
     * Fix LDAP authentication - invalid password length
     * set struct bet_info->bet_type
     * krb: recreate ccache if it was deleted
     * dp: check whether hostid backend is configured before filing be request
     * get_next_domain() test dom->parent->next for NULL
     * subdomains: replace invalid characters with underscore in krb5 mapping file name
     * if selinux is disabled, ignore that selogin dir is missing
     * sdap_fill_memberships: continue if a member is not found in sysdb
     * Add debug message to autofs client
     * autofs: fix invalid header 'number of entries' in packet
     * build: require libcmocka on fedora 18+
     * fix segfault in nss responder unit test
     * krb5-utils-tests: remove invalid condition
     * correct order in error_to_str table
     * do not leak memory on failure in *_process_init()
     * change responder contexts hierarchy
     * coding style fix
     * refactor nested group processing: add new code
     * refactor nested group processing: replace old code
     * resolv: add resolv_get_domain request to resolv utils
     * resolv: add resolv_discover_srv request to resolv utils
     * DNS sites support - SRV lookup plugin interface
     * DNS sites support - SRV DNS lookup plugin
     * fail over - add function to insert multiple servers to the list
     * DNS sites support - replace SRV lookup code with a plugin call
     * DNS sites support - use SRV DNS lookup plugin in all providers
     * DNS sites support - add IPA SRV plugin
     * sudo client: remove dead code
     * add fo_discover_servers request
     * IPA SRV plugin: use fo_discover_servers request
     * IPA SRV plugin: improve debugging
     * sdap: add sdap_connect_host request
     * add sss_ldap_encode_ndr_uint32
     * DNS sites support - add AD SRV plugin
     * dns srv plugin: compare domain names case insensitive
     * AD SRV plugin: check if site name is empty
     * fo_discover_servers_send: don't crash when backup_domain is NULL
     * sudo responder: search rules for subdomains in parent domain subtree
     * back end: periodic task API
     * back end: periodical refresh of expired records API
     * back end: add refresh expired records periodic task
     * providers: refresh expired netgroups
     * be_ptask: send and recv shadow a global declaration
     * be_refresh: send and recv shadow a global declaration
     * failover: set state->out when meta server remains in SRV_RESOLVE_ERROR
     * subdomains: touch krb5.conf when creating new domain-realm mappings
     * nested groups: allocate more space if deref returns more members
     * handle ERR_ACCOUNT_EXPIRED properly
     * nested groups: do not return ENOMEM if num_groups is 0
     * nested groups: do not expect any particular number of groups
     * failover: do not return invalid pointer when server is already present
     * failover: return error when SRV lookup returned only duplicates
     * collapse_srv_lookup may free the server, make it clear from the API
     * failover: if expanded server is marked as neutral, invoke srv collapse
     * init script: source /etc/sysconfig/sssd
     * fix dead code in fail_over_srv.c
     * sudo responder: use different callback for oob refresh
 
Simo Sorce (132):
     * Add helpers to set common mc record fields
     * Save errno before it might be modified.
     * Revert "Avoid accessing half-deallocated memory when using talloc_zfree macro."
     * Avoid duplicating macros
     * Avoid const warnings when deallocating memory
     * Fix tevent_req style for krb5_auth
     * Fix ipa_subdomain_id names and tevent_req style
     * Fix tevent_req style for get_netgroup in ipa_id
     * Streamline ipa_account_info handler
     * Use an entry type mask macro to filter entry types
     * Fix comment on wrong line
     * Remove redundant definition.
     * Fix tevent_req style for sdap_async_sudo.
     * Remove unhelpful vtable from sss_cache
     * Remove dead netgroup functions
     * Revert "Add a default section to a switch-statement"
     * Add sysdb_search_service() helper function
     * Use sysdb_search_service() for all svc queries
     * Fix sdap reinit.
     * Code can only check for cached passwords
     * Add function to safely wipe memory.
     * Add authtok utility functions.
     * Change pam data auth tokens.
     * Use new sysdb_search_service() in sss_cache
     * The Big sysdb/domain split-up!
     * Refactor sysdb initialization
     * Refactor single domain initialization
     * Remove the sysdb_ctx_get_domain() function.
     * Make sysdb_user_dn() require a domain explicitly.
     * Make sysdb_group_dn() require a domain explicitly.
     * Make sysdb_netgroup_dn() require a domain explicitly.
     * Make sysdb_netgroup_base_dn() require a domain.
     * Make sysdb_domain_dn() require a domain.
     * Make sysdb_custom_dn() require a domain.
     * Make sysdb_custom_subtree_dn() require a domain.
     * Move range objects into their own top-level tree.
     * Upgrade DB and move ranges into top level object
     * Pass domain to sysdb_get<pw/gr>nam() functions
     * Pass domain to sysdb_get<pwu/grg><id() functions
     * Pass domain to sysdb_enum<pw/gr>ebt() functions
     * Add domain option to sysdb_get/netgr/attrs() fns
     * Add domain argument to sysdb_initgroups()
     * Add domain argument to sysdb_get_user_attr()
     * Add domain to sysdb_search_user_by_name()
     * Add domain to sysdb_search_user_by_uid()
     * Add domain to sysdb_search_group_by_name()
     * Add domain to sysdb_search_group_by_gid()
     * Add domain arg to sysdb_search_netgroup_by_name()
     * Add domain argument to sysdb_set_user_attr()
     * Add domain argument to sysdb_set_group_attr()
     * Add domain argument to sysdb_set_netgroup_attr()
     * Add domain argument to sysdb_get_new_id()
     * Add domain argument to sysdb_add_basic_user()
     * Add domain argument to sysdb_add_user()
     * Add domain arguments to sysdb_add_group functions.
     * Add domain arguments to sysdb_add_inetgroup fns.
     * Add domain argument to sysdb_store_user()
     * Add domain argument to sysdb_store_group()
     * Add domain arg to sysdb group member functions
     * Add domain argument to sysdb_cache_password()
     * Add domain argument to sysdb_cache_auth()
     * Add domain argument to sysdb_store_custom()
     * Add domain argument to sysdb_search_custom()
     * Add domain to sysdb_delete_custom
     * Add domain arg to sysdb_search_users()
     * Add domain argument to sysdb_delete_user()
     * Add domain argument to sysdb_search_groups()
     * Add domain argument to sysdb_delete_group()
     * Add domain arg to sysdb_search/delete_netgroup()
     * Add domain argument to sysdb_has/set_enumerated()
     * Add domain argument to sysdb_remove_attrs()
     * Add domain argument to sysdb_idmap_ functions
     * Add domain argument to sysdb_get_real_name()
     * Add domain argument to sysdb autofs functions
     * Add domain argument to sysdb selinux functions
     * Add domain arguments to sysdb services functions
     * Add domain arguments to sysdb ssh functions
     * Add domain arguments to sysdb sudo functions
     * Add domain to some subdomain functions
     * Pass the domain to upgrade functions
     * Move mpg flag to the domain where it belongs
     * Kill sysdb->domain
     * Stop creating fake sysdb contexts
     * Tidy up BASE dn macros
     * Remove outdated code.
     * Move ldap provider access functions
     * Remove sysdb as a be context structure member
     * Remove sysdb as a be request structure member
     * Remove sysdb argument from ipa_host_info_send()
     * Remove unused structure
     * Remove sysdb argument from hbac_user_attrs_to_rule()
     * Remove sysdb arg from hbac_service_attrs_to_rule()
     * Remove sysdb arg from hbac_*host_attrs_to_rule()
     * Remove sysdb arg from ipa_hbac_service_info_send()
     * Remove sysdb arg from [ipa_]hbac_sysdb_save()
     * Remove sysdb argument from hbac_get_cached_rules()
     * Remove hbac_ctx_sysdb()
     * Remove hbac_ctx_be()
     * Remove hbac_ctx_ev()
     * Remove hbac_ctx_sdap_id_[ctx|op]()
     * Move hbac_ctx_is_offline()
     * Do not pass NULL to ipa_subdomain_retrieve()
     * Split simple_access_check function out
     * Pass domain not be_req to access check functions
     * Remove domain from be_req structure
     * Introduce be_req_terminate() helper
     * Add be_req_create() helper
     * Add be_req_get_be_ctx() helper.
     * Add be_req_get_data() helper function.
     * Make struct be_req opaque
     * Add realm info to sss_domain_info
     * Avoid sysdb_subdom in sysdb_get_subdomains()
     * Update main domain info in place
     * Refactor sysdb_master_domain_add_info()
     * Add sysdb_subdomain_store() function
     * Remove sysdb_subdom completely
     * Add function get_next_domain()
     * Add ability to disable domains
     * Change the way domains are linked.
     * Parent and subdomains use the same sysdb
     * Introduce IS_SUBDOMAIN() macro
     * krb5_child style fix
     * Refactor krb5 child
     * Add SSSD specific error codes and definitions
     * Use SSSD specific errors for offline auth
     * Return ERR_INTERNAL instead of EIO
     * Cleanup error message handling for krb5 child
     * Improve IS_SSSD_ERROR() macro
     * Use common error facility instead of sdap_result
     * Convert sdap_access to new error codes
     * ldap: Fallback option for rfc2307 schema
     * Further restrict become_user drop of privileges.
 
Stef Walter (1):
     * Add a domain config attribute for realmd
 
Stephen Gallagher (13):
     * LDAP: Better debug logging when saving groups
     * Correct format security for talloc_named of auth tokens
     * Fix minor grammar error in log
     * NSS: Add original homedir to home directory template options
     * BUILD: Build shared components as an internal shared library
     * BUILD: Add contributed macros and aliases to simplify building
     * BUILD: Include build aliases in the tarball
     * BUILD: Fix cmocka detection
     * BUILD: Fix up whitespace in Makefile.am
     * BUILD: Always run distcheck and RPM tests in /dev/shm
     * Remove old hash support from example spec
     * Add 'description' attribute to SSSDConfig API
     * Configure SYSV init scripts properly
 
Sumit Bose (54):
     * Add a default section to a switch-statement
     * Fix and rename get_my_domain_data()
     * Refactoring: remove duplicated code in nss responder
     * Allow usage of enterprise principals
     * Make IPA SELinux provider aware of subdomain users
     * Add override_homedir.xml to po4a.cfg
     * Remove unused TALLOC_CTX from responder_get_domain()
     * responder_get_domain: do not return disabled domains
     * responder_get_domain(): remove timeout calculation
     * LDAP: always store SID if available
     * Add secid filter to responder-dp protocol
     * Add two new request types to the data-provider interface
     * Add idmap context to nss context
     * Add responder_get_domain_by_id()
     * sysdb: add sysdb_search_object_by_sid()
     * Add sss_ncache_set_sid() and sss_ncache_check_sid()
     * Remove unused attribute list
     * Use struct to hold different types of request parameters
     * Add SID related lookups to IPA subdomains
     * Add SID related calls to the NSS responder
     * Add client library for SID related lookups
     * Add python interface to libsss_nss_idmap
     * AD: read flat name and SID of the AD domain
     * Add missing \n to debug string
     * Fix missing initialization in Python bindings for libsss_nss_idmap
     * Add support for tuples and unicode pysss_nss_idmap.so
     * Always update cached upn if enterprise principals are used
     * Fix return code for AD subdomain request
     * pysss_nss_idmap: do not treat strings as sequences
     * IPA: Always initialize ID mapping
     * Handle SID strings in sdap_attrs_get_sid_str() as well
     * IPA: read user and group SID
     * Add SID related requests to the LDAP provider
     * Set canonicalize flag if enterprise principals are used
     * Lookup domains at startup
     * Add be request queue
     * Use queue for get_subdomains
     * Read SIDs of groups with sysdb_initgroups() as well
     * Enhance PAC responder for AD users
     * Intermittent fix for get_user_and_group_users_done
     * Always send the PAC to the PAC responder
     * Implicitly activate the PAC responder for AD provider
     * Fix some doxygen warnings
     * Use principal from the ticket to find validation entry
     * Set default realm for enterprise principals
     * PAC: do not expect that sysdb_search_object_by_sid() return ENOENT
     * PAC: do not delete originalDN or cached password if present
     * KRB5: use the right authtok type for renewals
     * Fix typo in pack_authtok()
     * Revert "Always send the PAC to the PAC responder"
     * krb5: do not send pac for IPA users from the local domain
     * krb5: do not use enterprise principals for renewals
     * Revert "Implicitly activate the PAC responder for AD provider"
     * Use forest for GC SRV lookups
 
Thorsten Scherf (1):
     * Updated Doxygen configuration to 1.8.1
 
Yuri Chornoivan (3):
     * Fix typos in man pages
     * Fix minor typos
     * Fix minor typos



