[Freeipa-interest] Announcing SSSD 1.11.2

Jakub Hrozek jhrozek at redhat.com
Wed Oct 30 23:25:38 UTC 2013


                      === SSSD 1.11.2 ===

The SSSD team is proud to announce the release of version 1.11.2 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* A new option ad_access_filter was added. This option allows the
  administrator to easily configure an LDAP search filter that users logging
  in must match in order to be granted access
* Group resolution now supports resolving group members from different
  trusted AD domains in a single forest
* A bug that prevented a configuration file with trailing spaces from being
  loaded was fixed
* SSSD no longer crashes if the LDAP connection is terminated while LDAP
  requests are still in progress
* Several important bugs related to the Global Catalog support were fixed:
   * SSSD now correctly falls back to LDAP lookups in case the Global Catalog
     is not reachable
   * If the AD servers were specified using the ad_server option and not
     autodiscovered, server fail over did not work correctly with 1.11.1
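A sssd.conf fragment showing the new ad_access_filter option in context, added
here as an illustration and not taken from the announcement or the SSSD
sources; the domain name and group DN are constructed placeholders:

```ini
# /etc/sssd/sssd.conf (constructed example, not from the announcement)
[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
# ad_access_filter is only evaluated when access control is delegated
# to the AD provider; with any other access_provider it is ignored
access_provider = ad
# only users matching this LDAP filter are allowed to log in
# (group DN is a constructed placeholder)
ad_access_filter = (memberOf=cn=linux-admins,ou=groups,dc=ad,dc=example,dc=com)
# decimal debug level, as the 1.11.2 documentation now recommends
debug_level = 6
```

A filter that never matches (for example because of a typo in the DN) denies
every user, so verify the change with a test account before rolling it out.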

== Feature removal ==

* The Kerberos provider is no longer able to create public directories
  when evaluating the krb5_ccachedir option. This is a backwards-incompatible
  change. Creating public directories is something the system administrator
  should perform in order for the directories to have the correct permissions
  and allow the authentication daemon to create user directories as private
  only.

== Documentation Changes ==

* The decimal debug levels are now recommended instead of the advanced
  hexadecimal levels, which are more suitable for developers

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1968
    Memory grows if subdomain goes away in the AD provider
https://fedorahosted.org/sssd/ticket/2030
    getent response requires sssd restart after trust add
https://fedorahosted.org/sssd/ticket/2064
    ad: unable to resolve membership when user is from different domain than group
https://fedorahosted.org/sssd/ticket/2071
    Ccache directory creation leads to unexpected results
https://fedorahosted.org/sssd/ticket/2082
    [RFE] Add a new option ad_access_filter
https://fedorahosted.org/sssd/ticket/2092
    Group lookup is not returned immediately after service startup
https://fedorahosted.org/sssd/ticket/2100
    sudo responder does not support specifying just one of sudoNotBefore/sudoNotAfter
https://fedorahosted.org/sssd/ticket/2101
    Use idrange of forest root if there is none for a member domain and type is ipa-ad-trust-posix
https://fedorahosted.org/sssd/ticket/2104
    AD provider should fall back the LDAP if Global Catalog is not reachable
https://fedorahosted.org/sssd/ticket/2105
    Do not show 'Could not add new domain' error messages if ldap_id_mapping=false
https://fedorahosted.org/sssd/ticket/2112
    Coverity reported potential NULL dereference
https://fedorahosted.org/sssd/ticket/2116
    SID lookups are not handled if noexist_delete flag is set
https://fedorahosted.org/sssd/ticket/2121
    ipa ad trusted user lookups failed with sssd_be crash
https://fedorahosted.org/sssd/ticket/2123
    Creating system accounts on a IdM client takes up to 10 minutes when AD trust is configured in the IdM.
https://fedorahosted.org/sssd/ticket/2124
    sssd_nss exited abnormally and generated core files.
https://fedorahosted.org/sssd/ticket/2126
    sssd_be segfault when authenticating against active directory
https://fedorahosted.org/sssd/ticket/2131
    NSS responder doesn't qualify memberuid and ghost users of groups that contain members from different domains

== Detailed Changelog ==

Jakub Hrozek (23):
  * Updating the version for the 1.11.2 release
  * krb5: Fix unit tests
  * INI: Disable line-wrapping functionality
  * KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user
  * PROXY: Fix memory hierarchy when enumerating services
  * Inherit ID limits of parent domains if set
  * SYSDB: Add sysdb_delete_by_sid
  * LDAP: Delete entry by SID if not found
  * LDAP: Amend sdap_access_check to allow any connection
  * LDAP: Parse FQDN into name/domain for subdomain users
  * AD: Add a new option ad_access_filter
  * AD: Use the ad_access_filter if it's set
  * AD: Search GC by default during access control, fall back to LDAP
  * AD: Add extended access filter
  * TEST: Test getgrnam with emphasis on members
  * NSS: Print FQDN for groups with mixed domain membership
  * KRB5: Handle ERR_CHPASS_FAILED
  * NSS: Fix service enumeration
  * MAN: Document that krb5 directories can only be created as private
  * LDAP: Check all search bases during nested group processing
  * NSS: Fix parenthesis
  * AD: Fix ad_access_filter parsing with empty filter
  * Updating translation for the 1.11.2 release

Lukas Slebodnik (9):
  * LDAP: Set default value for dyndns update to false
  * krb5: Remove warning dereference of a null pointer
  * krb5: Use right function to free data.
  * AD: Prefer GC port from SRV record
  * AD: fall back to LDAP if GC is not available.
  * tests: Use right format string for type size_t
  * Makefile: Add missing libraries
  * Makefile: Remove unused variable TEST_MOCK_OBJ
  * LDAP: Return correct error code

Pavel Březina (23):
  * sudo: allow specifying only one time restriction
  * sudo: improve time restrictions debug messages
  * nss: wait for initial subdomains request to finish
  * subdomains: first destroy ptask then remove sdom
  * dp: make subdomains refresh interval configurable
  * dp: store list of ongoing requests
  * utils: add ERR_DOMAIN_NOT_FOUND error code
  * dp: set request domain
  * dp: add function to terminate request of specific domain
  * dp: free sdap domain if subdomain is removed
  * be_ptask: add be_ptask_create_sync()
  * dp: convert cleanup task to be_ptask
  * ipa: destroy cleanup task when subdomain is removed
  * ad: destroy ptasks when subdomain is removed
  * sdap_save_user: try to determine domain by SID
  * sdap_save_group: try to determine domain by SID
  * free sid obtained from sss_idmap_unix_to_sid()
  * ad: shortcut if possible during get object by ID or SID
  * sdap: store base dn in sdap_domain
  * sdap: add sdap_domain_get_by_dn()
  * ghosts: pick correct domain for every member
  * sdap_fill_memberships: pick correct domain for every member
  * nested groups: pick correct domain for cache lookups

Simo Sorce (1):
  * krb5: Remove ability to create public directories

Stephen Gallagher (4):
  * SYSDB: Fix incorrect DEBUG message
  * MAN: Clarify debug level documentation
  * MAN: Reflow debug_levels.xml
  * BUILD: Update bashrc macros

Sumit Bose (17):
  * AD: properly initialize GC from ad_server option
  * LDAP: handle SID requests if noexist_delete is set
  * IPA server mode: properly initialize ext_groups
  * idmap: add internal function to free a domain struct
  * idmap: fix a memory leak if a collision is detected
  * idmap: allow ranges with external mapping to overlap
  * sdap_idmap: add sdap_idmap_get_configured_external_range()
  * sdap_idmap: properly handle ranges for external mappings
  * Add unconditional online callbacks
  * IPA: add callback to reset subdomain timeouts
  * sdap_get_generic_ext_send: check if we are still connected
  * find_subdomain_by_sid: skip domains with missing domain_id
  * idmap: add sss_idmap_domain_by_name_has_algorithmic_mapping()
  * sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
  * IPA: add trusted domains with missing idrange
  * ad_subdom_store: check ID mapping of the domain not of the parent
  * be_spy_create: free be_req and not the long living data
