[Freeipa-interest] Announcing SSSD 1.11.4

Jakub Hrozek jhrozek at redhat.com
Mon Feb 17 19:47:19 UTC 2014


                        === SSSD 1.11.4 ===

The SSSD team is proud to announce the release of version 1.11.4 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* This release focuses primarily on bug fixes, especially for use cases
  where SSSD is acting as an Active Directory client
* The simple access provider supports specifying users and groups using
  their NetBIOS domain name (such as `DOMAIN\username`)
* Support for enumerating users and groups from trusted AD domains was
  added to the AD provider
* The Active Directory site discovery was made more robust for configurations
  which use multiple trusted domains
* Several bugs in the LDAP provider that affected setups which mapped
  Windows SIDs to POSIX IDs were fixed
* The SSSD is now able to use One Time Password (OTP) authentication
  configured on an IPA server. Please note that this functionality is not
  present in the released FreeIPA versions yet

== Documentation Changes ==

* The `krb5_use_fast` option changes its default from `never` to `try` in the
  IPA provider. The config option value did not change in the other providers.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/2142
   AD Enumeration reads data from LDAP while regular lookups connect to GC
https://fedorahosted.org/sssd/ticket/2152
   Implement heuristics to detect if POSIX attributes have been replicated
   to the Global Catalog or not
https://fedorahosted.org/sssd/ticket/2160
   sssd_be crashes when ad_access_filter uses FOREST keyword.
https://fedorahosted.org/sssd/ticket/2164
   "System Error" when invalid ad_access_filter is used
https://fedorahosted.org/sssd/ticket/2169
   RHEL7 sssd not setting IPA AD trusted user homedir
https://fedorahosted.org/sssd/ticket/2172
   Enabling ldap_id_mapping doesn't exclude uidNumber in filter
https://fedorahosted.org/sssd/ticket/2186
   FAST does not work in SSSD 1.11.2 in Fedora 20
https://fedorahosted.org/sssd/ticket/2189
   Access denied for users from gc domain when using format DOMAIN\user
https://fedorahosted.org/sssd/ticket/2190
   Group membership lookup issue
https://fedorahosted.org/sssd/ticket/2191
   Group lookup does not return member with multiple names after user lookup
https://fedorahosted.org/sssd/ticket/2196
   sssd ad trusted sub domain do not inherit fallbacks and overrides settings
https://fedorahosted.org/sssd/ticket/2199
   sssd_be crashes when ldap_search_base cannot be parsed.
https://fedorahosted.org/sssd/ticket/2200
   sssd_be aborts a request if it doesn't match any configured idmap domain
https://fedorahosted.org/sssd/ticket/2202
   sssd_be should hint about increasing the krb5_auth_timeout if krb5 auth
   times out
https://fedorahosted.org/sssd/ticket/2208
   Warn with a user-friendly error message when permissions on sssd.conf
   are incorrect
https://fedorahosted.org/sssd/ticket/2213
   sudo rules time filter is nondeterministic
https://fedorahosted.org/sssd/ticket/2215
   Man page states default_shell option supersedes other shell options
   but in fact override_shell does.

== Detailed Changelog ==

Alexander Bokovoy (1):
      * FAST: when parsing krb5_child response, make sure to not miss OTP message if it was last one

Benjamin Franzke (1):
      * dlopen-tests: Check the result of asprintf

Jakub Hrozek (27):
      * Updating the version for the 1.11.4 release
      * LDAP: Fix typo and use the right attribute map
      * LDAP: Add a new error code for malformed access control filter
      * tests: Remove tests that check creating public directories
      * UTIL: Inherit parent domain's default_shell
      * NSS: Use plain user name when expanding homedir
      * AD: Don't fail the request if ad_account_can_shortcut fails
      * MAN: Fix a typo
      * LDAP: Fix error check
      * LDAP: Don't abort request if no id mapping domain matches
      * AD: Don't mark domain as enumerated twice
      * AD: Store info on whether a subdomain is set to enumerate
      * LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
      * LDAP: Add enum request with custom connection
      * AD: Enumerate users from GC, other entities from LDAP
      * LDAP: Don't clobber original_member during enumeration
      * DB: Add sss_ldb_el_to_string_list
      * AD: Establish cross-domain memberships after enumeration finishes
      * MAN: clarify which shell option takes precedence
      * LDAP: Detect the presence of POSIX attributes
      * AD: Only download domains that are set to enumerate
      * AD: Remove dead code
      * LDAP: Handle errors from sdap_id_op properly in enum code
      * SSS_CACHE: Reset the initgroups attribute when resetting users
      * IPA: Default to krb5_use_fast=try
      * MAN: Clarify the new krb5_use_fast IPA default
      * Updating translations for the 1.11.4 release

Lukas Slebodnik (7):
      * AD: Return right error code from netlogon_get_flat_name
      * LDAP: Don't fail if subdomain cannot be found by sid
      * LDAP: update id mapping detection for ldap provider
      * sdap_idamp: Fall back to another method if sid is wrong
      * krb5: fix warning may be used uninitialized
      * LDAP: store group if subdomain cannot be found by sid
      * LDAP: require attribute groupType for AD groups

Pavel Březina (2):
      * sudo: memset tm when converting time attributes
      * IPA: default krb5_fast_principal to host/$client@$realm

Pavel Reichl (10):
      * responder: Set forest attribute in AD domains
      * simple access: match objects using flat name
      * simple access: refresh master domain info
      * NSS: add support for subdomain_homedir
      * krb5: hint to increase krb5_auth_timeout
      * MONITOR: Incorrect permissions on sssd.conf
      * Revert "NSS: add support for subdomain_homedir"
      * AD: support for subdomain_homedir
      * MAN: update of subdomain_homedir usage
      * utils: handling NULL params in sss_parse_name

Sumit Bose (2):
      * IPA: fix for recent AD group membership changes
      * AD SRV: use right domain name for CLDAP ping



