[Freeipa-interest] Announcing SSSD 1.12.2

Jakub Hrozek jhrozek at redhat.com
Mon Oct 20 15:17:56 UTC 2014


                       === SSSD 1.12.2 ===

The SSSD team is proud to announce the release of version 1.12.2 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* Fixed a regression where the IPA provider didn't fetch User Private
  Groups correctly
* An important bug in the GPO access control which resulted in a wrong
  principal being used was fixed
* Several new options are available for deployments that
  need to restrict a certain PAM service from connecting to a
  certain SSSD domain. For more details, see the description of
  pam_trusted_users and pam_public_domains options in the
  sssd.conf(5) man page and the domains option in the
  pam_sss(8) man page.
* When SSSD is acting as an IPA client in a setup with trusted AD domains,
  it is able to return group members or full group memberships for users
  from trusted AD domains. Please note that this feature requires a recent
  (4.1 Alpha or newer) release of FreeIPA server.
* Support for the 'views' feature of IPA. Please note that this
  feature requires a recent (4.1 Alpha or newer) release of FreeIPA
  server. Additionally, this feature will be improved in future versions
  of SSSD.
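
The following configuration fragment is an added illustration, not part of the original announcement or of the SSSD project's documentation. It shows how the pam_trusted_users and pam_public_domains responder options and the pam_sss domains option fit together when a non-root service must be confined to one SSSD domain. The domain names, the "webapp" PAM service and its file path are constructed placeholders, and the provider settings of each domain section are left out.

```ini
# /etc/sssd/sssd.conf (constructed example; domain names are placeholders)
[sssd]
services = nss, pam
domains = corp.example.test, partners.example.test

[pam]
# Users (names or UIDs) allowed to run PAM conversations against any
# configured domain. Once this is set, every other caller is untrusted.
pam_trusted_users = root

# Domains that untrusted callers may still reach. The default is "none",
# so an unprivileged service gets no domain unless it is listed here.
pam_public_domains = partners.example.test

[domain/corp.example.test]
# provider settings for the internal domain go here (omitted)

[domain/partners.example.test]
# provider settings for the partner domain go here (omitted)

# Matching PAM stack for the hypothetical service, /etc/pam.d/webapp.
# The domains= argument limits this one service to the listed SSSD domain:
#
#   auth     required  pam_sss.so domains=partners.example.test
#   account  required  pam_sss.so domains=partners.example.test
```

With this layout a service running under an unprivileged account can authenticate only against partners.example.test, while PAM services started by root keep access to both domains.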

== Packaging Changes ==

* Some unit tests depend on nss_wrapper and uid_wrapper libraries. These
  dependencies are optional; if the libraries are not detected during build,
  the tests are skipped

== Documentation Changes ==

* New PAM responder options pam_trusted_users and pam_public_domains
* New pam_sss module option called domains
* A new template expansion %U that expands into the user's User Principal Name
* The default value of ldap_user_objectsid and ldap_group_objectsid changed
  from "Not set" to objectSID in the LDAP provider

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1021
    [RFE] Add domains= option to pam_sss
https://fedorahosted.org/sssd/ticket/1644
    [RFE] Make SSSD capable of downloading GPO policies
https://fedorahosted.org/sssd/ticket/1645
    [RFE] Leverage GPO policies to define HBAC
https://fedorahosted.org/sssd/ticket/2041
    [RFE] User's home directories and shells are not taken from AD when there is an IPA trust with AD
https://fedorahosted.org/sssd/ticket/2159
    [RFE] Support initgroups for unauthenticated AD users
https://fedorahosted.org/sssd/ticket/2340
    [RFE] User Principal Name as a template expansion for homedir mappings
https://fedorahosted.org/sssd/ticket/2375
    [RFE] SSSD side of IPA user-views
https://fedorahosted.org/sssd/ticket/2412
    Error processing universal groups with cross-domain membership in SSSD server mode
https://fedorahosted.org/sssd/ticket/2435
    SSSD connection terminated after failing anonymous bind to IBM Tivoli Directory Server
https://fedorahosted.org/sssd/ticket/2437
    conflicting gpo policy settings not being resolved correctly
https://fedorahosted.org/sssd/ticket/2442
    sssd.conf man page missing subdomains_provider ad support
https://fedorahosted.org/sssd/ticket/2443
    Password expiration policies are not being enforced by SSSD
https://fedorahosted.org/sssd/ticket/2447
    AD Provider crashes when looking up the "Domain Users" group
https://fedorahosted.org/sssd/ticket/2452
    authconfig crashes if case_sensitive=preserving in sssd.conf
https://fedorahosted.org/sssd/ticket/2453
    group members returned in lowercase with case_sensitive=preserving

== Detailed Changelog ==

Daniel Gollub (2):
      * sysdb: Write additional attrs in sysdb_add_user
      * PAM: Add domains= option to pam_sss

Jakub Hrozek (22):
      * Updating version for the 1.12.2 release
      * LDAP: Always free talloc_req
      * LDAP: Do not clobber return value when multiple controls are returned
      * TESTS: Add a case-insensitive group search sysdb test
      * MAN: AD is allowed value of subdomains_provider
      * tests: Add a test for storing custom attrs with automatic ID
      * TESTS: Add a unit test for matching the secondary objectclass
      * IPA: Use GC for group lookups in server mode
      * AD: Add a missing break statement to the GPO code
      * LDAP: Do not require a dereference control to be retuned in a reply
      * MAN: Document the domains option of pam_sss
      * MONITOR: Make internal functions static
      * SYSDB: move sysdb_get_real_name() from sysdb.c to sysdb_search.c
      * BUILD: Use $(MKDIR_P) in Makefile.am
      * MAN: Build the sss_rpcidmapd man page conditionally
      * UTIL: Do not depend on monitor code
      * MONITOR: Remove useless memory contexts
      * UTIL: Move become_user outside krb5 tree
      * BUILD: Detect nss_wrapper and uid_wrapper during configure
      * TESTS: Add a test to change user IDs
      * UTIL: Always write capaths
      * Updating the translations for the 1.12.2 release

Jan Engelhardt (1):
      * build: call AC_BUILD_AUX_DIR before anything else

Lukas Slebodnik (14):
      * CI: Add missing debian dependency
      * CI: Use default config for mock build
      * GPO: Use argument ndg_flags instead of constant
      * GPO: remove unused talloc contexts
      * DP: Print a type as hexadecimal number in debug message.
      * SDAP: Suppress warning maybe-uninitialized
      * TOOLS: Fix warning Value stored to is never read
      * SDAP: Fix warning Value stored to is never read
      * SDAP: test return value of sysdb_search_services
      * PAC: Check return value of function hash_entries
      * IPA: Fix error handling after talloc_ber_flatten
      * GPO: fail if there is problem with storing gpo into sysdb
      * GPO: Fail if we cannot retrieve gpo from cache.
      * GPO: Do not use output argument if function failed

Michal Zidek (5):
      * Add alternative objectClass to group attribute maps
      * Use the alternative objectclass in group maps.
      * sssd.api.conf: Declare case_sensitive as string
      * nss: Preserve case of group members
      * LDAP: Change defaults for ldap_user/group_objectsid

Nikolai Kondrashov (11):
      * TESTS: Free hbac_info
      * TESTS: Free compiled regexes in krb5_utils-tests
      * TESTS: Free link paths in symlink tests
      * TESTS: Free retrieved sid in test_getsidbyname
      * CI: Preserve mock config timestamps
      * CI: Don't run dlopen-tests under Valgrind
      * CI: Add Valgrind suppression support
      * CI: Suppress all detected Valgrind issues
      * CI: Enforce Valgrind check
      * CI: Remove disabling of Valgrind gdb invocation
      * CI: Don't say Valgrind is ignored in README.md

Pavel Březina (8):
      * sysdb_get_user_attr: use fqn for subdomain users
      * tests: add test for sysdb_get_user_attr with subdomain user
      * sss_get_domain_name: check for fq name first
      * tests: add test for sss_get_domain_name
      * Add sysdb_search_[user|group]_override_attrs_by_name
      * Add sysdb_get_user_attr_with_views
      * IFP: support views
      * sudo: support views

Pavel Reichl (5):
      * Fix debug messages - trailing '.'
      * PAM: new options pam_trusted_users & pam_public_domains
      * SDAP: move deciding of tls usage into new function
      * SDAP: check that connection is open before bind
      * NSS: UPN as a template expansion for homedir mappings

Stephen Gallagher (4):
      * UTIL: Do not change SSSD domains in get_domains_head
      * krb5: make get_primary() a public call
      * AD GPO: Fix incorrect sAMAccountName selection
      * AD GPO: Fix incorrect return of EACCES

Sumit Bose (32):
      * name2sid: Check negative cache for users and groups
      * sysdb: sysdb_search_group_by_name should work like sysdb_search_user_by_name
      * IPA: add support for new extdom plugin version
      * pam: sub-domain authentication fix
      * add_v1_group_data: fix for empty members list
      * nss: add SSS_NSS_GETORIGBYNAME request
      * sss_nss_idmap: add sss_nss_getorigbyname()
      * sysdb: add sysdb_update_view_name()
      * Add sdap_deref_search_with_filter_send()
      * IPA: make IPA ID context available to extdom client code
      * IPA: add view support and get view name
      * views: add ipa_get_ad_override_send()
      * sysdb: add sysdb_store_override
      * sysdb: add sysdb_attrs_add_val_safe() and sysdb_attrs_add_string_safe()
      * sysdb: sysdb_apply_default_override
      * views: get overrides during user and group lookups
      * views: search overrides for user and group requests
      * confdb: add has_views and view_name to sss_domain_info
      * new_subdomain: copy view data from parent
      * sysdb: add view data to domains
      * sysdb: add overide lookup calls
      * sysdb: add sysdb_getpwnam/uid_with_views()
      * sysdb: add sss_view_ldb_msg_find_element/attr_as_string/uint64
      * nss: add view support for getpwnam/getpwuid requests
      * sysdb: add sysdb_initgroups_with_views()
      * nss: add view support to initgroups request
      * sysdb: add sysdb_getgrnam_with_views and sysdb_getgrgid_with_views
      * nss: add view support for getgr* requests
      * sid2name: return name without views applied
      * pam: make pam responder aware if views
      * sysdb: add sysdb_enumpw/grent_with_views()
      * nss: make enumeration requests aware of views

Yassir Elley (1):
      * AD-GPO resolve conflicting policy settings correctly



