[Freeipa-interest] Announcing SSSD 1.12.5

Jakub Hrozek jhrozek at redhat.com
Fri Jun 12 14:45:29 UTC 2015


                       === SSSD 1.12.5 ===

The SSSD team is proud to announce the release of version 1.12.5 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21, 22 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
 * This release adds several new enhancements and fixes many bugs
 * Notable new enhancements:
    * The background refresh task now supports refreshing users and groups
      as well. Please see the description of the `refresh_expired_interval`
      parameter in the `sssd.conf` man page.
    * A new option subdomain_inherit was added. Options included in
      the subdomain_inherit option also apply for trusted domains, if
      supported. This release supports inheriting ignore_group_members,
      ldap_purge_cache_timeout, ldap_use_tokengroups and
      ldap_user_principal.
    * When an expired account attempts to log in, a configurable error
      message can be displayed with sufficient pam_verbosity setting. Please
      see the description of the pam_account_expired_message option for
      more information.
    * OpenLDAP ppolicy can be honored even when an alternate login method
      (such as SSH key) is used. Please see the description of the new
      ppolicy value of the ldap_access_order option.
    * A new option krb5_map_user was added. This option allows the admin
      to map UNIX usernames to Kerberos principals. The option is
      mostly useful for setups that wish to continue using UNIX file-based
      identities together with SSSD Kerberos authentication.
 * The important bug fixes include:
    * Several AD-specific bugs that resulted in the incorrect set of groups
      being displayed after the initgroups operation were fixed
    * Many fixes related to the IPA ID views feature are included. Setups
      using the ID views feature should update the SSSD instance on both
      IPA servers and clients.
    * The AD provider now handles binary GUIDs correctly. This bug was
      manifested with an error message saying ldb_modify failed: Invalid
      attribute syntax.
    * The AD provider no longer downloads full group objects during
      initgroups request if POSIX attributes are used. This fix may speed
      up the login times significantly.
    * A bug that prevented the `ignore_group_members` parameter from being
      used with the AD provider was fixed.
    * The fail over code now reads and honors the TTL value for SRV queries
      as well. Previously, SRV queries used a hardcoded timeout.
    * The SELinux context set up during login with an IPA provider is only
      called if the context had changed. This fixes a performance regression
      with the IPA provider.
    * A race condition between setting the timeout in the back ends and
      reading it in the front end during the initgroups operation was fixed.
      This bug affected applications that perform the `initgroups(3)`
      operation in multiple processes simultaneously.
    * Setups that only want to use the domain SSSD is connected to, but not
      the autodiscovered trusted domains, by setting `subdomains_provider=none`
      now work correctly as long as the domain SID is set manually in the
      config file.
    * In case only allow rules are used, the simple access provider is
      now able to skip unresolvable groups.
    * The GPO access control code now handles situations where the user and
      computer objects are in different domains. Previously, an attempt to
      log in as a user from a different domain than the computer always
      resulted in login failure.
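As an added illustration (not part of the announcement), a sssd.conf fragment that enables the options described in the highlights above. Domain names, servers, realm and mapped user names are placeholders; the `username:primary` syntax of krb5_map_user and the pam_verbosity level needed for the expiration message are recalled from the man pages and should be checked against the sssd.conf and sssd-krb5 man pages shipped with 1.12.5.

```ini
[sssd]
services = nss, pam
domains = local, ad.example.com, ldap.example.com

[pam]
# Replace the bare "Permission denied" an expired account gets with a custom
# message; the announcement notes it is only shown with sufficient pam_verbosity
pam_verbosity = 3
pam_account_expired_message = Your account has expired, please contact the helpdesk

# Local /etc/passwd identities with Kerberos authentication: the setup
# krb5_map_user is meant for. Each pair maps a UNIX name to the user part
# of a principal that does not match it (syntax assumed from the man page).
[domain/local]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
krb5_map_user = jsmith:john.smith,rjones:robert.jones

# AD domain with trusted domains: options named in subdomain_inherit also
# apply to the autodiscovered trusted domains. Only the four options listed
# in the announcement can be inherited in 1.12.5.
[domain/ad.example.com]
id_provider = ad
access_provider = ad
ignore_group_members = True
ldap_use_tokengroups = True
subdomain_inherit = ignore_group_members, ldap_use_tokengroups
# Refresh expired users, groups and netgroups in the background every
# 10 minutes (value in seconds; 0, the default, disables the task)
refresh_expired_interval = 600

# OpenLDAP domain: the new ppolicy value makes the server-side password
# policy lockout state count for the access check even when the login
# used an SSH key instead of a password. Per ticket 2612, a ppolicy time
# value SSSD cannot parse results in access being denied, not ignored.
[domain/ldap.example.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_access_order = ppolicy
```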

== Packaging Changes ==
 * The cmocka unit tests now require cmocka version 1.0 or later
 * The libsss_krb5_common.so library has been moved to the sssd-common
   subpackage to avoid ordering issues between libsss_krb5_common and
   libsss_ldap_common.
 * The proxy_child helper binary was marked as setuid in order for the
   proxy provider to work without root privileges.

== Documentation Changes ==
 * A new option subdomain_inherit was added. See the highlights section
   for more details.
 * A new option krb5_map_user was added. See the highlights section for
   more details.
 * The ldap_access_order option accepts a new value, ppolicy.
 * The account expiration message can be customized using a new option,
   pam_account_expired_message.

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1884
    [RFE] Read and use the TTL value when resolving a SRV query
https://fedorahosted.org/sssd/ticket/2050
    ssh login reject is abrupt
https://fedorahosted.org/sssd/ticket/2167
    [RFE] Allow SSSD to issue shadow expiration warning even if alternate
    authentication method is used
https://fedorahosted.org/sssd/ticket/2346
    [RFE] Implement background refresh for users and groups
https://fedorahosted.org/sssd/ticket/2444
    extop request marks dp_req as failed when an entry is not found
https://fedorahosted.org/sssd/ticket/2507
    Cyclic dependencies between sssd-ldap and krb5-common
https://fedorahosted.org/sssd/ticket/2509
    RFE: Handle setups with id_provider=proxy and auth_provider=krb5 better
https://fedorahosted.org/sssd/ticket/2513
    Add a hint on using DEBUG levels to the troubleshooting page
https://fedorahosted.org/sssd/ticket/2528
    Document that libkrb5 and sssd use different expansion templates
    for principals
https://fedorahosted.org/sssd/ticket/2534
    [RFE] Lock out ssh keys when account naturally expires
https://fedorahosted.org/sssd/ticket/2587
    With empty ipaselinuxusermapdefault security context on client is staff_u
https://fedorahosted.org/sssd/ticket/2588
    Properly handle AD's binary objectGUID
https://fedorahosted.org/sssd/ticket/2591
    sssd nss bug update vs create cache
https://fedorahosted.org/sssd/ticket/2592
    ccname_file_dummy is not unlinked on error
https://fedorahosted.org/sssd/ticket/2598
    sssd_nss segfaults if initgroups request is by UPN and doesn't find
    anything
https://fedorahosted.org/sssd/ticket/2601
    SSSD downloads too much information when fetching information about groups
https://fedorahosted.org/sssd/ticket/2604
    sssd_be segfault on IPA(when auth with AD trusted domain) client at
    src/providers/ipa/ipa_s2n_exop.c:1605
https://fedorahosted.org/sssd/ticket/2606
    GPO access control looks for computer object in user's domain only
https://fedorahosted.org/sssd/ticket/2608
    sssd crashes intermittently
https://fedorahosted.org/sssd/ticket/2611
    sssd_be dumping core if enumeration times out
https://fedorahosted.org/sssd/ticket/2612
    ldap_access_order=ppolicy: Explicitly mention in manpage that unsupported
    time specification will lead to sssd denying access
https://fedorahosted.org/sssd/ticket/2613
    sysdb sudo search doesn't escape special characters
https://fedorahosted.org/sssd/ticket/2614
    id lookup resolves "Domain Local" group and errors appear in domain log
https://fedorahosted.org/sssd/ticket/2624
    Only set the selinux context if the context differs from the local one
https://fedorahosted.org/sssd/ticket/2629
    sssd_be segfault id_provider = ad src/providers/ad/ad_gpo.c:843
https://fedorahosted.org/sssd/ticket/2630
    Overrides with --login work in second attempt
https://fedorahosted.org/sssd/ticket/2631
    idoverridegroup for ipa group with --group-name does not work
https://fedorahosted.org/sssd/ticket/2632
    Override with --login fails trusted adusers group membership resolution
https://fedorahosted.org/sssd/ticket/2633
    Group resolution is inconsistent with group overrides
https://fedorahosted.org/sssd/ticket/2634
    sssd nss responder gets wrong number of secondary groups
https://fedorahosted.org/sssd/ticket/2635
    ID mapping does not work with disabled subdomains
https://fedorahosted.org/sssd/ticket/2642
    Override for IPA users with login does not list user all groups
https://fedorahosted.org/sssd/ticket/2643
    autofs provider fails when default_domain_suffix and
    use_fully_qualified_names set
https://fedorahosted.org/sssd/ticket/2644
    ignore_group_members doesn't work for subdomains
https://fedorahosted.org/sssd/ticket/2646
    Disappeared groups with ad providers and enabled ignore_group_members
https://fedorahosted.org/sssd/ticket/2647
    external users do not resolve with "default_domain_suffix" set in IPA
    server sssd.conf
https://fedorahosted.org/sssd/ticket/2649
    /usr/libexec/sssd/selinux_child crashes and gets avc denial when ssh
https://fedorahosted.org/sssd/ticket/2650
    Unable to resolve group memberships for AD users when using
    sssd-1.12.2-58.el7_1.6.x86_64 client in combination with
    ipa-server-3.0.0-42.el6.x86_64 with AD Trust
https://fedorahosted.org/sssd/ticket/2654
    sssd_be crashed if initialisation of proxy_child failed
https://fedorahosted.org/sssd/ticket/2655
    proxy provider does not work in non-root mode
https://fedorahosted.org/sssd/ticket/2659
    IPA enumeration provider crashes
https://fedorahosted.org/sssd/ticket/2663
    id lookup for non-root domain users doesn't return all groups on
    first attempt

== Detailed changelog ==
Adam Tkac (1):
      * Option filter_users had no effect for retrieving sudo rules

Aron Parsons (2):
      * IPA: fix segfault in ipa_s2n_exop
      * autofs: fix 'Cannot allocate memory' with FQDNs

Daniel Hjorth (1):
      * LDAP: unlink ccname_file_dummy if there is an error

Jakub Hrozek (34):
      * Updating the version for the 1.12.5 release
      * resolv: Use the same default timeout for SRV queries as previously
      * FO: Use SRV TTL in fail over code
      * selinux: Delete existing user mapping on empty default
      * NSS: Handle ENOENT when doing initgroups by UPN
      * selinux: Handle setup with empty default and no configured rules
      * tests: convert all unit tests to cmocka 1.0 or later
      * RPM: BuildRequire libcmocka >= 1.0
      * build: Only run cmocka tests if cmocka 1.0 or newer is available
      * Resolv: re-read SRV query every time if its TTL is 0
      * IPA: Use custom error codes when validating HBAC rules
      * IPA: Drop useless sysdb parameter
      * IPA: Only treat malformed HBAC rules as fatal if deny rules are enabled
      * IPA: Deprecate the ipa_hbac_treat_deny_as option
      * selinux: Disconnect before closing the handle
      * selinux: Begin and end the transaction on the same nesting level
      * selinux: Only call semanage if the context actually changes
      * tests: Use cmocka-1.0+ API in test_sysdb_utils
      * sysdb: Add cache_expire to the default
        sysdb_search_object_by_str_attr set
      * SELINUX: Avoid disconnecting disconnected handle
      * LDAP: return after tevent_req_error
      * MAN: refresh_expired_interval also supports users and groups
      * tests: ncache_hit must be an int to test UPNs
      * tests: Add a getpwnam-by-UPN test
      * Add unit tests for initgroups
      * Download complete groups if ignore_group_members is set with
        tokengroups
      * DP: Set extra_value to NULL for enum requests
      * Skip enumeration requests in IPA and AD providers as well
      * confdb: Add new option subdomain_inherit
      * DP: Add a function to inherit DP options, if set
      * SDAP: Add sdap_copy_map_entry
      * UTIL: Inherit ignore_group_members
      * subdomains: Inherit cleanup period and tokengroup settings from
        parent domain
      * Updating translations for the 1.12.5 release

Lukas Slebodnik (19):
      * Log reason in debug message why ldb_modify failed
      * ipa_selinux: Fix warning may be used uninitialized
      * memberof: Do not create request with 0 attribute values
      * CLIENT: Clear errno with enabled sss-default-nss-plugin
      * GPO: Check return value of ad_gpo_store_policy_settings
      * SDAP: Do not set gid 0 twice
      * SDAP: Extract filtering AD group to function
      * SDAP: Filter ad groups in initgroups
      * GPO: Do not ignore missing attrs for GPOs
      * sss_nss_idmap-tests: Use different prepared buffers for big endian
      * SDAP: Fix id mapping with disabled subdomains
      * SPEC: Fix cyclic dependencies between sssd-{krb5,}-common
      * negcache: Soften condition for expired entries
      * test_nss_srv: Use right function for storing time_t
      * nss: Do not ignore default value of SYSDB_INITGR_EXPIRE
      * SDAP: Set initgroups expire attribute at the end
      * SDAP: Remove unnecessary argument from sdap_save_user
      * PROXY: proxy_child should work in non-root mode
      * PROXY: Do not register signal with SA_SIGINFO

Michal Zidek (2):
      * DEBUG: Add missing strings for error messages
      * test: Check ERR_LAST

Pavel Březina (8):
      * be_refresh: refresh all domains in backend
      * sdap_handle_acct_req_send: remove be_req
      * be_refresh: refactor netgroups refresh
      * be_refresh: add sdap_refresh_init
      * be_refresh: support users
      * be_refresh: support groups
      * enumeration: fix talloc context
      * sudo: sanitize filter values

Pavel Reichl (18):
      * PAM: do not reject abruptly
      * PAM: new option pam_account_expired_message
      * PAM: warn all services about account expiration
      * PAM: check return value of confdb_get_string
      * SDAP: refactor pwexpire policy
      * SDAP: enable change phase of pw expire policy check
      * UTIL: convert GeneralizedTime to unix time
      * SDAP: Lock out ssh keys when account naturally expires
      * SDAP: fix minor neglect in is_account_locked()
      * ldap_child: fix coverity warning
      * MAN: libkrb5 and SSSD use different expansions
      * IPA: set EINVAL if dn can't be linearized
      * LDAP: remove unused code
      * LDAP: fix a typo in debug message
      * MAN: Update ppolicy description
      * simple-access-provider: make user grp res more robust
      * LDAP: warn about lockout option being deprecated
      * krb5: new option krb5_map_user

Stephen Gallagher (3):
      * AD: Clean up ad_access_gpo
      * AD: Always get domain-specific ID connection
      * AD GPO: Always look up GPOs from machine domain

Sumit Bose (25):
      * ldap_child: initialized ccname_file_dummy
      * PAM: use the logon_name as the key for the PAM initgr cache
      * pam_initgr_check_timeout: add debug output
      * ipa: do not treat missing sub-domain users as error
      * ipa: make sure extdom expo data is available
      * LDAP/AD: do not resolve group members during tokenGroups request
      * IPA idviews: check if view name is set
      * IPA: make sure output variable is set
      * GPO: error out instead of leaving array element uninitialized
      * sdap: properly handle binary objectGuid attribute
      * IPA: do not try to save override data for the default view
      * IPA: use sysdb_attrs_add_string_safe to add group member
      * IPA: check ghosts in groups found by uuid as well
      * IPA: allow initgroups by SID for AD users
      * IPA: do initgroups if extdom exop supports it
      * IPA: update initgr expire timestamp conditionally
      * IPA: enhance ipa_initgr_get_overrides_send()
      * IPA: search for overrides during initgroups in server mode
      * IPA: do not add domain name unconditionally
      * NSS: check for overrides before calling backend
      * IPA: allow initgroups by UUID for FreeIPA users
      * SDAP: use DN to update entry
      * IPA: do not fail if view name lookup failed on older versions
      * libwbclient-sssd: update interface to version 0.12
      * ldap: use proper sysdb name in groups_by_user_done()
