[Freeipa-interest] Announcing SSSD 1.14.1

Jakub Hrozek jhrozek at redhat.com
Fri Aug 19 14:37:35 UTC 2016


=== SSSD 1.14.1 ===

The SSSD team is proud to announce the release of version 1.14.1 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly.

== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
 * The IPA provider now supports logins with enterprise principals (also
   known as additional UPN suffixes). This functionality also enables Active
   Directory users from trusted AD domains who use an additional UPN suffix
   to log in. Please note that this feature requires a recent IPA server.
 * When a user name is overridden in an IPA domain, resolving a group these
   users are a member of now returns the overridden user names.
 * Users can be looked up by, and log in with, their e-mail address as an
   identifier. In order to do so, an attribute that represents the user's
   e-mail address is fetched by default. This attribute can be customized
   by setting the ldap_user_email configuration option.
 * A new ad_enabled_domains option was added. This option lets the
   administrator select domains that SSSD should attempt to reach in the
   AD forest SSSD is joined to. This option is useful for deployments where
   not all domains are reachable on the network level, yet the administrator
   needs to access some trusted domains and therefore disabling the subdomains
   provider completely is not desirable.
 * The sssctl tool has two new commands, active-server and servers, that
   allow the administrator to observe the server that SSSD is bound to and
   the servers that SSSD autodiscovered.
 * SSSD no longer fails to start when an attribute name is present in both
   the default SSSD attribute map and the custom ldap_user_extra_attrs map.
 * GPO policy processing no longer fails if the gPCMachineExtensionNames
   attribute contains only whitespace.
 * Several commits fix regressions related to switching all user and group
   names to fully qualified format, such as running initgroups for a user
   who is only a member of a primary group.
 * Several patches fix regressions caused by splitting the database into
   two ldb files, such as when user attributes change without increasing
   the modifyTimestamp attribute value.
 * systemd unit files are now shipped for the sssd-secrets responder,
   allowing the responder to be socket-activated. To do so, administrators
   should enable the sssd-secrets.socket and sssd-secrets.service systemd
   units.
 * The sssd binary has a new switch --disable-netlink that lets sssd skip
   messages from the kernel's netlink interface.
 * A crash when entries with special characters such as '(' were requested
   was fixed.
 * The ldap_rfc_2307_fallback_to_local_users option was broken in the
   previous version. This release fixes the functionality.
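As an added example that is not part of the announcement, the sssd.conf fragment below shows where the options named in the highlights are set: ldap_user_email in an IPA-joined domain and ad_enabled_domains in an AD-joined domain. The domain names, host names and the list of enabled domains are constructed placeholders; the assumption that the joined (master) domain is listed alongside the trusted ones in ad_enabled_domains is mine, not stated on this page.

```ini
# Constructed sssd.conf fragment (added example, not from the announcement).
# Domain names and host names below are placeholders.
[sssd]
services = nss, pam
domains = example.test, corp.example.test

# IPA-joined domain. Users may now log in with their e-mail address; the
# address is read from the attribute named by ldap_user_email. The default
# is the LDAP 'mail' attribute, so this line only matters if your directory
# stores addresses elsewhere.
[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_server = ipa.example.test
ldap_user_email = mail

# AD-joined domain. ad_enabled_domains restricts which domains of the forest
# SSSD tries to reach, so that unreachable trusted domains can be skipped
# without disabling the subdomains provider completely.
[domain/corp.example.test]
id_provider = ad
ad_domain = corp.example.test
# Use a host name here: this release warns when ad_server holds an IP address.
ad_server = dc1.corp.example.test
# Assumption: the joined domain is listed together with the reachable
# trusted domain; any other domain in the forest is ignored.
ad_enabled_domains = corp.example.test, eu.corp.example.test
```

With a configuration like this in place, the two new sssctl commands from the highlights (active-server and servers) let the administrator confirm which domain controller SSSD actually bound to and which servers it discovered for each domain; note that sssctl needs the InfoPipe (ifp) responder enabled, as one of the fixed tickets below points out.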

== Packaging Changes ==
 * The NFS ID-mapping plugin was moved to its own subpackage.

== Documentation Changes ==
 * A new option ad_enabled_domains was added.
 * A new LDAP attribute mapping for e-mail addresses called ldap_user_email
   was added.

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/2789
    Warn if ad_server contains IP address
https://fedorahosted.org/sssd/ticket/2828
    Add an option to disable checking for trusted domains in the subdomains provider
https://fedorahosted.org/sssd/ticket/2856
    [RFE] Allow users to authenticate with alternative names
https://fedorahosted.org/sssd/ticket/2860
    Add support for disabling netlink use
https://fedorahosted.org/sssd/ticket/2948
    Handle overriden name of members in the memberUid attribute
https://fedorahosted.org/sssd/ticket/2958
    Support multiple principals for IPA users
https://fedorahosted.org/sssd/ticket/2978
    pid file name decalration is duplicated
https://fedorahosted.org/sssd/ticket/2987
    Improve information about krb5_keytab & ldap_krb5_keytab option in sssd man pages
https://fedorahosted.org/sssd/ticket/3009
    sssd fails to mark a connection as bad on searches that time out
https://fedorahosted.org/sssd/ticket/3018
    Detect of IPA server can handle enterprise principals
https://fedorahosted.org/sssd/ticket/3024
    sssd-common brings in nfs-utils
https://fedorahosted.org/sssd/ticket/3064
    incorrect dataExpireTimestamp setting in the timestamps cache
https://fedorahosted.org/sssd/ticket/3068
    fixes to the initial config schema implementation
https://fedorahosted.org/sssd/ticket/3069
    The sssctl tool should provide information about active and available servers
https://fedorahosted.org/sssd/ticket/3072
    task: Add a 1.14 upstream repo
https://fedorahosted.org/sssd/ticket/3077
    sssd does not work under non-root user
https://fedorahosted.org/sssd/ticket/3084
    DP: Don't pass empty string, but NULL to providers
https://fedorahosted.org/sssd/ticket/3086
    tools: sssctl config-check and sssctl cache ignore --help
https://fedorahosted.org/sssd/ticket/3087
    tools: make sssctl command names consistent
https://fedorahosted.org/sssd/ticket/3088
    Review and update SSSD's wiki pages for 1.14.1 release
https://fedorahosted.org/sssd/ticket/3089
    Error message "Failed to retrieve users" is sometimes misleading
https://fedorahosted.org/sssd/ticket/3090
    Don't print message about trust direction on clients
https://fedorahosted.org/sssd/ticket/3091
    remove DEBUG(SSSDBG_TRACE_INTERNAL, "Trace: ldap_result found nothing!\n");
https://fedorahosted.org/sssd/ticket/3093
    Missing nested groups in user groups
https://fedorahosted.org/sssd/ticket/3094
    SELINUX_getpeercon failed [-1][Unknown error -1].
https://fedorahosted.org/sssd/ticket/3096
    sssctl: Time stamps without time zone information
https://fedorahosted.org/sssd/ticket/3101
    sssd does not start if sub-domain user is used with simple access provider
https://fedorahosted.org/sssd/ticket/3109
    Wrong pam error code returned for password change in offline mode
https://fedorahosted.org/sssd/ticket/3110
    Access denied after activating user in 389ds
https://fedorahosted.org/sssd/ticket/3111
    sssd doesn't start on IPA client if IPA server VM is paused
https://fedorahosted.org/sssd/ticket/3120
    SSSD fails to start when ldap_user_extra_attrs contains mail
https://fedorahosted.org/sssd/ticket/3121
    [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11
https://fedorahosted.org/sssd/ticket/3122
    Do not check local users with disabled local_negative_timeout
https://fedorahosted.org/sssd/ticket/3130
    Better error message if sssctl is ran w/o activating the IFP responder
https://fedorahosted.org/sssd/ticket/3132
    check return value of sysdb_search_user_by_upn()

== Detailed Changelog ==
Dan Lavu (1):
    * MAN: Update description of sssctl 

Fabiano Fidêncio (5):
    * sssctl: Use localtime for time stamps
    * RESPONDERS: Decrease debug level for failures in SELINUX_getpeercon()
    * RESPONDERS: Show a bit more info in case of SELINUX_getpeercon() failure
    * RESPONDERS: Pass errno to strerror() when SELINUX_getpeercon() fails
    * SDAP: Don't log an op failure when no users are found 

Jakub Hrozek (18):
    * Updating the version for the 1.14.1 release
    * FO: Set port to NOT_WORKING when trying a next server
    * LDAP: Fix storing initgroups for users with no supplementary groups
    * LDAP: Use FQDN when linking parent LDAP groups
    * SYSDB: Fix setting dataExpireTimestamp if sysdb is supposed to set the current time
    * PAM: Do not act on ldb_message in case of a failure
    * IPA: Check the return value of sss_parse_internal_fqname
    * SIMPLE: Do not parse names on startup
    * SIMPLE: Fail on any error parsing the access control list
    * SIMPLE: Make the DP handlers testable
    * TESTS: Use the DP handlers in simple provider tests, add more tests
    * CONFIG: full_name_format is an allowed option for all domains
    * CONFIG: re_expression is an allowed option for all domains
    * SPEC: Own the secrets DB path
    * UTIL: Use sss_atomic_read_s in generate_csprng_buffer
    * SECRETS: Use sss_atomic_read/write for better readability
    * BUILD: Ship systemd service file for sssd-secrets
    * Updating the translations for the 1.14.1 release 

Justin Stephenson (4):
    * Make resolv_is_address() function public and create some basic tests
    * Warn if IP address is used as option for ipa_server/ad_server
    * Monitor: Add support for disabling netlink
    * SSSCTL: More helpful error message when InfoPipe is disabled

Lukas Slebodnik (37):
    * sssctl: Fix error handling after memory allocation failure
    * sssctl: Fix format string for size_t
    * doxygen: Fix path to header file ipa_hbac.h
    * ipa_hbac: Fix documentation for hbac_enable_debug
    * sssctl: Fix warning maybe-uninitialized
    * nss-srv-tests: Fix prototype of wrapped ncache functions
    * TOOLS: Prevent dereference of null pointer
    * sysdb-tests: Fix cast from pointer to integer
    * SPEC: Move nfsidmap plugin to separate package
    * test_utils: Clean files after sss_write_krb5_conf_snippet
    * CI: Use /bin/sh as a CONFIG SHELL
    * SECRETS: Log message for failures with removing file
    * Amend debug messages after failure of unlink
    * SYSDB: Do not try to modify ts cache for unsupported DNs
    * SDAP: sanitize member name before using in filter
    * SDAP: sysdb_search_users does not set users_count for failures
    * SYSDB: Sanitize dn in sysdb_get_user_members_recursively
    * LDAP: Fix Dereference after NULL check
    * NSS: Do not check local users with disabled local_negative_timeout
    * config_schema: Add ldap_user_email to schema
    * intg: Make location of sssd nss module configurable
    * intg: Allow to test netgroups
    * NSS: Use correct name for invalidating memory cache
    * SYSDB: Avoid optimisation with modifyTimestamp for users
    * dyndns-tests: Fix false positive failures
    * LDAP: Log autofs rfc2307 config changes only with enabled responder
    * DP: Add log message for get account info
    * ds.py: Do not call teardown in destructor
    * test_local_domain: Restore correct env variable
    * intg: rename test with enumeration
    * test_enumeration: Remove test without enumeration
    * intg: create ldap test without enumeration
    * sssd_id.py: Primary group should be returned for initgroups
    * intg: Fix pep8 warnings
    * test_ldap: test nested membership with rfc2307bis
    * test_ldap: test resolving of names with special characters
    * intg: Test extra attributes duplicate 

Michal Židek (13):
    * sssctl: config-check access check report
    * config: override_space is monitor's option
    * config: Fix user_attributes
    * config: Allow timeout for all services
    * config: Add config_file_version to schema
    * dyndns: Add checks for NULL
    * sdap: Fix ldap_rfc_2307_fallback_to_local_users
    * sss_ini: Change debug level of config error msgs
    * sssctl: Consistent commands naming
    * tools: Add missing gettext macro
    * sssctl: Generic help for cache-upgrade and config-check
    * gpo: gPCMachineExtensionNames with just whitespaces
    * sdap: Skip exact duplicates when extending maps 

Pavel Březina (17):
    * sssctl: move filter creation to separate function
    * sssctl: improve readability of a condition
    * DP: rename be_acct_req to dp_id_data
    * DP: Initialize D-Bus as soon as possible
    * utils: add remove_subtree
    * sssctl: use internal API to remove files
    * rdp: add ability to forward reply to the client request
    * sbus: add sbus_request_reply_error()
    * sbus: add utility function to simplify message and reply handling
    * sssctl: use talloc with sifp
    * failover: mark subdomain service with sd_ prefix
    * sssctl: print active server and server list
    * sifp: fix coverity warning
    * sbus: allow freeing msg through dbus api when using talloc
    * PROXY: Do not abuse data provider interface
    * DP: Remove old data provider interface
    * NSS: Remove unused functions 

Petr Cech (18):
    * SYSDB: Fixing DB update
    * PROVIDERS: Setting right {u,g}id if unprivileged
    * SYSDB: Removing of duplication of sysdb_ts_cache_attrs
    * test_utils: Fixing assignment discards 'const' qualifier
    * LDAP: Changing of confusing debug message
    * IPA: Changing of confusing debug message
    * Revert "LDAP: Lookup services by all protocols unless a protocol is specified"
    * PROVIDER: Conversion empty string from D-Bus to NULL
    * LDAP: Fixing wrong pam error code for passwd
    * UTILS: Fixing duplication of pid file declaration
    * AD_PROVIDER: Add ad_enabled_domains option
    * AD_PROVIDER: Initializing of ad_enabled_domains
    * AD_PROVIDER: ad_enabled_domains - only master
    * AD_PROVIDER: ad_enabled_domains - other than master
    * TESTS: Adding tests for ad_enabled_domains option
    * LDAP: Adding support for SIGTERM signal
    * LDAP: Adding SIGTERM signal before SIGKILL
    * LDAP: Adding SIGCHLD callback 

Sumit Bose (33):
    * views: allow override added for non-default views at runtime
    * IPA: read ipaNTAdditionalSuffixes for master and trusted domains
    * sysdb: add UPN suffix support for the master domain
    * sysdb: make subdomain calls aware of upn_suffixes
    * DP: add dp_get_module_data()
    * IPA: add ipa_init_get_krb5_auth_ctx()
    * IPA: enable enterprise principals if server supports them
    * IPA: fix [capaths] output
    * UTIL: make domain mapping content testable
    * tests: add tests for sss_get_domain_mappings_content()
    * AD: avoid memory leak in netlogon_get_domain_info() and make it public
    * AD: netlogon_get_domain_info() allow missing arguments and empty results
    * tests: add tests for netlogon_get_domain_info
    * AD: replace ad_get_client_site_parse_ndr() with netlogon_get_domain_info()
    * sysdb_master_domain_add_info: properly set do_update
    * IPA: make ipa_resolve_user_list_{send|recv} public and allow AD users
    * IPA: expand ghost members of AD groups in server-mode
    * sysdb: add sysdb_get_user_members_recursively()
    * views: properly override group member names
    * IPA: fix lookup by UPN for subdomains
    * LDAP: allow multiple user principals
    * LDAP: new attribute option ldap_user_email
    * sysdb: include email in UPN searches
    * LDAP: include email in UPN searches
    * NSS: add user email to fill_orig()
    * utils: add is_email_from_domain()
    * LDAP/IPA: add local email address to aliases
    * NSS: continue with UPN/email search if name was not found
    * PAM: continue with UPN/email search if name was not found
    * NSS: use different neg cache name for UPN searches
    * PAM: Fix domain for UPN based lookups
    * SDAP: add special handling for IPA Kerberos enterprise principal strings
    * SDAP: add enterprise principal strings for user searches 

Thorsten Scherf (1):
    * Fixed some typos in man pages