[Freeipa-interest] Announcing SSSD 1.14 Alpha

Jakub Hrozek jhrozek at redhat.com
Mon Jun 20 20:36:22 UTC 2016


			== SSSD 1.14 Alpha ==

The SSSD team is proud to announce the release of version 1.14 Alpha of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
    * Several internal interfaces were refactored, providing cleaner
      code and better memory hierarchy. This change will allow the code to
      be easier to maintain and extend and get rid of sssd_be crashes on
      service restarts while active requests are running.
    * The IPA provider allows looking up users from trusted Active Directory
      domains by certificates that are included in the IPA ID-views. Please
      note that this functionality requires a recent IPA server.
    * The AD provider is now able to look up users from Active Directory
      domains by certificate. This change enables logins for Active Directory
      users with the help of a smart card.
    * The sss_override tool is now able to add certificates as local
      overrides in the SSSD cache. Please note that the certificate overrides
      are stored in the local cache, so removing the cache also removes all
      the certificates!
    * Invalid certificates are skipped instead of aborting the whole
      operation when logging in with a smart card using SSH.
    * A new option local_negative_timeout was added. This option lets
      the admin specify the time during which lookups for users that are
      not handled by SSSD but are present on the system (typically in
      /etc/passwd and /etc/group) are negatively cached. This prevents
      repeated lookups of local users on the remote server during
      initgroups operations.
    * This version allows several OCSP-related options, such as the OCSP
      responder, to be configured for smart card authentication.
    * SSSD is now able to determine the name of the user who logs in from
      the inserted smart card without having to type in the username. Please
      note that this functionality must be enabled with the allow_missing_name
      pam_sss option.
    * The sss_cache command line tool is now able to invalidate SUDO rules
      with its new -r/-R switches. Please note that the sudo rules are not
      refreshed with the sss_cache tool immediately. Refer to the sssd-sudo
      man page for the existing refresh timeouts.
    * The AD provider as well as the IPA provider part that handles AD
      users is able to use the PAC blob attached to the Kerberos ticket to
      resolve group memberships for a user if available. If the PAC blob is
      not available, other methods such as tokenGroups are used instead.
    * The libipa_hbac library was decorated with debug statements, allowing
      the administrator to see individual parts of the HBAC rules as well
      as the request passed to the evaluator.
    * Several systemtap probes were added across the SSSD codebase as well
      as example systemtap scripts that use these probes. The scripts allow
      the administrator to observe the performance of some operations such
      as saving a group or the 'id' command with systemtap.

== Packaging Changes ==
    * The libsss_sudo.so and libsss_autofs.so libraries were moved to
      individual subpackages. This change allows the sudo and autofs libraries
      to be installed in containers when the SSSD daemon is running on the
      host or in another container.
    * The PolicyKit rules used by the p11 child during smartcard
      authentication were moved into their own subpackage to prevent a
      conflict in ownership with the polkit package.
    * The upstream RPMs no longer run SSSD as an unprivileged user, because
      there are several known issues related to running SSSD completely
      unprivileged. It is still possible to switch to a non-privileged user
      in the sssd.conf file.
    * If no configuration file exists on SSSD startup, the SSSD is now able
      to read a default sssd.conf on first start. Downstreams are encouraged
      to ship a default sssd.conf to allow SSSD to be enabled by default.

== Documentation Changes ==
    * It is possible to configure SSSD debugging with the debug option
      which is an alias to the existing debug_level option.
    * A new local_negative_timeout option was added to configure the time
      during which lookups for users that exist on the system but are not
      handled by SSSD are negatively cached.
    * The PAC responder allows configuring the time during which data read
      from the PAC blob is considered valid with the new pac_lifetime option.
    * Several PAM services were added to the default list of Group
      Policy mappings. These include adding the unity login manager to
      the ad_gpo_map_interactive list and the polkit-1 service to the
      ad_gpo_map_allow list.
    * The p11 responder allows configuring the default OCSP responder with
      its new option ocsp_default_responder and the certificate expected to
      sign the OCSP response with the new ocsp_default_responder_signing_cert
      option.
    * The pam_sss.so PAM module has a new option allow_missing_name that
      allows looking up the user (typically with the help of a certificate
      on a smartcard) during login.
    * The sss_override tool gained a new option -x/--certificate that can
      be used to specify a local (as in the local cache) certificate for a
      particular user.
    * The sss_cache tool gained new options -r/-R that allow the
      administrator to invalidate the sudo rules in the cache.
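The local_negative_timeout behaviour described in the Highlights and again under Documentation Changes is easiest to see in a small model of the initgroups path: a name not known to the backend is negatively cached, and a name that is also present in the local files gets the longer timeout so the remote server is not asked about it again. The code below is an added illustration written for this page, not SSSD's own negative cache; the timeout values, the passwd content, the user names and the class names are all constructed assumptions.

```python
"""Toy model of negative caching with a separate timeout for local users.
Added example; this is not SSSD code.  SSSD's real negative cache lives in
the responders and is keyed and sized differently."""


# Constructed sample of a local /etc/passwd.  Neither account is handled by
# SSSD, so every initgroups for them would otherwise hit the remote backend.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
svc_backup:x:998:998::/var/lib/backup:/sbin/nologin
"""


def local_users(passwd_text):
    """Names of accounts defined in the local passwd file."""
    return {line.split(":")[0] for line in passwd_text.splitlines() if line.strip()}


class FakeClock:
    """Deterministic clock so the example runs offline and repeatably."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class NegativeCache:
    """name -> expiry; misses for local users live for local_timeout seconds."""

    def __init__(self, entry_timeout, local_timeout, clock):
        self.entry_timeout = entry_timeout   # assumed analogue of the short negative timeout
        self.local_timeout = local_timeout   # assumed analogue of local_negative_timeout
        self.clock = clock
        self._entries = {}

    def is_negative(self, name):
        expiry = self._entries.get(name)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self._entries[name]          # expired: allow a fresh lookup
            return False
        return True

    def set_negative(self, name, is_local):
        ttl = self.local_timeout if is_local else self.entry_timeout
        self._entries[name] = self.clock() + ttl


class Responder:
    """Simulated lookup path: negative cache -> remote backend -> local files check."""

    def __init__(self, negcache, local_names, remote_users):
        self.negcache = negcache
        self.local_names = local_names
        self.remote_users = remote_users     # constructed stand-in for the directory
        self.remote_calls = 0                # the round trips the option exists to avoid

    def initgroups(self, name):
        if self.negcache.is_negative(name):
            return None
        self.remote_calls += 1
        if name in self.remote_users:
            return self.remote_users[name]
        # Backend miss: cache it, for longer if the name is a local account.
        self.negcache.set_negative(name, is_local=(name in self.local_names))
        return None


def simulate(entry_timeout=15, local_timeout=14400):
    """Return (remote calls for a local user, remote calls for an unknown user)."""
    clock = FakeClock()
    negcache = NegativeCache(entry_timeout, local_timeout, clock)
    responder = Responder(negcache, local_users(LOCAL_PASSWD), {"alice": ["alice", "devs"]})
    # Three initgroups for a local account spread over an hour: one backend round trip.
    for _ in range(3):
        responder.initgroups("svc_backup")
        clock.advance(1200)
    local_calls = responder.remote_calls
    # An unknown, non-local name is re-queried once the short timeout has passed.
    responder.initgroups("ghost")
    clock.advance(entry_timeout + 1)
    responder.initgroups("ghost")
    return local_calls, responder.remote_calls - local_calls


if __name__ == "__main__":
    print(simulate())
```

The point of the longer timeout is visible in the two counters: the local account costs one backend round trip per local_negative_timeout window, while a genuinely unknown name is retried after the short timeout, so a user created in the directory later is still found promptly.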

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1656
    Name-space add_string and make it clear it can also remove string
https://fedorahosted.org/sssd/ticket/2081
    [RFE] sss_cache: invalidate sudo rules
https://fedorahosted.org/sssd/ticket/2151
    [RFE] Integrate SSSD with containers
https://fedorahosted.org/sssd/ticket/2158
    PAC responder needs much time to process large group lists
https://fedorahosted.org/sssd/ticket/2317
    make the negcache timeout part of nc_ctx
https://fedorahosted.org/sssd/ticket/2369
    check correct usage of talloc_realloc
https://fedorahosted.org/sssd/ticket/2424
    review the use of umask() in sssd code
https://fedorahosted.org/sssd/ticket/2683
    man sssd.conf should clarify details about subdomain_inherit option.
https://fedorahosted.org/sssd/ticket/2703
    Need better libhbac debugging added to sssd
https://fedorahosted.org/sssd/ticket/2715
    Make it possible to lookup user via UPN / Kerberos principal
https://fedorahosted.org/sssd/ticket/2816
    CI: whitespace_test FAILED without any output
https://fedorahosted.org/sssd/ticket/2848
    cache_req: add SID lookups
https://fedorahosted.org/sssd/ticket/2855
    Move libsss_sudo.so outside sssd-common
https://fedorahosted.org/sssd/ticket/2866
    Cannot authenticate AD trust users after disconnecting network
https://fedorahosted.org/sssd/ticket/2869
    cache_req tests don't use leak_check_push/leak_check_pop in fixtures
https://fedorahosted.org/sssd/ticket/2870
    AD GPO fails if the machine account belongs to a domain controller
https://fedorahosted.org/sssd/ticket/2897
    Smart Cards: Certificate in the ID View
https://fedorahosted.org/sssd/ticket/2903
    Review and update wiki pages for 1.14 Alpha
https://fedorahosted.org/sssd/ticket/2924
    Incorrect mapping for locked vs expired accounts with the krb provider
https://fedorahosted.org/sssd/ticket/2928
    NSS responder should negatively cache local users for a longer time
https://fedorahosted.org/sssd/ticket/2941
    Screen locks and smart card is removed - must show a message to insert the correct smartcard
https://fedorahosted.org/sssd/ticket/2968
    Abstract async connect functions from sss_ldap
https://fedorahosted.org/sssd/ticket/2973
    Common responder code closes socket too early on client shutdown
https://fedorahosted.org/sssd/ticket/2977
    ssh with Smartcards - skip invalid certificates
https://fedorahosted.org/sssd/ticket/2999
    RFE - alias log_level to debug_level
https://fedorahosted.org/sssd/ticket/3005
    [Patch] Vague error message: [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
https://fedorahosted.org/sssd/ticket/3010
    SSSD doesn't fail over to next GC if authentication fails

== Detailed Changelog ==

Alexander Bokovoy (1):
    * SPEC: Move polkit rules into sssd-polkit-rules subpackage 

Dan Lavu (5):
    * sss_override: Add restart requirements to man page
    * MAN: Clarify that subdomain_inherit only works for IPA and AD
    * URL in BUILD.txt is incorrect
    * Clarify that subdomains always use service discovery
    * PAM: Fix man for pam_account_{expired,locked}_message 

David Disseldorp (1):
    * build: detect endianness at configure time 

Fabiano Fidêncio (4):
    * sysdb: move add_string() convenience to sysdb.c
    * sysdb: add sysdb_{add,replace,delete}_string()
    * sysdb: move add_ulong() convenience to sysdb.c
    * sysdb: add sysdb_{add,replace,delete}_ulong() 

Graham Leggett (1):
    * Add underlying diagnostic message for SSL errors. 

Jakub Hrozek (72):
    * Updating the version to track 1.14 development
    * MAN: Clarify pam_trusted_users option description
    * MAN: proxy and krb5 are valid access control modules
    * contrib: Add a pre-push hook to warn about commits without Reviewed-By
    * AD: Provide common connection list construction functions
    * AD: Consolidate connection list construction on ad_common.c
    * tests: Fix compilation warning
    * FO: Don't free rc-allocated structure
    * tests: Reduce failover code duplication
    * FO: Use refcount to keep track of servers returned to callers
    * tools: Don't shadow 'exit'
    * IFP: Skip non-POSIX groups properly
    * SSSD: Add a new option diag_cmd
    * DP: Drop dp_pam_err_to_string
    * DP: Check callback messages for valid UTF-8
    * sbus: Check string arguments for valid UTF-8 strings
    * DP: Do not confuse static analysers with dead code
    * CONTRIB: Add a gdb pretty-printer for ldb and sysdb_attrs
    * BUILD: Only install polkit rules if the directory is available
    * AD: Add autofs provider
    * KRB5: Handle preauth request timeout more gracefully
    * KRB5: Handle KRB5_REALM_UNKNOWN as ERR_NETWORK_IO
    * FO: Use tevent_req_defer_callback() when notifying callers
    * IPA: Use search timeout, not enum timeout for searching overrides
    * DP: Reduce code duplication in the callback handlers
    * DP: Reduce code duplication in Data Provider handlers
    * MAN: Clarify when should TGs be disabled for group nesting restriction
    * DP: Print warning when the handler is not configured
    * tests: use unittest.TestCase.assertCountEqual if possible
    * Fix pep8 warnings in pyhbac-test.py
    * SDAP: Make it possible to silence errors from dereference
    * Add a new option ldap_group_external_member
    * IPA: Add interface to call into IPA provider from LDAP provider
    * LDAP: Use the IPA provider interface to resolve external group members
    * IPA: Use the common if-else coding style
    * tests: Extend test_child_common.c to include tests for the only_extra_args functionality
    * NSS: Move a DEBUG message so that it's less confusing
    * MAN: Move subdomain_inherit to the correct man section
    * MAN: Move proxy_fast_alias to the correct man section
    * memberof: Don't allocate on a NULL context
    * tests: Add a unit test for the external groups resolution
    * libipa_hbac: Do not use C99
    * libipa_hbac: Add more debug messages
    * libipa_hbac: Fix typo in constant name
    * libipa_hbac: Move the library to src/lib/ipa_hbac
    * MAN: Remove duplicate description of the pam_account_locked_message option
    * AD: Recognize Windows Server 2016
    * memberof: Fix a memory leak when removing ghost users
    * memberof: Don't allocate on NULL when deleting memberUids
    * tests: Check NULL context in sysdb-tests when removing group members
    * MAN: Drop the reference to IPAv2 in the man page
    * Make sdap_process_group_send() static
    * MAN: Remove references to the obsolete PubkeyAgent ssh option
    * UTIL: Add ERR_SBUS_REQUEST_HANDLED
    * IFP: Do not crash on invalid arguments to GetUserAttr
    * UTIL: exit() the forked process if exec()-ing a child process fails
    * AD: Do not schedule the machine renewal task if adcli is not executable
    * AD: Do not leak file descriptors during machine password renewal
    * Do not leak fds in case of failures setting up a child process
    * LDAP: Try also the AD access control for IPA users
    * RESPONDER: Fix error check in cache_req.c
    * UTIL: Add a PROBE macro into probes.h
    * BUILD: Add build infrastructure for systemtap scripts
    * SYSDB: Track transaction nesting in sysdb_ctx
    * SYSDB: Add systemtap probes to track sysdb transactions
    * STAP: Add helper functions for human-readable account request representation
    * LDAP: Decorate the hot paths in the LDAP provider with systemtap probes
    * CONTRIB: Add a systemtap script to analyze the performance of the 'id' command
    * CONTRIB: Add a systemtap script to measure nested group code performance
    * BUILD: Enable systemtap during RPM build and CI
    * Updating the translations for the 1.14 alpha release
    * Updating the version for the 1.14 beta release 

Lukas Slebodnik (107):
    * CONTRIB: pre-push hook could work with python3
    * BUILD: Link just libsss_crypto with crypto libraries
    * BUILD: Link crypto_tests with existing library
    * BUILD: Remove unused variable TEST_MOCK_OBJ
    * BUILD: Avoid symlinks with python modules
    * SSSDConfigTest: Try load saved config
    * SSSDConfigTest: Test real config without config_file_version
    * intg_tests: Fix PEP8 warnings
    * responder_common_tests: Removed unused libraries
    * BUILD: Remove unused variables
    * BUILD: Remove SSS_CRYPTO_LIBS from common libraries
    * BUILD: Accept krb5 1.14 for building the PAC plugin
    * BUILD: Fix detection of pthread with strict CFLAGS
    * sbus_codegen_tests: Suppress warning Wmaybe-uninitialized
    * BUILD: Fix cleanup without NLS
    * SDAP: Remove unused sdap_id_ctx from sdap_id_conn_cache_create
    * BUILD: Fix doc directory for sss_simpleifp
    * LDAP: Fix leak of file descriptors
    * BUILD: Remove sudo doxygen file
    * CI: Workaround for code coverage with old gcc
    * FAIL_OVER: Fix warning value computed is not used
    * cache_req: Fix warning -Wshadow
    * SBUS: Fix warnings -Wshadow
    * TESTS: Fix warnings -Wshadow
    * INIT: Drop syslog.target from service file
    * AD: Remove unused memory context from ad_user_conn_list
    * DP_PTASK: Fix warning may be used uninitialized
    * UTIL: Fix memory leak in switch_creds
    * TESTS: Initialize leak check
    * TESTS: Check return value of check_leaks_pop
    * TESTS: Make check_leaks static function
    * TESTS: Add warning for unused result of leak check functions
    * sss_client: Fix underflow of active_threads
    * sssd_client: Do not use removed memory cache
    * test_memory_cache: Test removing mc without invalidation
    * Revert "intg: Invalidate memory cache before removing files"
    * CONFIGURE: Bump AM_GNU_GETTEXT_VERSION
    * test_sysdb_subdomains: Do not use assignment in assertions
    * ldap_local_override_test: Fix failure with python2.6
    * sbus_codegen_tests: Use portable definition of large constants
    * CI: Update suppression file for 32bit el6
    * DEBUG: Add missing new lines
    * AD: Log SID in debug message
    * SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
    * SPEC: Move libsss_sudo.so outside sssd-common
    * SPEC: Fix unowned directories
    * SPEC: Use systemd macros
    * pam-srv-tests: Reuse test directory for IO tests
    * FAILOVER: Improve reporting of errors
    * TOOLS: Fix warning Wsign-compare
    * pysss_murmur: Fix warning Wsign-compare
    * pyhbac: Fix warning Wsign-compare
    * SPEC: Remove unnecessary clean-up of buildroot
    * SPEC: Fix packaging of libsss_simpleifp
    * CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL
    * TESTS: Fix race condition in python test
    * server-tests: Fix clean-up after successful test
    * PYTHON: sss_obfuscate should work with python3
    * PYTHON: Fix pep8 errors in sss_obfuscate
    * intg: Change preference of openldap module path
    * SPEC: Move libsss_autofs.so outside sssd-common
    * SPEC: Remove unnecessary requirements
    * sss_idmap-tests: Fix segmentation fault
    * krb5_child: Warn if user cannot read krb5.conf
    * Fix typos reported by lintian
    * UTIL: Use prefix for debug function
    * UTIL: Provide varargs version of debug_fn
    * IPA: Use sss_vdebug_fn in hbac_debug_messages
    * IPA: log real hbac function
    * HBAC: Check format string in hbac log function
    * UTIL: Use sss_vdebug_fn for callbacks
    * Revert "DEBUG: Preventing chown_debug_file if journald on"
    * DEBUG: Ignore ENOENT for change owner of log files
    * TOOLS: Fix minor memory leak in sss_colondb_writeline
    * CI: Use yum-deprecated instead of dnf
    * BUILD: Remove unused include directories
    * BUILD: Simplify build of cwrap tests
    * UTIL: Fix indentation in dlinklist.h
    * UTIL: Fix warning misleading-indentation
    * CLIENT: Reduce code duplication
    * CLIENT: Retry request after EPIPE
    * libipa_hbac: Ensure we always build with C90
    * UTIL: Do not call stderr with negative number
    * UTIL: Move debug part from util.h -> new debug.h
    * UTIL: Allow to append new line in sss_vdebug_fn
    * AUTOMAKE: Force usage of parallel test harness
    * CI: Use make check instead of make-check-wrap
    * IPA: Remove unused parameter from ipa_ext_group_member_check
    * SDAP: Remove unused parameter talloc context
    * test_ipa_subdom_server: Workaround for slow krb5 + SELinux
    * SPEC: Run extra unit tests with epel
    * GPO: Soften umask in gpo_child
    * GPO_CHILD: Create directories in gpo_cache with right permissions
    * GPO: Process GPOS in offline mode if ldap search failed
    * IPA: Check RDN in ipa_add_ad_memberships_get_next
    * dp_ptask: Fix memory leak in synchronous ptask
    * test_be_ptask: Check leaks in tests
    * test_ad_common: Include missing header if building with NSS
    * SYSDB_SUDO: Remove useless test
    * IPA_SUDO: Prevent dereference of NULL pointer
    * intg: Use different uid range for add_remove tests
    * LDAP: Print port in sdap_print_server
    * TOOLS: Fix warning maybe-uninitialized
    * pam-srv-tests: Increase cached_auth_timeout
    * CI: Exclude files in /tmp during coverage runs
    * pam-srv-tests: Fix warning unused-function
    * SPEC: Run sssd as privileged user 

Mathieu Deaudelin-Lemay (1):
    * Changes to allow SSSD to be used for access control with a machine
      account belonging to a domain controller.

Michal Židek (15):
    * SSSDConfig: Do not raise exception if config_file_version is missing
    * spec: Missing initgroups mmap file
    * util: Update get_next_domain's interface
    * tests: Add get_next_domain_flags test
    * sysdb: Include disabled domains in link_forest_roots
    * sysdb: Use get_next_domain instead of dom->next
    * Refactor some conditions
    * util: Continue if setlocale fails
    * server_setup: Log failed attempt to set locale
    * tests: Run intgcheck without libsemanage
    * tests: Regression test with wrong LC_ALL
    * ldap_local_override_test: Remove sss_cache from teardown
    * MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE
    * NSS: do not skip cache check for netgroups
    * GPO: log specific ini parse error messages 

Nikolai Kondrashov (15):
    * CI: Exclude whitespace_test from Valgrind checks
    * TESTS: Make whitespace_test pass without whitespace
    * man: Mention groups in filter_groups description
    * man: Note filter_groups are not affecting nesting
    * intg: Get base DN from LDAP connection object
    * intg: Add support for specifying all user attrs
    * intg: Split LDAP test fixtures for flexibility
    * intg: Reduce sssd.conf duplication in test_ldap.py
    * intg: Fix RFC2307bis group member creation
    * intg: Do not use non-existent pre-increment
    * CI: Do not skip tests not checked with Valgrind
    * CI: Handle dashes in valgrind-condense
    * intg: Fix all PEP8 issues
    * CI: Enforce coverage make check failures
    * intg: Add more LDAP tests 

Pavel Březina (131):
    * sbus codegen tests: free ctx
    * sss tools: improve option handling
    * cache_req: provide extra flag for oob request
    * cache_req: add support for UPN
    * cache_req tests: reduce code duplication
    * cache_req: remove raw_name and do not touch orig_name
    * intg: fix typos
    * sss_override: fix comment describing format
    * sss_override: explicitly set ret = EOK
    * sss_override: steal msgs string to objs
    * nss: send original name and id with local views if possible
    * sudo: search with view even if user is found
    * sudo: send original name and id with local views if possible
    * sss_tools: always show common and help options
    * sss_override: fix exporting multiple domains
    * sss_override: add user-find
    * sss_override: add group-find
    * sss_override: add user-show
    * sss_override: add group-show
    * sss_override: do not free ldb_dn in get_object_dn()
    * sss_override: use more generic help text
    * sss_tools: do not allow unexpected free argument
    * BE: Add IFP to known clients
    * AD: remove annoying debug message
    * man sssd-ad: fix typo
    * SYSDB: Add missing include to sysdb_services.h
    * LDAP: Mark globals in ldap_opts.h as extern
    * AD: Mark globals in ad_opts.h as extern
    * IPA: Mark globals in ipa_opts.h as extern
    * KRB5: Mark globals in krb5_opts.h as extern
    * SUDO: convert periodical refreshes to be_ptask
    * SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
    * SUDO: move offline check to handler
    * SUDO: simplify error handling
    * SUDO: fix sdap_id_op logic
    * SUDO: fix tevent style
    * SUDO: fix sdap_sudo_smart_refresh_recv()
    * SUDO: sdap_sudo_load_sudoers improve iterator
    * SUDO: set USN inside sdap_sudo_refresh request
    * SUDO: build host filter inside sdap_sudo_refresh request
    * SUDO: do not imitate full refresh if usn is unknown in smart refresh
    * SUDO: fix potential memory leak in sdap_sudo_init
    * SUDO: obtain host information when going online
    * SUDO: remove finalizer
    * SUDO: make sdap_sudo_handler static
    * SUDO: use size_t instead of int in for cycles
    * SUDO: get srv_opts after we are connected
    * AD SRV: prefer site-local DCs in LDAP ping
    * SDAP: handle ret properly in ldap_get_options()
    * SDAP: do not fail if refs are found but not processed
    * SDAP: Add request that iterates over all search bases
    * SDAP: rename sdap_get_id_specific_filter
    * SDAP: support empty filters in sdap_combine_filters()
    * SUDO: use sdap_search_bases instead of custom sb iterator
    * SUDO: make sudo sysdb interface more reusable
    * SUDO: move code shared between ldap and ipa to separate module
    * SUDO: allow to disable ptask
    * SUDO: fail on failed request that cannot be retried
    * IPA: add ipa_get_rdn and ipa_check_rdn
    * SDAP: use ipa_get_rdn() in nested groups
    * IPA SUDO: choose between IPA and LDAP schema
    * IPA SUDO: Add ipasudorule mapping
    * IPA SUDO: Add ipasudocmdgrp mapping
    * IPA SUDO: Add ipasudocmd mapping
    * IPA SUDO: Implement sudo handler
    * IPA SUDO: Implement full refresh
    * IPA SUDO: Implement rules refresh
    * IPA SUDO: Remember USN
    * SDAP: Add sdap_or_filters
    * IPA SUDO: Implement smart refresh
    * SUDO: sdap_sudo_set_usn() do not steal usn
    * SUDO: remove full_refresh_in_progress
    * SUDO: assume zero if usn is unknown
    * SUDO: allow disabling full refresh
    * SUDO: remember usn as number instead of string
    * SUDO: simplify usn filter
    * IPA SUDO: Add support for ipaSudoRunAsExt* attributes
    * sdap_connect_send: fail if uri or sockaddr is NULL
    * MAKE: Do not compile generated header files
    * cache_req: simplify cache_req_cache_check()
    * cache_req: do not lookup views if possible
    * remove user certificate if not found on the server
    * IPA SUDO: download externalUser attribute
    * cache_req: bring together search parameters
    * cache_req: fix typo in debug message
    * cache_req: break cache_req_input_create into more functions
    * cache_req: rename debug_fqn to debugobj
    * cache_req: improve debugging
    * cache_req tests: remove unused users and groups
    * mock domain: reset ldb errors
    * cache_req tests: use leak check in test fixtures
    * cache_req tests: improve user and group creation
    * utils: return const char from dup_string_list
    * cache_req: add SID lookups
    * cache_req test: add lookup by sid
    * cache_req: hide input and pass parameters in struct
    * cache_req: rename cache_req_input to cache_req
    * cache_req: remove old comment
    * IPA SUDO: fix typo
    * IPA SUDO: support old ipasudocmd rdn
    * SUDO: be able to parse modifyTimestamp correctly
    * sudo: remove unused structure sudo_dp_request
    * sudo: use cache_req for initgroups
    * sudo: do not use tevent when parsing query
    * sudo: convert get_sudorules to tevent
    * Inform about (un)successful connection
    * Failover to next server if authentication fails
    * Remove braces from DEBUG statements
    * Rename dp_ptask to be_ptask
    * Rename dp_refresh.h to be_refresh.h
    * Rename dp_refresh.c to be_refresh.c
    * Rename dp_dyndns.h to be_dyndns.h
    * Rename dp_dyndns.c to be_dyndns.c
    * Rename dp_backend.h to backend.h
    * SBUS: Add sbus_conn_register_iface_map
    * SBUS: Add data provider errors
    * SBUS: Print debug message when handler fails
    * ERRORS: Add ERR_OFFLINE
    * ERRORS: Add ERR_TERMINATED
    * ERRORS: Add ERR_INVALID_DATA_TYPE
    * ERRORS: Add ERR_MISSING_DP_TARGET
    * sdap_search_bases: allow map to be NULL
    * sdap_search_bases: allow returning only the first reply
    * sdap ops: add support for deref
    * DP: Introduce new interface for backend
    * DP: Add callback for backward compatibility
    * DP TESTS: Mock data_provider
    * DP TESTS: Add unit tests for dp_request_table.c
    * DP: Switch to new interface
    * RESPONDER: New interface for client registration
    * DP: Move be_req_acct and remove discard_const 

Pavel Reichl (39):
    * SDAP: Relax POSIX check
    * AD: fix minor memory leak
    * IPA: fix minor memory leak
    * SDAP: fix minor memory leak
    * PROXY: fix minor memory leak
    * sss_override: amend man page - overrides do not stack
    * DYNDNS: use realm and server commands only as fallback
    * DYNDNS: improve nsupdate_msg_add_fwd()
    * intg: fix assert messages in test_memory_cache
    * HBAC: remove misleading comment about deny rules
    * sudo: remove unused param. in ldap_get_sudo_options
    * autofs: remove unused params in del_autofs_entries
    * LDAP: remove unused param. in sdap_fallback_local_user
    * PAM: remove unused parameter cdb
    * sss_override: Remove unused parameter tool_ctx
    * SDAP: optional warning - sizelimit exceeded in POSIX check
    * SDAP: allow_paging in sdap_get_generic_ext_send()
    * SDAP: change type of attrsonly in sdap_get_generic_ext_state
    * SDAP: pass params in sdap_get_and_parse_generic_send
    * sss_override: Removed overrides might be in memcache
    * sudo: remove unused param name in sdap_sudo_get_usn()
    * pam-srv-tests: split pam_test_setup() so it can be reused
    * pam-srv-tests: Add UT for cached 'online' auth.
    * intg: Add test for user and group local overrides
    * sysdb-tests: Fix warning - incompatible pointer type
    * IDMAP: Fix computing max id for slice range
    * IDMAP: New structure for domain range params
    * IDMAP: Add support for automatic adding of ranges
    * IDMAP: Fix minor memory leak
    * IDMAP: Man change for ldap_idmap_range_size option
    * NSS: Fix memory leak netgroup
    * SDAP: Add error code to debug message
    * IDMAP: Add test to validate off by one bug
    * SDAP: Add return code ERR_ACCOUNT_LOCKED
    * PAM: Pass account lockout status and display message
    * IDMAP: Add minor performance improvements
    * IDMAP: Make parameter names more descriptive
    * DP TESTS: Add unit tests for dp_request.c
    * DP TESTS: Add unit tests for dp_builtin.c 

Petr Cech (56):
    * TESTS: Fixing of uninitialized pointer.
    * HBAC: Better libhbac debugging
    * REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)
    * REFACTOR: DFL_RSP_UMASK constant in responder code
    * REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
    * REFACTOR: SCKT_RSP_UMASK constant in responder code
    * P11_CHILD_NSS: More restrictive permissions
    * UTILS: More restrictive permissions in domain_info
    * UTIL-TESTS: More restrictive permissions
    * TESTS: More restrictive permissions in debug_tests
    * TESTS: Restrictive permissions in check_and_open
    * DEBUG: Preventing chown_debug_file if journald on
    * KRB5_CHILD: More restrictive umask
    * UTIL: More restrictive umask on sss_unique_file()
    * TOOLS: DFL_UMASK --> SSS_DFL_UMASK
    * TEST: Add test_user_by_recent_filter_valid
    * TEST: Refactor of test_responder_cache_req.c
    * TEST: Refactor of test_responder_cache_req.c
    * TEST: Add common function are_values_in_array()
    * TEST: Add test_users_by_recent_filter_valid
    * TEST: Add test_group_by_recent_filter_valid
    * TEST: Refactor of test_responder_cache_req.c
    * TEST: Add test_groups_by_recent_filter_valid
    * IPA_PROVIDER: Explicit no handle of services
    * KRB5_CHILD: Debug logs for PAC timeout
    * KRB5: Adding DNS SRV lookup for krb5 provider
    * TOOLS: Fix memory leak after getline() failed
    * TOOLS: Add comments on functions in colondb
    * TEST_TOOLS_COLONDB: Add tests for sss_colondb_*
    * TESTS: global_talloc_context push/pop remove
    * NEGCACHE: Fixing typo in test_sss_ncache_gid()
    * NEGCACHE: Removing of condition for ttl = -1
    * SYSDB: Add new functions into sysdb_sudo
    * TESTS: Test of sysdb_search_sudo_rules
    * SSS_CACHE: Refactor
    * TOOL: Invalidation of sudo rules at sss_cache
    * AUTOFS: Removing of redundant debug message
    * TEST: Removing duplication of mock_rctx
    * NEGCACHE: Adding timeout to struct sss_nc_ctx
    * NEGCACHE: Removing timeout from sss_ncache_check_*
    * NEGCACHE: Adding getter for timeout
    * RESPONDER: Removing neg_timeout from pam responder
    * RESPONDER: Removing neg_timeout from pac_ctx
    * RESPONDER: Removing neg_timeout from sudo resp.
    * RESPONDER: Removing neg_timeout from ifp responder
    * RESPONDER: Removing neg_timeout from nss responder
    * RESPONDERS: Negcache in resp_ctx preparing
    * RESPONDER: Removing ncache from nss_ctx
    * RESPONDER: Removing ncache from ifp_ctx
    * RESPONDER: Removing ncache from pac_ctx
    * RESPONDER: Removing ncache from pam_ctx
    * RESPONDER: Removing ncache from sudo_ctx
    * RESPONDER: Removing of redundant function
    * AD_PROVIDER: Fix constant char *
    * RESPONDERS: Negative caching of local users
    * TEST: New tests for negative caching of locals 

Robert Antoni Buj Gelonch (1):
    * Add Catalan translation to LINGUAS 

Simo Sorce (6):
    * Krb5/PAM: Fix account lockout error handling
    * Util: Improve code to get connection credentials
    * Util: Move socket setup in a common utility file
    * Util: Set socket options and flags separately
    * Util Sockets: Tidy up connect() handling
    * Responders: Fix client destructor 

Stephen Gallagher (11):
    * LDAP: Inform about small range size
    * Monitor: Show service pings at debug level 8
    * GPO: Add Cockpit to the Remote Interactive defaults
    * GPO: Add other display managers to interactive logon
    * Netlink: Ignore RTM_NEWADDR signals from link-local
    * GPO: Add "unity" to ad_gpo_map_interactive
    * UTIL: Add secure copy function
    * Internal: Rename CONFDB_DEFAULT_CONFIG_FILE
    * CONFIG: Use default config when none provided
    * GPO: Add "polkit-1" to ad_gpo_map_allow
    * DEBUG: Add debug alias for debug_level

Sumit Bose (69):
    * PAM: only allow missing user name for certificate authentication
    * fix ldb_search usage
    * fix upn cache_req for sub-domain users
    * nss: fix UPN lookups for sub-domain users
    * DP: successful authentication sets explicitly PAM_SUCCESS
    * NSS: fix a use-after-free issue
    * pam-srv-tests: Change service name
    * cache_req: check all domains for lookups by certificate
    * IPA: fix override with the same name
    * p11: allow p11_child to run completely unprivileged
    * p11: check if cert is valid before selecting it
    * p11: enable ocsp checks
    * ldap: skip sdap_save_grpmem() if ignore_group_members is set
    * initgr: only search for primary group if it is not already cached
    * LDAP: check early for missing SID in mapping check
    * nfs idmap: fix infinite loop
    * ipa_s2n_save_objects(): use configured user and group timeout
    * Use right domain for user lookups
    * sdap_save_grpmem: determine domain by SID if possible
    * ldap: remove originalMemberOf if there is no memberOf
    * UTIL: allow to skip default options for child processes
    * DP_TASK: add be_ptask_get_timeout()
    * AD: add task to renew the machine account password if needed
    * FO: add fo_get_active_server()
    * FO: add be_fo_get_active_server_name()
    * AD: try to use current server in the renewal task
    * p11: add gnome-screensaver to list of allowed services
    * Just return NULL if tevent_req_create() fails
    * subdomains: inherit ldap_krb5_keytab
    * IPA: lookup idview name even if there is no master domain record
    * IPA: invalidate override data if original view is missing
    * sdap: improve filtering of multiple results in GC lookups
    * pam_sss: reorder pam_message array
    * SDAP: make some AD specific calls public
    * LDAP: refactor sdap_ad_tokengroups_initgr_mapping_done()
    * util: make concatenate_string_array() reusable
    * AD: process PAC during initgroups request
    * IPA: rename ipa_s2n_get_fqlist* to ipa_s2n_get_list*
    * IPA: ipa_s2n_get_list_send() allow other list types
    * IPA: resolve PAC for trusted users on IPA clients
    * PAC: only save PAC blob into the cache
    * sss_override: do not generate DN, search object
    * tools: read additional data of the master domain
    * sss_override: only add domain if name is not fully qualified
    * intg: local override for user with mixed case name
    * krb5_auth_store_creds: silence spurious debug message
    * build: move ndr_krb5pac check to the other Samba checks
    * IPA: terminate properly if view name lookup fails
    * IPA: use forest name when looking up the Global Catalog
    * libwbclient: wbcSidsToUnixIds() don't fail on errors
    * AD: use krb5_keytab for subdomain initialization
    * p11: add missing man page entry and config API
    * p11: add no_verification option
    * p11: add OCSP default responder options
    * PAM: add pam_sss option allow_missing_name
    * p11: add PKCS11_LOGIN_TOKEN_NAME environment variable
    * sysdb: add sysdb_attrs_add_base64_blob()
    * sysdb: add searches by certificate with overrides
    * cache_req: use override aware call for lookup by certificate
    * ipa: add support for certificate overrides
    * nss: include certificates in full result list
    * ipa: save cert as blob in the cache
    * AD: read user certificate if available
    * nss: return user certificate base64 encoded
    * sss_override: add certificate support
    * IPA: allow lookups by cert in sub-domains on the client
    * NSS: add SSS_NSS_GETNAMEBYCERT request
    * nss-idmap: add sss_nss_getnamebycert()
    * ssh: skip invalid certificates
