[Freeipa-users] Announcing SSSD 1.13.0 Alpha

Jakub Hrozek jhrozek at redhat.com
Mon Jul 6 20:57:15 UTC 2015


                    === SSSD 1.13.0 ===

The SSSD team is proud to announce the release of version 1.13.0 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* Support for separate prompts when using two-factor authentication was added.
* Added support for one-way trusts between an IPA and Active Directory
  environment. Please note that this SSSD functionality depends on IPA code
  that is not released at the moment.
* The fast memory cache now also supports the initgroups operation.
* The PAM responder is now capable of caching authentication for a configurable
  period, which might reduce server load in cases where accounts authenticate
  very frequently. Please refer to the cached_auth_timeout option in the
  sssd.conf manual page.
* The Active Directory provider has changed the default value of the
  ad_gpo_access_control option from permissive to enforcing. As a consequence,
  the GPO access control now affects all clients that set access_provider to
  ad. In order to restore the previous behaviour, set ad_gpo_access_control
  to permissive or use a different access_provider type.
* Group Policy objects defined in a different AD domain than the one the
  computer object is defined in are now supported.
* Credential caching and offline authentication are also available when
  using two-factor authentication.
* Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users
  and groups are now exposed as first-class objects. The users and groups
  can also be marked as cached and will subsequently show up in the
  Introspection output.
* The D-Bus interface is now also able to look up User objects by
  certificate. This is the first part of work that will eventually allow
  smart-card authentication in SSSD.
* The LDAP cleanup task is now disabled by default, unless enumeration is
  enabled. Please refer to the ldap_purge_cache_timeout option in case your
  environment requires the cleanup task.
* The Python bindings are now built for both Python2 and Python3.
* The LDAP bind timeout, StartTLS timeout and password change timeout are
  now configurable using the ldap_opt_timeout option.

== Packaging Changes ==

* A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa
  subpackage. The SSSD stores keytabs for one-way trust relationships in
  this directory. Downstreams should make sure that the directory is only
  readable to the user who runs the SSSD service.
* Several packaging changes are present in this release to support the
  Python3 bindings; notably, new python-sss and python-sss-murmur subpackages
  are introduced in upstream RPM packaging.
* All Python bindings now have a Python3 and a Python2 version in the
  upstream RPM packaging scheme.
* The OpenSSL development library (openssl-devel on RHEL/Fedora, libssl-dev
  on Debian/Ubuntu) is now required to support certificate operations.
* A new internal library libsss_cert.so is present in this release.
* The fast initgroups memcache is represented by a new file
  /var/lib/sss/mc/initgroups

== Documentation Changes ==

* The ad_gpo_access_control option default has changed from permissive
  to enforcing.
* The default value of ldap_purge_cache_timeout changed to 0, thus
  effectively disabling the cleanup task.
* A new option cache_credentials_minimal_first_factor_length was added. This
  option sets constraints on the password length if one-time passwords
  are used and credentials are to be cached. Please see the sssd.conf(5)
  man page for more details.
* The cached authentication is controlled by the new option
  cached_auth_timeout. By default the cached authentication is disabled.
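The Highlights and Documentation Changes above list several options whose defaults or behaviour change with this release. The following added example (not part of the announcement or of the SSSD code base) audits a constructed sssd.conf for those settings, flagging AD domains that silently pick up the new enforcing GPO default or that weaken it, domains with cached authentication enabled, and short cached first factors; the option sections and the default of 8 for cache_credentials_minimal_first_factor_length are assumptions taken from sssd.conf(5).

```python
"""Audit an sssd.conf for the settings whose defaults changed in SSSD 1.13.0."""
import configparser

# Constructed sample config for the demo (not taken from the announcement):
# one AD-backed domain that relied on the old permissive GPO default and
# enabled cached authentication, one that weakens the new defaults explicitly.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = corp.example.com, lab.example.com

[domain/corp.example.com]
id_provider = ad
access_provider = ad
cached_auth_timeout = 3600

[domain/lab.example.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = permissive
cache_credentials = True
cache_credentials_minimal_first_factor_length = 4
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; keep option names case-sensitive, no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_sssd_conf(text):
    """Return (section, option, note) tuples for each domain setting worth review."""
    cp = parse_sssd_conf(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("access_provider") == "ad":
            gpo = dom.get("ad_gpo_access_control")
            if gpo is None:
                findings.append((section, "ad_gpo_access_control",
                                 "unset: default is now enforcing, GPO denials will block logins"))
            elif gpo.lower() == "permissive":
                findings.append((section, "ad_gpo_access_control",
                                 "permissive: GPO denials are only logged, not enforced"))
        # cached_auth_timeout is in seconds; 0 (the default) disables cached auth.
        timeout = dom.getint("cached_auth_timeout", fallback=0)
        if timeout > 0:
            findings.append((section, "cached_auth_timeout",
                             "%ds: PAM answers from cache without contacting the server" % timeout))
        # Assumed default of 8 for the minimal first-factor length (sssd.conf(5)).
        if dom.getboolean("cache_credentials", fallback=False):
            minlen = dom.getint("cache_credentials_minimal_first_factor_length", fallback=8)
            if minlen < 8:
                findings.append((section, "cache_credentials_minimal_first_factor_length",
                                 "%d: short first factors would be cached for 2FA users" % minlen))
    return findings


if __name__ == "__main__":
    for section, option, note in audit_sssd_conf(SAMPLE_CONF):
        print("%s: %s = %s" % (section, option, note))
```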

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/897
    sssd should pass -d to nsupdate when running with high log level
https://fedorahosted.org/sssd/ticket/1501
    Make the LDAP bind operation timeout configurable
https://fedorahosted.org/sssd/ticket/2150
    [RFE] Expose listing calls over D-BUS
https://fedorahosted.org/sssd/ticket/2224
    nsupdate stderr is not captured
https://fedorahosted.org/sssd/ticket/2236
    The cleanup task has no DEBUG statements
https://fedorahosted.org/sssd/ticket/2326
    SBUS: Flush the UID cache when we receive NameOwnerChanged
https://fedorahosted.org/sssd/ticket/2338
    [RFE] Implement object caching on the bus
https://fedorahosted.org/sssd/ticket/2339
    IFP: support multiple interfaces for object
https://fedorahosted.org/sssd/ticket/2540
    SSSD does not update Dynamic DNS records if the IPA domain differs
    from machine hostname's domain
https://fedorahosted.org/sssd/ticket/2569
    In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA
    users are not able to log in unless use_fully_qualified_names is set
https://fedorahosted.org/sssd/ticket/2574
    SSSD should be able to build python2 and python3 bindings in one build
https://fedorahosted.org/sssd/ticket/2583
    [RFE] Homedir is always overwritten with subdomain_homedir value in
    server mode
https://fedorahosted.org/sssd/ticket/2593
    Does sssd-ad use the most suitable attribute for group name?
https://fedorahosted.org/sssd/ticket/2603
    Make SSSD's HBAC validation more permissive if deny rules are not used
https://fedorahosted.org/sssd/ticket/2609
    [bug] sssd always appends default_domain_suffix when checking for host keys
https://fedorahosted.org/sssd/ticket/2618
    Man sssd-ad(5) lists Group Policy Management Editor naming for some
    policies but not for all
https://fedorahosted.org/sssd/ticket/2620
    id_provider=proxy with auth_provider=ldap does not work reliably
https://fedorahosted.org/sssd/ticket/2625
    Sudo responder does not respect filter_users and filter_groups
https://fedorahosted.org/sssd/ticket/2627
    Disable the cleanup task by default
https://fedorahosted.org/sssd/ticket/2636
    RFE: Fetch keytabs for one-way trusts in IPA subdomain code
https://fedorahosted.org/sssd/ticket/2638
    RFE: Change ad_id_ctx instantiation in the IPA subdomain code to
    support one-way trusts
https://fedorahosted.org/sssd/ticket/2645
    [RFE] Support GPOs from different domain controllers
https://fedorahosted.org/sssd/ticket/2661
    RFE: Change AD GPO default to enforcing
https://fedorahosted.org/sssd/ticket/2666
    sssd with ldap backend throws error domain log
https://fedorahosted.org/sssd/ticket/1807
    [RFE] authenticate against cache in SSSD
https://fedorahosted.org/sssd/ticket/2485
    [RFE] The fast memory cache should cache initgroups
https://fedorahosted.org/sssd/ticket/2590
    SSSD doesn't re-read resolv.conf if the file doesn't exist during boot
https://fedorahosted.org/sssd/ticket/2641
    Add an IS_DEFAULT_VIEW macro
https://fedorahosted.org/sssd/ticket/2701
    Kerberos-based providers other than krb5 do not queue requests

== Detailed Changelog ==

Jakub Hrozek (73):
    * MAN: Fix a typo
    * SYSDB: Reduce code duplication in sysdb_gpo.c
    * UTIL: Make two child_common.c functions static
    * TESTS: Cover child_common.c with unit tests
    * LDAP: Use child_io_destructor instead of child_cleanup in a custom destructor
    * UTIL: Remove child_cleanup
    * UTIL: Unify the fd_nonblocking implementation
    * RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
    * PAM: print the pam status as string, too
    * KRB5: More debugging for create_ccache()
    * SDAP: Make simple bind timeout configurable
    * SDAP: Make password change timeout configurable with ldap_opt_timeout
    * SDAP: Make StartTLS bind configurable with ldap_opt_timeout
    * SDAP: Decorate the sdap_op functions with DEBUG messages
    * IPA: Remove the ipa_hbac_treat_deny_as option
    * MAN: Clarify debug_level a bit
    * SSH: Ignore the default_domain_suffix
    * LDAP: Set sdap handle as explicitly connected in LDAP auth
    * tests: Revert strcmp condition
    * ncache: Fix sss_ncache_reset_permanent
    * ncache: Silence critical error from filter_users when default_domain_suffix is set
    * ncache: Add sss_ncache_reset_repopulate_permanent
    * responders: reset ncache after domains are discovered during startup
    * NSS: Reset negcache after checking domains
    * MAN: Clarify how are GPO mappings called in GPO editor
    * UTIL: Add a simple function to get the fd of debug_file
    * dyndns: Log nsupdate stderr with a high debug level
    * nsupdate: Append -d/-D to nsupdate with a high debug level
    * subdom: Remove unused function get_flat_name_from_subdomain_name
    * nss: Use negcache for getbysid requests
    * tests: Add NSS responder tests for bysid requests
    * LDAP: disable the cleanup task by default
    * TESTS: Use the right testcase
    * TESTS: Add test for get_next_domain
    * LDAP: Do not print verbose DEBUG messages from providers that don't set UUID
    * SYSDB: Store trust direction for subdomains
    * UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
    * TESTS: Add a test for sysdb_subdomains.c
    * SYSDB: Add realm to sysdb_master_domain_add_info
    * SYSDB: Add a forest root attribute to sss_domain_info
    * IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
    * IPA: Check master domain record before subdomain records
    * IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
    * IPA: Also update master domain when initializing subdom handler
    * IPA: Move server-mode functions to a separate module
    * IPA: Split two functions to new module ipa_subdomains_utils.c
    * IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
    * IPA: Read forest name for trusted forest roots as well
    * IPA: Make constructing an IPA server mode context async
    * TESTS: Split off keytab creation into a common module
    * TESTS: Add a common mock_be_ctx function
    * TESTS: Add a common function to set up sdap_id_ctx
    * TESTS: Move krb5_try_kdcip to nested group test
    * TESTS: Add unit test for the subdomain_server.c module
    * IPA: Fetch keytab for 1way trusts
    * AD: Rename ad_set_ad_id_options to ad_set_sdap_options
    * AD: Rename ad_create_default_options to ad_create_2way_trust_options
    * AD: Split off ad_create_default_options
    * IPA/AD: Set up AD domain in ad_create_2way_trust_options
    * IPA: Do not set AD_KRB5_REALM twice
    * AD: Add ad_create_1way_trust_options
    * IPA: Utility function for setting up one-way trust context
    * LDAP: Do not set keytab through environment variable
    * LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
    * CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss
    * BUILD: Store keytabs in /var/lib/sss/keytabs
    * Updating the translations for the 1.13 Alpha release
    * Updating the version.m4 file for the 1.13 Beta release
    * tests: Reduce duplication with new function test_ev_done
    * KRB5: Add and use krb5_auth_queue_send to queue requests by default
    * PAM: Only cache first-factor
    * Updating the translations for the 1.13.0 release
    * Updating the version for the 1.13.0 release 

John Dickerson (1):
    * MAN: Amend the description of ignore_group_members 

Lukas Slebodnik (67):
    * MAN: Remove indentation in element programlistening
    * Fix warning: for loop has empty body
    * Bump version to track 1.13 development
    * SPEC: Use libnl3 for epel6
    * MAKE: Don't include autoconf generated file to tarball
    * TESTS: Mock return value of sdap_get_generic_recv
    * test_nested_groups: Additional unit tests
    * Fix warning: equality comparison with extraneous parentheses
    * LDAP: Conditional jump depends on uninitialised value
    * BUILD: Remove unused libraries for pysss.so
    * BUILD: Remove unused variables
    * BUILD: Remove detection of type Py_ssize_t
    * UTIL: Remove python wrapper sss_python_set_new
    * UTIL: Remove python wrapper sss_python_set_add
    * UTIL: Remove python wrapper sss_python_set_check
    * UTIL: Remove compatibility macro PyModule_AddIntMacro
    * UTIL: Remove python wrapper sss_python_unicode_from_string
    * BUILD: Use python-config for detection *FLAGS
    * SPEC: Use new convention for python packages
    * SPEC: Move python bindings to separate packages
    * BUILD: Add possibility to build python{2,3} bindings
    * TESTS: Run python tests with all supported python versions
    * SPEC: Replace python_ macros with python2_
    * SPEC: Build python3 bindings on available platforms
    * BUILD: Uninstall also symbolic links to python bindings
    * Remove unused argument from be_nsupdate_create_fwd_msg
    * IPA: Remove unused argument from ipa_id_get_group_uuids
    * Remove useless assignment to function parameter
    * PAC: Fix memory leak
    * responder_cache: Fix warning may be used uninitialized
    * debug-tests: Fix test with new line in debug message
    * BUILD: Add missing header file to tarball
    * pam_client: fix casting to const pointer
    * test_expire: Use right assertion macro for standard functions
    * test_ldap_auth: Use right assertion for integer comparison
    * test_resolv_fake: Fix alignment warning
    * PAC: Remove unused function
    * KRB5: Unify prototype and definition
    * util-tests: Initialize boolean variable to default value
    * SPEC: Drop workaround for old libtool
    * SPEC: Drop workarounds for old rpmbuild
    * SPEC: Remove unused option
    * SPEC: Few cosmetic changes
    * simple_access-tests: Simplify assertion
    * sysdb-tests: Add missing assertions
    * sysdb-tests: test return value before output arguments
    * ad_opts: Use different default attribute for group name
    * BUILD: Write hints about optional python bindings
    * sss_client: Fix mixed enums
    * LDAP: Remove dead assignment
    * sss_client: Fix warning "_" redefined
    * SSSDConfigTest: Use unique temporary directory
    * util-tests: Add validation of internal error messages
    * SDAP: Check return value before using output arguments
    * SDAP: Log failure from sysdb_handle_original_uuid
    * test_ipa_subdomains_server: Run clean-up after success
    * IFP: Fix warnings with enabled optimisation
    * SDAP: Remove user from cache for missing user in LDAP
    * test_ipa_subdom_server: Add missing assert
    * test_ipa_subdomains_server: Fix build with --coverage
    * nss: Store entries in responder to initgr mmap cache
    * mmap_cache: Invalidate entry in right memory cache
    * nss: Invalidate entry in initgr mmap cache
    * sss_client: Use initgr mmap cache in client code
    * sss_cache: Clear also initgroups fast cache
    * sss_client: Use unique lock for memory cache
    * sss_client: Re-check memcache after acquiring the lock 

Michal Zidek (5):
    * Use FQDN if default domain was set
    * MAN: default_domain_suffix with use_fully_qualified_names.
    * views: Add is_default_view helper function
    * MONITOR: Poll for resolv.conf if not available during boot
    * MONITOR: Do not report missing file as fatal in monitor_config_file 

Nikolai Kondrashov (3):
    * BUILD: Add AM_PYTHON2_MODULE macro
    * Add integration tests
    * BUILD: Fix variable substitution in cwrap.m4 

Pavel Březina (53):
    * tests: refactor create_dom_test_ctx()
    * tests: add create_multidom_test_ctx()
    * tests: add test_multidom_suite_cleanup()
    * tests: remove code duplication in single domain cleanup
    * responders: new interface for cache request
    * responders: enable views in cache request
    * IFP: use new cache interface
    * server-tests: use strtouint32 instead strtol
    * sbus: add new iface via sbus_conn_register_iface()
    * sbus: move iface and object path code to separate file
    * sbus: use 'path/*' to represent a D-Bus fallback
    * sbus: support multiple interfaces on single path
    * sbus: add object path to sbus request
    * sbus: add sbus_opath_hash_lookup_supported()
    * sbus: support org.freedesktop.DBus.Introspectable
    * sbus: support org.freedesktop.DBus.Properties
    * sbus: unify naming of handler data variable
    * sbus: move common opath functions from ifp to sbus code
    * sbus: add sbus_opath_get_object_name()
    * ifp: fix potential memory leak in check_and_get_component_from_path()
    * sbus: use hard coded getters instead of generated
    * sbus: remove unused 'reply as' functions
    * IFP: move interface definitions from ifpsrv.c into separate file
    * IFP: unify generated interfaces names
    * sbus codegen: do not prefix getters with iface name
    * IFP: simplify object path constant names
    * sbus: add constant to represent subtree
    * be_refresh: get rid of callback pointers
    * sysdb: use sysdb_user/group_dn
    * cache_req tests: rename test_user to test_user_by_name
    * cache_req tests: define user name constant
    * cache_req: preparations for different input type
    * cache_req: add support for user by uid
    * cache_req: add support for group by name
    * cache_req: remove default branch from switches
    * cache_req: add support for group by id
    * cmocka: include mock_parse_inp in header file
    * cache_req: parse input name if needed
    * cache_req: return ERR_INTERNAL if more than one entry is found
    * sbus: provide custom error names
    * sbus: add sbus_opath_decompose[_exact]
    * sbus: add a{sas} get invoker
    * IFP: add org.freedesktop.sssd.infopipe.Users
    * IFP: add org.freedesktop.sssd.infopipe.Users.User
    * IFP: add org.freedesktop.sssd.infopipe.Groups
    * IFP: add org.freedesktop.sssd.infopipe.Groups.Group
    * IFP: deprecate GetUserAttr
    * IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
    * SBUS: Use default GetAll invoker if none is set
    * SBUS: Add support for <node /> in introspection
    * IFP: Export nodes
    * sbus: add support for incoming signals
    * sbus: listen to NameOwnerChanged

Pavel Reichl (20):
    * add missing '\n' in debug messages
    * PROXY: add missing space in debug message
    * BUILD: fix chmake not to generate warning
    * SDAP: log expired accounts at lower severity level
    * KRB5: add debug hint
    * TESTS: test expiration
    * ldap: refactor check_pwexpire_kerberos to use util func
    * ldap: refactor nds_check_expired to use util func
    * Fix a few typos in comments
    * sbus: sbus_opath_hash_add_iface free tmp talloc ctx
    * krb5: remove field run_as_user
    * localauth plugin: fix coverity warning
    * dyndns: remove dupl declaration of ipa_dyndns_update
    * dyndns: don't pass zone directive to nsupdate
    * dyndns: ipa_dyndns.h missed declaration of used data
    * krb: remove duplicate decl. of write_krb5info_file
    * IPA: Don't override homedir with subdomain_homedir
    * sysdb: new attribute lastOnlineAuthWithCurrentToken
    * PAM: authenticate against cache
    * Minor code improvements 

Stephen Gallagher (5):
    * LDAP: Support returning referral information
    * AD GPO: Support processing referrals
    * AD GPO: Change default to "enforcing"
    * Add Vagrant configuration for SSSD
    * GPO: Fix incorrect strerror on GPO access denial 

Sumit Bose (22):
    * Add leak check and command line option to test_authtok
    * utils: add sss_authtok_[gs]et_2fa
    * pam: handle 2FA authentication token in the responder
    * Add pre-auth request
    * krb5-child: add preauth and split 2fa token support
    * IPA: create preauth indicator file at startup
    * pam_sss: add pre-auth and 2fa support
    * Add cache_credentials_minimal_first_factor_length config option
    * sysdb: add sysdb_cache_password_ex()
    * krb5: save hash of the first authentication factor to the cache
    * krb5: try delayed online authentication only for single factor auth
    * 2FA offline auth
    * pam_sss: move message encoding into separate file
    * PAM: add PAM responder unit test
    * adding ldap_user_auth_type where missing
    * LDAP: add ldap_user_certificate option
    * certs: add PEM/DER conversion utilities
    * sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
    * LDAP/IPA: add user lookup by certificate
    * ncache: add calls for certificate based searches
    * utils: add get_last_x_chars()
    * IFP: add FindByCertificate method for User objects
