[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Freeipa-users] Announcing SSSD 1.14.1

		     === SSSD 1.14.1 ===

The SSSD team is proud to announce the release of version 1.14.1 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly.

== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:

== Highlights ==
 * The IPA provider now supports logins with enterprise principals (also
   known as additional UPN suffixes). This functionality also enabled Active
   Directory users from trusted AD domains who use an additional UPN suffix
   to log in. Please note that this feature requires a recent IPA server.
 * When a user name is overriden in an IPA domain, resolving a group these
   users are a member of now returns the overriden user names
 * Users can be looked up by and log in with their e-mail address as an
   identifier. In order to do so, an attribute that represents the user's
   e-mail address is fetched by default. This attribute can by customized
   by setting the ldap_user_email configuration option.
 * A new ad_enabled_domains option was added. This option lets the
   administrator select domains that SSSD should attempt to reach in the
   AD forest SSSD is joined to. This option is useful for deployments where
   not all domains are reachable on the network level, yet the administrator
   needs to access some trusted domains and therefore disabling the subdomains
   provider completely is not desirable.
 * The sssctl tool has two new commands active-server and servers that
   allow the administrator to observe the server that SSSD is bound to and
   the servers that SSSD autodiscovered
 * SSSD used to fail to start when an attribute name is present in both
   the default SSSD attribute map and the custom ldap_user_extra_attrs map
 * GPO policy procesing no longer fails if the gPCMachineExtensionNames
   attribute only contains whitespaces
 * Several commits fix regressions related to switching all user and group
   names to fully qualified format, such as running initgroups for a user
   who is only a member of a primary group
 * Several patches fix regressions caused by splitting the database into
   two ldb files, such as when user attributes change without increasing
   the modifyTimestamp attribute value
 * systemd unit files are now shipped for the sssd-secrets responder,
   allowing the responder to be socket-activated. To do so, administrators
   should enable the sssd-secrets.socket and sssd-secrets.service systemd
 * The sssd binary has a new switch --disable-netlink that lets sssd skip
   messages from the kernel's netlink interface.
 * A crash when entries with special characters such as '(' were requested
   was fixed
 * The ldap_rfc_2307_fallback_to_local_users option was broken in the
   previous version. This release fixes the functionality.

== Packaging Changes ==
 * The NFS ID-mapping plugin was moved to its own subpackage 

== Documentation Changes ==
 * A new option ad_enabled_domains was added
 * A new LDAP attribute mapping for e-mail addresses called ldap_user_email
   was added

== Tickets Fixed ==
    Warn if ad_server contains IP address
    Add an option to disable checking for trusted domains in the subdomains provider
    [RFE] Allow users to authenticate with alternative names
    Add support for disabling netlink use
    Handle overriden name of members in the memberUid attribute
    Support multiple principals for IPA users
    pid file name decalration is duplicated
    Improve information about krb5_keytab & ldap_krb5_keytab option in sssd man pages
    sssd fails to mark a connection as bad on searches that time out
    Detect of IPA server can handle enterprise principals
    sssd-common brings in nfs-utils
    incorrect dataExpireTimestamp setting in the timestamps cache
    fixes to the initial config schema implementation
    The sssctl tool should provide information about active and available servers
    task: Add a 1.14 upstream repo
    sssd does not work under non-root user
    DP: Don't pass empty string, but NULL to providers
    tools: sssctl config-check and sssctl cache ignore --help
    tools: make sssctl command names consistent
    Review and update SSSD's wiki pages for 1.14.1 release
    Error message "Failed to retrieve users" is sometimes misleading
    Don't print message about trust direction on clients
    remove DEBUG(SSSDBG_TRACE_INTERNAL, "Trace: ldap_result found nothing!\n");
    Missing nested groups in user groups
    SELINUX_getpeercon failed [-1][Unknown error -1].
    sssctl: Time stamps without time zone information
    sssd does not start if sub-domain user is used with simple access provider
    Wrong pam error code returned for password change in offline mode
    Access denied after activating user in 389ds
    sssd doesn't start on IPA client if IPA server VM is paused
    SSSD fails to start when ldap_user_extra_attrs contains mail
    [abrt] [faf] sssd: unknown function(): /usr/libexec/sssd/sssd_nss killed by 11
    Do not check local users with disabled local_negative_timeout
    Better error message if sssctl is ran w/o activating the IFP responder
    check return value of sysdb_search_user_by_upn()

== Detailed Changelog ==
Dan Lavu (1):
    * MAN: Update description of sssctl 

Fabiano Fidêncio (5):
    * sssctl: Use localtime for time stamps
    * RESPONDERS: Decrease debug level for failures in SELINUX_getpeercon()
    * RESPONDERS: Show a bit more info in case of SELINUX_getpeercon() failure
    * RESPONDERS: Pass errno to strerror() when SELINUX_getpeercon() fails
    * SDAP: Don't log an op failure when no users are found 

Jakub Hrozek (18):
    * Updating the version for the 1.14.1 release
    * FO: Set port to NOT_WORKING when trying a next server
    * LDAP: Fix storing initgroups for users with no supplementary groups
    * LDAP: Use FQDN when linking parent LDAP groups
    * SYSDB: Fix setting dataExpireTimestamp if sysdb is supposed to set the current time
    * PAM: Do not act on ldb_message in case of a failure
    * IPA: Check the return value of sss_parse_internal_fqname
    * SIMPLE: Do not parse names on startup
    * SIMPLE: Fail on any error parsing the access control list
    * SIMPLE: Make the DP handlers testable
    * TESTS: Use the DP handlers in simple provider tests, add more tests
    * CONFIG: full_name_format is an allowed option for all domains
    * CONFIG: re_expression is an allowed option for all domains
    * SPEC: Own the secrets DB path
    * UTIL: Use sss_atomic_read_s in generate_csprng_buffer
    * SECRETS: Use sss_atomic_read/write for better readability
    * BUILD: Ship systemd service file for sssd-secrets
    * Updating the translations for the 1.14.1 release 

Justin Stephenson (4):
    * Make resolv_is_address() function public and create some basic tests
    * Warn if IP address is used as option for ipa_server/ad_server
    * Monitor: Add support for disabling netlink
    * SSSCTL: More helpful error message when InfoPipe? is disabled 

Lukas Slebodnik (37):
    * sssctl: Fix error handling after memory allocation failure
    * sssctl: Fix format string for size_t
    * doxygen: Fix path to header file ipa_hbac.h
    * ipa_hbac: Fix documentation for hbac_enable_debug
    * sssctl: Fix warning maybe-uninitialized
    * nss-srv-tests: Fix prototype of wrapped ncache functions
    * TOOLS: Prevent dereference of null pointer
    * sysdb-tests: Fix cast from pointer to integer
    * SPEC: Move nfsidmap plugin to separate package
    * test_utils: Clean files after sss_write_krb5_conf_snippet
    * CI: Use /bin/sh as a CONFIG SHELL
    * SECRETS: Log message for failures with removing file
    * Amend debug messages after failure of unlink
    * SYSDB: Do not try to modify ts cache for unsupported DNs
    * SDAP: sanitize member name before using in filter
    * SDAP: sysdb_search_users does not set users_count for failures
    * SYSDB: Sanitize dn in sysdb_get_user_members_recursively
    * LDAP: Fix Dereference after NULL check
    * NSS: Do not check local users with disabled local_negative_timeout
    * config_schema: Add ldap_user_email to schema
    * intg: Make location of sssd nss module configurable
    * intg: Allow to test netgroups
    * NSS: Use correct name for invalidating memory cache
    * SYSDB: Avoid optimisation with modifyTimestamp for users
    * dyndns-tests: Fix false positive failures
    * LDAP: Log autofs rfc2307 config changes only with enabled responder
    * DP: Add log message for get account info
    * ds.py: Do not call teardown in destructor
    * test_local_domain: Restore correct env variable
    * intg: rename test with enumeration
    * test_enumeration: Remove test without enumeration
    * intg: create ldap test without enumeration
    * sssd_id.py: Primary group should be returned for initgroups
    * intg: Fix pep8 warnings
    * test_ldap: test nested membership with rfc2307bis
    * test_ldap: test resolving of names with special characters
    * intg: Test extra attributes duplicate 

Michal Židek (13):
    * sssctl: config-check access check report
    * config: override_space is monitor's option
    * config: Fix user_attributes
    * config: Allow timeout for all sevices
    * config: Add config_file_version to schema
    * dyndns: Add checks for NULL
    * sdap: Fix ldap_rfc_2307_fallback_to_local_users
    * sss_ini: Change debug level of config error msgs
    * sssctl: Consistent commands naming
    * tools: Add missing gettext macro
    * sssctl: Generic help for cache-upgrade and config-check
    * gpo: gPCMachineExtensionNames with just whitespaces
    * sdap: Skip exact duplicates when extending maps 

Pavel Březina (17):
    * sssctl: move filter creation to separate function
    * sssctl: improve readability of a condition
    * DP: rename be_acct_req to dp_id_data
    * DP: Initialize D-Bus as soon as possible
    * utils: add remove_subtree
    * sssctl: use internal API to remove files
    * rdp: add ability to forward reply to the client request
    * sbus: add sbus_request_reply_error()
    * sbus: add utility function to simplify message and reply handling
    * sssctl: use talloc with sifp
    * failover: mark subdomain service with sd_ prefix
    * sssctl: print active server and server list
    * sifp: fix coverity warning
    * sbus: allow freeing msg through dbus api when using talloc
    * PROXY: Do not abuse data provider interface
    * DP: Remove old data provider interface
    * NSS: Remove unused functions 

Petr Cech (18):
    * SYSDB: Fixing DB update
    * PROVIDERS: Setting right {u,g}id if unprivileged
    * SYSDB: Removing of duplication of sysdb_ts_cache_attrs
    * test_utils: Fixing assignment discards 'const' qualifier
    * LDAP: Changing of confusing debug message
    * IPA: Changing of confusing debug message
    * Revert "LDAP: Lookup services by all protocols unless a protocol is specified"
    * PROVIDER: Conversion empty string from D-Bus to NULL
    * LDAP: Fixing wrong pam error code for passwd
    * UTILS: Fixing duplication of pid file declaration
    * AD_PROVIDER: Add ad_enabled_domains option
    * AD_PROVIDER: Initializing of ad_enabled_domains
    * AD_PROVIDER: ad_enabled_domains - only master
    * AD_PROVIDER: ad_enabled_domains - other then master
    * TESTS: Adding tests for ad_enabled_domains option
    * LDAP: Adding support for SIGTERM signal
    * LDAP: Adding SIGTERM signal before SIGKILL
    * LDAP: Adding SIGCHLD callback 

Sumit Bose (33):
    * views: allow override added for non-default views at runtime
    * IPA: read ipaNTAdditionalSuffixes for master and trusted domains
    * sysdb: add UPN suffix support for the master domain
    * sysdb: make subdomain calls aware of upn_suffixes
    * DP: add dp_get_module_data()
    * IPA: add ipa_init_get_krb5_auth_ctx()
    * IPA: enable enterprise principals if server supports them
    * IPA: fix [capaths] output
    * UTIL: make domain mapping content testable
    * tests: add tests for sss_get_domain_mappings_content()
    * AD: avoid memory leak in netlogon_get_domain_info() and make it public
    * AD: netlogon_get_domain_info() allow missing arguments and empty results
    * tests: add tests for netlogon_get_domain_info
    * AD: replace ad_get_client_site_parse_ndr() with netlogon_get_domain_info()
    * sysdb_master_domain_add_info: properly set do_update
    * IPA: make ipa_resolve_user_list_{send|recv} public and allow AD users
    * IPA: expand ghost members of AD groups in server-mode
    * sysdb: add sysdb_get_user_members_recursively()
    * views: properly override group member names
    * IPA: fix lookup by UPN for subdomains
    * LDAP: allow multiple user principals
    * LDAP: new attribute option ldap_user_email
    * sysdb: include email in UPN searches
    * LDAP: include email in UPN searches
    * NSS: add user email to fill_orig()
    * utils: add is_email_from_domain()
    * LDAP/IPA: add local email address to aliases
    * NSS: continue with UPN/email search if name was not found
    * PAM: continue with UPN/email search if name was not found
    * NSS: use different neg cache name for UPN searches
    * PAM: Fix domain for UPN based lookups
    * SDAP: add special handling for IPA Kerberos enterprise principal strings
    * SDAP: add enterprise principal strings for user searches 

Thorsten Scherf (1):
    * Fixed some typos in man pages 

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]