Ok, I have a bit of egg on my face here. I accidentally pushed a patch related to the Kerberos DIR cache support that had a debugging "#if 0" left in it. Because of this, DIR cache support is actually non-functional in 1.9.0 beta 2. I'm attaching a patch to fix this to this email (already pushed upstream) so anyone who wants to build beta 2 to try out the DIR cache support must apply this patch for it to work.
We decided not to reroll the beta for this one patch, since beta 3 is being released on Friday anyway.

On Fri, 2012-06-15 at 15:22 -0400, Stephen Gallagher wrote:
> The SSSD team is proud to announce the second beta of our upcoming 1.9.0
> release. We have revised our beta plan and will be having five betas
> instead of three as originally communicated. Originally, the plan was to
> have our next beta be the final one, at the end of July. We now have the
> following schedule:
>
> Beta 3 will be released next Friday (Jun 22nd) or the following Monday
> and contain enhancements necessary to support Kerberos cross-realm
> trusts with FreeIPA, a server-side piece of which will be released a few
> days after.
>
> Beta 4 will be released on July 10th and include a new AD provider
> (wrapping the intricacies of setting up AD, configuring LDAP attributes
> and Kerberos realm into a simpler set of configuration options)
>
> Beta 5 will be released on July 31st and will contain a new tool for
> "seeding" accounts with a temporary password for sending machines to
> remotees as well as introducing a concept of primary vs. secondary
> servers.
>
> After Beta 5, no new features will be added to SSSD 1.9.0 and we will
> focus on stability and our backlog of bugfixes until the final release
> around September 1st. We will most likely issue a series of release
> candidate builds prior to that, but these have not yet been scheduled.
>
> As always, you can download the latest sources at
> https://fedorahosted.org/sssd/
>
>
> == Highlights ==
> * Add support for the Kerberos DIR cache for storing multiple TGTs
>   automatically
> * Major performance enhancement when storing large groups in the cache
> * Major performance enhancement when performing initgroups() against
>   Active Directory
> * SSSDConfig data file default locations can now be set during
>   configure for easier packaging
>
> == Tickets Fixed ==
> https://fedorahosted.org/sssd/ticket/974
> [RFE] Support DIR: credential caches for multiple TGT support
>
> https://fedorahosted.org/sssd/ticket/984
> RFE: sssd should support Netscape LDAP password expiration controls
>
> https://fedorahosted.org/sssd/ticket/1213
> Warn to syslog when dereference requests fail
>
> https://fedorahosted.org/sssd/ticket/1240
> sudo: contact data provider only once
>
> https://fedorahosted.org/sssd/ticket/1255
> RFE: change the way we deal with fake users
>
> https://fedorahosted.org/sssd/ticket/1256
> Document the expectations about ghost users showing in the lookups
>
> https://fedorahosted.org/sssd/ticket/1330
> Potential NULL dereference in sss_krb5_read_etypes_for_keytab
>
> https://fedorahosted.org/sssd/ticket/1336
> Please only use named parameters in translatable strings
>
> https://fedorahosted.org/sssd/ticket/1337
> Minor typos in SSSD messages and man pages
>
> https://fedorahosted.org/sssd/ticket/1346
> in-memory cache causes nss to segfault if it cannot be initialized
> properly
>
> https://fedorahosted.org/sssd/ticket/1367
> Optimize AD memberOf lookups with LDAP_MATCHING_RULE_IN_CHAIN
>
> == Detailed Changelog ==
> Ariel Barria (3):
> * Potential NULL dereference in proxy provider
> * Warn to syslog when dereference requests fail
> * Clarify how comments work in sssd.conf
>
> Jakub Hrozek (20):
> * NSS: keep a pointer to body after body is reallocated
> * Use sized_string correctly in FQDN domains
> * Use the sysdb attribute name, not LDAP attribute name
> * LDAP nested groups: Do not process callback with _post deep in the
>   nested structure
> * Send 16bit protocol numbers from the sss_client
> * Revert the client packet length, too, after reverting the packet
>   protocol
> * Fix the default sssd.conf path
> * Fix the 0.11 sysdb upgrade
> * sss_names_init: Report correct error code if allocation failed
> * Two small krb5_child fixes
> * Provide more debugging in krb5_child and ldap_child
> * Allow redefining the KRB5_CHILD path
> * Split parse_krb5_child_response so it can be reused
> * Add a krb5_child test tool
> * Residual util functions
> * Handle trailing slash in the ccname template
> * Add a credential cache back end structure
> * Add support for storing credential caches in the DIR: back end
> * Use Kerberos context in KRB5_DEBUG
> * Make krb5_ccname_template and krb5_ccachedir configurable
>
> Jan Cholasta (3):
> * SSH: Update sss_ssh_knownhostsproxy manual page
> * SSH: Supress error message output in sss_ssh_knownhostsproxy
> * SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS
>   records are missing
>
> Jan Zeleny (20):
> * Fixed two minor memory leaks
> * Fixed issue in SELinux user maps
> * Ghost members - add the ghost attribute to sysdb
> * Ghost members - support in LDAP provider
> * Ghost members - support in proxy provider
> * Ghost members - modifications in sysdb
> * Ghost members - modifications in memberof plugin
> * Ghost members - sysdb upgrade routine
> * Ghost members - NSS responder changes
> * Ghost members - removed sdap_check_aliases()
> * Ghost members - modified sss_groupshow
> * Ghost members - various small changes
> * Add support for filtering atributes
> * Utilize attribute exclusion in LDAP initgroups
> * Fixed setting of debug level in test suite
> * IPA subdomains - ask for information about master domain
> * Allow fast memcache timeout to be configurable
> * Fix an issue in ghost users
> * Provide "service filter" for SELinux context
> * Fixed debug message in sdap_save_group()
>
> Joshua Roys (1):
> * Simple implementation of Netscape password warning expiration control
>
> Nick Guay (1):
> * added DEBUG messages to krb5_child and ldap_child
>
> Stef Walter (1):
> * Make re_expression and full_name_format per domain options
>
> Stephen Gallagher (27):
> * Bumping version ton 1.8.92 for beta 2 development
> * RPM: Allow running 'make rpms' on RHEL 5 machines
> * NSS: Expire in-memory netgroup cache before the nowait timeout
> * Always use positional arguments in translatable strings
> * KRB5: Avoid NULL-dereference with empty keytab
> * Update translation sources
> * NSS: Fix segfault when mmap cache cannot be initialized
> * NSS: Restore original protocol for getservbyport
> * SSSDConfig: Make SSSDConfig a package
> * SSSDConfig: Make default config and schema file locations
>   configurable
> * PAM: Better pam_reply message
> * SYSDB: Reduce noise level of debug messages in lookups
> * LDAP: Remove redundant check
> * LDAP: Fix incorrect switch statement in sdap_get_initgr_done()
> * LDAP: Add helper function to get list of a user's groups from sysdb
> * LDAP: Make sdap_initgr_common_store() non-static
> * LDAP: Add ldap_*_use_matching_rule_in_chain options
> * LDAP: Add support for AD chain matching extension in group lookups
> * LDAP: Add support for AD chain matching extension in initgroups
> * LDAP: Auto-detect support for the ldap match rule
> * LDAP: Fix missing variable in debug message
> * SSS_CLIENT: Fix uninitialized value error
> * Fix compilation on older little-endian systems
> * KRB5: Update DEBUG macros for create_ccache_dir and
>   find_ccdir_parent_data
> * KRB5: Auto-detect DIR cache support in configure
> * KRB5: Avoid shadowing dirname
> * Updating translations for 1.9.0 beta 2 release
>
> Sumit Bose (4):
> * Rename struct dom_sid to struct sss_dom_sid
> * Fix libsss_hbac library version
> * sss_idmap: add support for samba struct dom_sid
> * sss_idmap: fix typo which prevents sub auth larger then 2^31
>
> Yuri Chornoivan (1):
> * Fix typos in message and man pages.
>
> _______________________________________________
> sssd-devel mailing list
> sssd-de...@lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel

From 6adec5daccb1b942c9bb284df11792f50c564ee2 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <sgall...@redhat.com> Date: Mon, 18 Jun 2012 10:04:11 -0400 Subject: [PATCH] Fix typo breaking DIR cache detection --- src/util/sss_krb5.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h index 4f2e67a7ff41e11bb2e6273196a74aecca626d3e..d56b3bdd53f6ff15cd0ac027e248c96d0775cded 100644 --- a/src/util/sss_krb5.h +++ b/src/util/sss_krb5.h @@ -41,11 +41,9 @@ #define KERBEROS_PWEXPIRE_WARNING_TIME (7 * 24 * 60 * 60) #define KEYTAB_CLEAN_NAME keytab_name ? keytab_name : "default" -#if 0 #if defined HAVE_KRB5_CC_CACHE_MATCH && defined HAVE_KRB5_CC_GET_FULL_NAME #define HAVE_KRB5_DIRCACHE 1 #endif -#endif const char * KRB5_CALLCONV sss_krb5_get_error_message (krb5_context, krb5_error_code); -- 1.7.10.2
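
Review bot: The subject line should say what actually broke. The two lines deleted in the src/util/sss_krb5.h hunk are a leftover "#if 0" / "#endif" pair around the HAVE_KRB5_DIRCACHE block, not a typo, and while they were in place HAVE_KRB5_DIRCACHE was never defined even when both HAVE_KRB5_CC_CACHE_MATCH and HAVE_KRB5_CC_GET_FULL_NAME were detected. The commit also has no body, so a sentence stating that DIR cache support was compiled out would help anyone bisecting later. Since nothing in the build signals when this define is missing, consider having configure report whether DIR cache support ended up enabled, or adding a test that expects HAVE_KRB5_DIRCACHE whenever both functions are found.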