The SSSD team is proud to announce the last preview release of version
1.9 of the System Security Services Daemon.

After this beta, no new features will be added to SSSD 1.9.0 and we will
focus on stability and our backlog of bugfixes until the final release
around September 1st. We might be releasing a release candidate prior to
that date, but we haven't scheduled one for a particular date yet.

Because this is the last beta before the feature freeze, we have also
entered the string freeze for the 1.9.0 release.

As always, you can download the latest sources at

== Highlights ==
 * A new option, override_shell, was added. If this option is set, all
   users managed by SSSD will have their shell set to its value.
 * Many fixes for the support for setting default SELinux user context
   from FreeIPA. Most notably, the SELinux mappings can now link to HBAC
   rules as the source of users and hosts they apply to.
 * Fixed a regression introduced in beta 5 that prevented LDAP SASL binds
   from working unless the value of ldap_sasl_minssf was explicitly specified.
 * The SSSD supports the concept of a Primary Server and a Back Up
   Server. Certain servers in the fail over list can be marked as back up
   only. If the SSSD switches to a back up server because a primary server
   is not available, it will later try to re-establish a connection to the
   primary server. This feature mainly benefits users who configure
   fail over servers from different data centers or geographies.
 * A new command-line tool sss_seed is available. This tool is able to
   prime the internal cache with a user record and a cached password to
   support the scenario when a user needs to log in to the client before
   the network connection to the centralized identity source is established,
   such as the first log in to a new machine.
 * In scenarios where the SSSD is acting as an IPA client, it is able to
   discover and save the DNS domain-Kerberos realm mappings between an IPA
   server and a trusted Active Directory server.
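
The override_shell and primary/backup server highlights above, shown as an sssd.conf fragment. This is an added example, not part of the announcement: the host names, domain and realm are constructed placeholders, and the option names ldap_backup_uri and krb5_backup_server do not appear in this announcement; they are the options documented in sssd-ldap(5) and sssd-krb5(5).

```ini
# Constructed example; every host name, the domain and the realm are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]
# Every user served by SSSD gets this shell, whatever the directory entry says.
override_shell = /bin/bash

[domain/example.com]
id_provider = ldap
auth_provider = krb5

# Primary servers, tried in the order listed.
ldap_uri = ldap://ldap1.dc-a.example.com, ldap://ldap2.dc-a.example.com
# Backup-only servers: used only when no primary is reachable. While
# connected to one of these, SSSD later tries to reconnect to a primary.
ldap_backup_uri = ldap://ldap1.dc-b.example.com
ldap_search_base = dc=example,dc=com

krb5_realm = EXAMPLE.COM
krb5_server = kdc1.dc-a.example.com
krb5_backup_server = kdc1.dc-b.example.com
```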

== Packaging Changes ==
 * A new binary called sss_seed is available. The binary is installed to
   /usr/sbin/sss_seed by default and includes its own manual page.
 * The SSSD uses a new directory to store the DNS domain - Kerberos realm
   mappings. The default location is /var/lib/sss/pubconf/krb5.include.d

== Tickets Fixed ==
    Create tool to seed a user for first-boot
    RFE: Allow Forcing User Shell
    Introduce the concept of a Primary Server in SSSD
    [Feature] AD Extensions
    RFE: make the NSS memory cache timeout configurable
    Missing hostid and subdomains sections in sssd-ipa.conf
    domain_realm mappings manipulation by sssd
    document how sudo works with sssd
    sudo: provide automatic configuration of machine hostnames
    Don't refresh HBAC rules when looking up SELinux rules
    IPA session code returns error when SELinux mapping rule links to an HBAC 
    Mention AD Provider in manpage of sssd.conf
    Suggested additions to manpage of sssd-ad
    SELinux specificity does not work with HBAC rules
    sss_pam needs to write out SELinux login file during the account phase
    The SELinux login file needs to be created by the responder, not PAM module

== Detailed Changelog ==
Jakub Hrozek (6):
      * Bumping version to 1.9.0 beta 6
      * Fix sysdb_search_selinux_usermap_by_username return value
      * Fix SSSDConfigTest
      * Fix bad check
      * Create a domain-realm mapping for krb5.conf to be included
      * Update translations for 1.9.0 beta 6 release

Jan Zeleny (25):
      * Added some DEBUG statements into SELinux related code
      * Extend category support in SELinux user maps
      * Remove ipa_selinux_map_merge()
      * Fix linking of HBAC rules and SELinux user maps
      * Provide counter of possible matches in SELinux IPA provider
      * Always free request in data provider PAM callback
      * Renamed session provider to selinux provider
      * Move SELinux processing from session to account PAM stack
      * Remove unused member of be_req
      * Write SELinux config files in responder instead of PAM module
      * Modify hbac_get_cached_rules() so it can be used outside of HBAC code
      * Support fetching of HBAC rules from sysdb in SELinux code
      * Support fetching of host from sysdb in SELinux code
      * Primary server support: introduce concept of reconnection
      * Primary server support: basic support in failover code
      * Primary server support: support for "disconnecting" connections in LDAP
      * Primary server support: IPA adaptation
      * Primary server support: krb5 adaptation
      * Primary server support: LDAP adaptation
      * Primary server support: AD adaptation
      * Primary server support: man page, failover section
      * Primary server support: new option in ldap provider
      * Primary server support: new options in krb5 provider
      * Primary server support: new option in IPA provider
      * Primary server support: new option in AD provider

Michal Zidek (1):
      * Added unit test for sysdb_ssh.c

Nick Guay (1):
      * First-boot sss_seed tool

Pavel Březina (7):
      * sdap_sudo.c: add missing end of line in few debug messages
      * add hostid and subdomains sections in sssd-ipa.conf
      * manpage: seealso - include ssh conditionally
      * tests: allow changing cwd in all tests
      * manpage: sssd-sudo - documents how sudo works with sssd
      * sudo ldap provider: support autoconfiguration of hostnames
      * Unbreak SASL

Simo Sorce (16):
      * Change subdomain_info
      * tests: Remove useless consts
      * 80 columns police
      * Fix double semi-colons
      * Fix wrong elements used in comparison
      * Use ldb_msg_add_string with bare strings
      * Fix return error and debug message
      * Make structure initializer more readable
      * 80 col and style fixes
      * Use a more tractable name for subdomain request
      * Add realm parameter to subdomain list
      * Expose an initializer function from subdomain
      * Change refreshing of subdomains
      * Limit refreshes keeping track of last refresh time
      * Add online callback to enumerate subdomains
      * Add automatic periodic retrieval of subdomains

Stephen Gallagher (4):
      * MAN: List all available backends for provider options
      * MAN: Improvements to the AD provider manpage
      * NSS: Add override_shell option
      * SYSDB: Add log message for unexpected LDB errors

Ville Skyttä (1):
      * Require and call ldconfig from subpackages if appropriate
