The SSSD team is proud to announce the last preview release of version 1.9 of the System Security Services Daemon.
After this beta, no new features will be added to SSSD 1.9.0 and we will focus on stability and our backlog of bugfixes until the final release around September 1st. We might release a release candidate prior to that date, but we haven't scheduled one for a particular date yet. Because this is the last beta before the feature freeze, we have also entered the string freeze for the 1.9.0 release.

As always, you can download the latest sources at https://fedorahosted.org/sssd/

== Highlights ==

* A new option, override_shell, was added. If this option is set, all users managed by SSSD will have their shell set to its value.
* Many fixes for setting the default SELinux user context from FreeIPA. Most notably, SELinux user maps can now link to HBAC rules as the source of the users and hosts they apply to.
* Fixed a regression introduced in beta 5 that prevented LDAP SASL binds from working unless the value of ldap_sasl_minssf was explicitly specified.
* The SSSD now supports the concept of a Primary Server and a Backup Server. Certain servers in the failover list can be marked as backup only. If the SSSD switches to a backup server because no primary server is available, it will later try to re-establish a connection to a primary server. This feature mainly benefits users who configure failover servers in different data centers or geographies.
* A new command-line tool, sss_seed, is available. It can prime the internal cache with a user record and a cached password to support the scenario where a user needs to log in to the client before the network connection to the centralized identity source is established, such as the first login to a new machine.
* When the SSSD is acting as an IPA client, it is able to discover and save the DNS domain to Kerberos realm mappings between an IPA server and a trusted Active Directory server.

== Packaging Changes ==

* A new binary, sss_seed, is available. It is installed to /usr/sbin/sss_seed by default and includes its own manual page.
* The SSSD uses a new directory to store the DNS domain to Kerberos realm mappings. The default location is /var/lib/sss/pubconf/krb5.include.d

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/904 Create tool to seed a user for first-boot
https://fedorahosted.org/sssd/ticket/1087 RFE: Allow Forcing User Shell
https://fedorahosted.org/sssd/ticket/1128 Introduce the concept of a Primary Server in SSSD
https://fedorahosted.org/sssd/ticket/1185 [Feature] AD Extensions
https://fedorahosted.org/sssd/ticket/1318 RFE: make the NSS memory cache timeout configurable
https://fedorahosted.org/sssd/ticket/1368 Missing hostid and subdomains sections in sssd-ipa.conf
https://fedorahosted.org/sssd/ticket/1380 domain_realm mappings manipulation by sssd
https://fedorahosted.org/sssd/ticket/1418 document how sudo works with sssd
https://fedorahosted.org/sssd/ticket/1420 sudo: provide automatic configuration of machine hostnames
https://fedorahosted.org/sssd/ticket/1427 Don't refresh HBAC rules when looking up SELinux rules
https://fedorahosted.org/sssd/ticket/1429 IPA session code returns error when SELinux mapping rule links to an HBAC rule
https://fedorahosted.org/sssd/ticket/1432 Mention AD Provider in manpage of sssd.conf
https://fedorahosted.org/sssd/ticket/1433 Suggested additions to manpage of sssd-ad
https://fedorahosted.org/sssd/ticket/1435 SELinux specificity does not work with HBAC rules
https://fedorahosted.org/sssd/ticket/1439 sss_pam needs to write out SELinux login file during the account phase
https://fedorahosted.org/sssd/ticket/1445 The SELinux login file needs to be created by the responder, not PAM module

== Detailed Changelog ==

Jakub Hrozek (6):
* Bumping version to 1.9.0 beta 6
* Fix sysdb_search_selinux_usermap_by_username return value
* Fix SSSDConfigTest
* Fix bad check
* Create a domain-realm mapping for krb5.conf to be included
* Update translations for 1.9.0 beta 6 release

Jan Zeleny (25):
* Added some DEBUG statements into SELinux related code
* Extend category support in SELinux user maps
* Remove ipa_selinux_map_merge()
* Fix linking of HBAC rules and SELinux user maps
* Provide counter of possible matches in SELinux IPA provider
* Always free request in data provider PAM callback
* Renamed session provider to selinux provider
* Move SELinux processing from session to account PAM stack
* Remove unused member of be_req
* Write SELinux config files in responder instead of PAM module
* Modify hbac_get_cached_rules() so it can be used outside of HBAC code
* Support fetching of HBAC rules from sysdb in SELinux code
* Support fetching of host from sysdb in SELinux code
* Primary server support: introduce concept of reconnection
* Primary server support: basic support in failover code
* Primary server support: support for "disconnecting" connections in LDAP
* Primary server support: IPA adaptation
* Primary server support: krb5 adaptation
* Primary server support: LDAP adaptation
* Primary server support: AD adaptation
* Primary server support: man page, failover section
* Primary server support: new option in ldap provider
* Primary server support: new options in krb5 provider
* Primary server support: new option in IPA provider
* Primary server support: new option in AD provider

Michal Zidek (1):
* Added unit test for sysdb_ssh.c

Nick Guay (1):
* First-boot sss_seed tool

Pavel Březina (7):
* sdap_sudo.c: add missing end of line in few debug messages
* add hostid and subdomains sections in sssd-ipa.conf
* manpage: seealso - include ssh conditionally
* tests: allow changing cwd in all tests
* manpage: sssd-sudo - documents how sudo works with sssd
* sudo ldap provider: support autoconfiguration of hostnames
* Unbreak SASL

Simo Sorce (16):
* Change subdomain_info
* tests: Remove useless consts
* 80 columns police
* Fix double semi-colons
* Fix wrong elements used in comparison
* Use ldb_msg_add_string with bare strings
* Fix return error and debug message
* Make structure initializer more readable
* 80 col and style fixes
* Use a more tractable name for subdomain request
* Add realm parameter to subdomain list
* Expose an initializer function from subdomain
* Change refreshing of subdomains
* Limit refreshes keeping track of last refresh time
* Add online callback to enumerate subdomains
* Add automatic periodic retrieval of subdomains

Stephen Gallagher (4):
* MAN: List all available backends for provider options
* MAN: Improvements to the AD provider manpage
* NSS: Add override_shell option
* SYSDB: Add log message for unexpected LDB errors

Ville Skyttä (1):
* Require and call ldconfig from subpackages if appropriate

_______________________________________________
Freeipa-interest mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-interest
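The following sssd.conf and krb5.conf fragments are an added illustration of the three configuration-facing highlights above (override_shell, the primary/backup server split, and the directory of domain-realm mappings); they are not part of the announcement or of the SSSD project's own documentation. The option names ldap_backup_uri, krb5_backup_server, ipa_backup_server and ad_backup_server are taken from the provider man pages of this release rather than from the text above, and every host name, realm and domain is made up.

```ini
# /etc/sssd/sssd.conf (added example; hosts, realm and domains are made up).
# SSSD refuses to start unless this file is owned by root and mode 0600.
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.example.com, corp.example.com

[nss]
# Every user served by SSSD gets this shell, regardless of the loginShell
# attribute stored in the directory.
override_shell = /bin/bash

[pam]

# IPA client: two primary servers in the local data center and one
# backup-only server in another site. The backup is contacted only when
# both primaries are unreachable; SSSD later reconnects to a primary.
[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_hostname = client1.ipa.example.com
ipa_server = ipa1.ipa.example.com, ipa2.ipa.example.com
ipa_backup_server = ipa-dr.ipa.example.com

# Plain LDAP + Kerberos domain with the same primary/backup split for
# both the directory and the KDCs.
[domain/corp.example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap1.corp.example.com, ldaps://ldap2.corp.example.com
ldap_backup_uri = ldaps://ldap-dr.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
krb5_realm = CORP.EXAMPLE.COM
krb5_server = kdc1.corp.example.com, kdc2.corp.example.com
krb5_backup_server = kdc-dr.corp.example.com

# /etc/krb5.conf (fragment): the includedir line must sit at top level,
# outside any section. It pulls in the [domain_realm] mappings that the
# IPA provider writes for trusted AD domains, so the Kerberos library can
# resolve a host in the AD domain to the AD realm without hand-edited entries.
includedir /var/lib/sss/pubconf/krb5.include.d

[libdefaults]
default_realm = IPA.EXAMPLE.COM
```

To prime the cache for a first login on such a client, sss_seed is run as root, for example as sss_seed -D ipa.example.com -n alice -p /root/alice.pw (option letters as in the sss_seed man page; the user and file name are assumptions). The password file holds the user's cleartext password, so create it with umask 077 and remove it once the cache is primed, or use -i to be prompted for the password instead of writing it to disk.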