The SSSD team is proud to announce the seventh beta release of version
1.9 of the System Security Services Daemon.

This is a bugfix-only release; no new features were added in this
version. This release was originally planned to be a Release Candidate;
however, we are still actively working on fixing several crasher bugs.
A proper Release Candidate will be released once we fix the known
crashes. We will focus on further stabilization after that point
until the final 1.9.0 release, which is tentatively scheduled for
September 13, although that release date will probably slip a couple of
days.

As always, you can download the latest sources at
https://fedorahosted.org/sssd/

== Highlights ==
* Fixed security bug CVE-2012-3462 - HBAC rules were ignored when the
  SELinux login context support was enabled
* Mutexes in the nss_sss module are now released correctly if one thread
  in a multithreaded application is cancelled while the mutex is locked
* The fail over code works correctly when the IPA provider is not able to
  establish a GSSAPI-encrypted connection to an IPA server
* The SSSD correctly accepts -1 as a valid value of the shadow attributes
* When the SSSD is unable to resolve a host name, it tries the next
  configured server now instead of going offline
* The default SELinux login context for IPA users was changed to unconfined_t
  when there are no rules on the server
* A file descriptor leak in cases where the SSSD was unable to establish an
  SSL connection to an LDAP server was fixed

== Packaging Changes ==
 * A new Python wrapper around the murmur hash library has been
   introduced. It is only useful to the FreeIPA server at the moment.

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/734
    on reconnect we need to detect that a ipa/ds server has been reinitialized
https://fedorahosted.org/sssd/ticket/1156
    Do not use "goto" to jump backwards in the proxy code
https://fedorahosted.org/sssd/ticket/1194
    when nesting limit is reached, the LDAP provider tries to establish link to members outside the nesting limit
https://fedorahosted.org/sssd/ticket/1345
    sssd does not warn into sssd.log for broken configurations
https://fedorahosted.org/sssd/ticket/1365
    ipv6 address with square brackets doesn't work for krb5_server
https://fedorahosted.org/sssd/ticket/1388
    domain.remove_provider() does not work
https://fedorahosted.org/sssd/ticket/1390
    Add support for nested automount maps
https://fedorahosted.org/sssd/ticket/1393
    shadow attributes should accept -1
https://fedorahosted.org/sssd/ticket/1396
    Kerberos validation algorithm is insufficient for cross-realm trusts
https://fedorahosted.org/sssd/ticket/1415
    Group lookups no longer work when fastcache cannot be initialized
https://fedorahosted.org/sssd/ticket/1416
    sssd_be crashes on using inappropriate keytab file
https://fedorahosted.org/sssd/ticket/1430
    Password change prompt doesn't appear when "User must change password on next logon" is set for a AD user.
https://fedorahosted.org/sssd/ticket/1436
    LOCAL domain lookups don't work
https://fedorahosted.org/sssd/ticket/1446
    sssd does not try another server when unable to resolve hostname
https://fedorahosted.org/sssd/ticket/1447
    Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted LDAP connection
https://fedorahosted.org/sssd/ticket/1453
    proxy provider: value stored to status is never read in get_pw_name
https://fedorahosted.org/sssd/ticket/1455
    SELinux code must fall back to default only if there are no rules on the server
https://fedorahosted.org/sssd/ticket/1456
    Attempt to close the same file stream twice
https://fedorahosted.org/sssd/ticket/1457
    Insecure temporary file in IPA subdomain provider
https://fedorahosted.org/sssd/ticket/1459
    SRV servers are always marked as back up
https://fedorahosted.org/sssd/ticket/1460
    SSSD thread issue can cause the application to not get any identity information
https://fedorahosted.org/sssd/ticket/1470
    FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
https://fedorahosted.org/sssd/ticket/1472
    Duplicate detection in fail over does not work
https://fedorahosted.org/sssd/ticket/1478
    ldap_autofs_* options missing from /usr/share/sssd/sssd.api.d/sssd-ldap.conf
https://fedorahosted.org/sssd/ticket/1480
    1.9.0b6 does not build with SELinux disabled
https://fedorahosted.org/sssd/ticket/1488
    Segfault in IPA subdomain provider
https://fedorahosted.org/sssd/ticket/1490
    SSSD does not close TCP connections when SSL fails
https://fedorahosted.org/sssd/ticket/1491
    Consolidate functions that make a realm upper-case
https://fedorahosted.org/sssd/ticket/1492
    There is no /etc/selinux/targeted/logins on RHEL5
https://fedorahosted.org/sssd/ticket/1500
    SSSD's default ccache location needs to be updated (again), and the man pages should reflect it


== Detailed Changelog ==

Ariel Barria (1):
      * SIGUSR2 should force SSSD to reread resolv.conf as well

Jakub Hrozek (32):
      * Bumping version for the 1.9.0 release
      * Don't call fo_set_{server,port}_status for SRV servers
      * Fix the version number
      * SYSDB: Check the return value
      * SYSDB: Use ldb_msg_add_string for simple string additions
      * Failover: Return last tried server if it's still being tried
      * Subdomains: Send the DP reply in the correct format
      * Always mark SRV servers as primary
      * Allocate on top of a talloc context, not NULL
      * Abort PAM access phase if HBAC does not return PAM_SUCCESS
      * Change default for ldap_idmap_range_min to 200000
      * Don't use server after SRV data collapsed
      * Document entry_cache_autofs_timeout
      * Add autofs-related options to configAPI
      * sss_client: Group lookups should work even when fastcache cannot be initialized
      * FO: Don't retry the same server if it's not working
      * FO: Return EAGAIN if there are more servers to try
      * KRB5: Only return PAM error for unreachable kpasswd when performing chpass
      * Build SELinux code in responder conditionally
      * Do not try to remove the temp login file if already renamed
      * Only create the SELinux login file if there are mappings on the server
      * Fix compilation error in Python murmurhash bindings
      * Process all groups from a single nesting level
      * Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
      * RPM: Switch the default ccache location
      * RPM: Always include the patch file
      * Check if the SELinux login directory exists
      * SYSDB: Commit transaction in sysdb_store_user
      * SYSDB: Abort unit test if sysdb_getpwnam fails
      * Retry the next server if bind during LDAP auth times out
      * Don't terminate the same connection twice
      * Update translations for 1.9.0 beta 7 release

Jan Cholasta (3):
      * SSH: Return error code in SSH utility functions
      * SSH: Simplify public key formatting function
      * SSH: Add support for OpenSSH-style public keys

Michal Zidek (10):
      * Return value of fread in src/tools/sss_debuglevel.c no longer ignored.
      * Change default value of ldap_sasl_string to host/hostname@REALM in man page.
      * SRV resolution for backup servers should not be permitted.
      * When ldap_group_nesting_level was reached, the LDAP provider tried to link group members with groups outside nesting limit.
      * Duplicate detection in fail over did not work.
      * Typo in debug message (SSSd -> SSSD).
      * Unify usage of sysdb transactions
      * Fix: IPv6 address with square brackets doesn't work.
      * Adding -std=gnu99 flag.
      * Unify usage of sysdb transactions (part 2).

Nick Guay (1):
      * remove duplicate sss_obfuscate reference in seealso manpage section

Ondrej Kos (5):
      * Removed unused variable assignment
      * Replaced "id_max" & "id_min"
      * Backward GOTOs rewritten into do-while loops.
      * AD context was set to null due to type mismatch
      * Consolidation of functions that make realm upper-case

Pavel Březina (12):
      * tests: build sysdb ssh tests conditionally
      * shadow attributes can contain -1
      * Add end of line to debug message
      * monitor: set debug level when unable to load configuration
      * Remove redefinition of some SYSDB_* macros
      * Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC
      * Remove SYSDB_SUDO_CACHE_OC from attribute lists
      * Fix LOCAL domain lookups
      * Close LDAP connection when unable to install TLS
      * Unbreak build on RHEL5: replace ldap_destroy() with ldap_unbind_ext()
      * Remove compilation warning: ret may be uninitialized
      * Clean up cache on server reinitialization

Stephen Gallagher (6):
      * SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider()
      * IPA: Do not attempt to close the same file twice
      * IPA: Securely set umask for mkstemp in subdomain provider
      * MAN: Fix minor typo in ldap_search_base section
      * MAN: Improve description of ldap_*_search_base options
      * SYSDB: Make sysdb_attrs_get_el_int() public

Sumit Bose (5):
      * Add python bindings for murmurhash3
      * accept_fd_handler: add missing return
      * Fix fallback in validate_tgt()
      * Use new debug levels in validate_tgt()
      * Check flat names when searching for sub-domains as well

Yuri Chornoivan (1):
      * Fix various typos in documentation.
