The SSSD team is proud to announce the seventh beta release of version
1.9 of the System Security Services Daemon.

This is a bugfix release only; no new features were added in this
version. This release was originally planned to be a Release Candidate;
however, we are still actively working on fixing several crasher bugs.
A proper Release Candidate will be released once we fix the known
crashes. We will be focusing more on stabilization after that point
until the final 1.9.0 release, which is tentatively scheduled for
September 13, although that release date will probably slip a couple of

As always, you can download the latest sources at

== Highlights ==
* Fixed security bug CVE-2012-3462 - HBAC rules were ignored when the
  SELinux login context support was enabled
* Mutexes in the nss_sss module are now released correctly if one thread
  in a multithreaded application is cancelled while the mutex is locked
* The fail over code works correctly when the IPA provider is not able to
  establish a GSSAPI-encrypted connection to an IPA server
* The SSSD correctly accepts -1 as a valid value of the shadow attributes
* When the SSSD is unable to resolve a host name, it tries the next
  configured server now instead of going offline
* The default SELinux login context for IPA users was changed to unconfined_t
  when there are no rules on the server
* A file descriptor leak in cases where the SSSD was unable to establish an
  SSL connection to an LDAP server was fixed

== Packaging Changes ==
 * A new Python wrapper around the murmur hash library has been
   introduced. It is only useful to the FreeIPA server at the moment.

== Tickets Fixed ==
    on reconnect we need to detect that a ipa/ds server has been reinitialized
    Do not use "goto" to jump backwards in the proxy code
    when nesting limit is reached, the LDAP provider tries to establish link to members outside the nesting limit
    sssd does not warn into sssd.log for broken configurations
    ipv6 address with square brackets doesn't work for krb5_server
    domain.remove_provider() does not work
    Add support for nested automount maps
    shadow attributes should accept -1
    Kerberos validation algorithm is insufficient for cross-realm trusts
    Group lookups no longer work when fastcache cannot be initialized
    sssd_be crashes on using inappropriate keytab file
    Password change prompt doesn't appear when "User must change password on next logon" is set for a AD user.
    LOCAL domain lookups don't work
    sssd does not try another server when unable to resolve hostname
    Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted LDAP connection
    proxy provider: value stored to status is never read in get_pw_name
    SELinux code must fall back to default only if there are no rules on the 
    Attempt to close the same file stream twice
    Insecure temporary file in IPA subdomain provider
    SRV servers are always marked as back up
    SSSD thread issue can cause the application to not get any identity 
    FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
    Duplicate detection in fail over does not work
    ldap_autofs_* options missing from /usr/share/sssd/sssd.api.d/sssd-ldap.conf
    1.9.0b6 does not build with SELinux disabled
    Segfault in IPA subdomain provider
    SSSD does not close TCP connections when SSL fails
    Consolidate functions that make a realm upper-case
    There is no /etc/selinux/targeted/logins on RHEL5
    SSSD's default ccache location needs to be updated (again), and the man pages should reflect it

== Detailed Changelog ==

Ariel Barria (1):
      * SIGUSR2 should force SSSD to reread resolv.conf as well

Jakub Hrozek (32):
      * Bumping version for the 1.9.0 release
      * Don't call fo_set_{server,port}_status for SRV servers
      * Fix the version number
      * SYSDB: Check the return value
      * SYSDB: Use ldb_msg_add_string for simple string additions
      * Failover: Return last tried server if it's still being tried
      * Subdomains: Send the DP reply in the correct format
      * Always mark SRV servers as primary
      * Allocate on top of a talloc context, not NULL
      * Abort PAM access phase if HBAC does not return PAM_SUCCESS
      * Change default for ldap_idmap_range_min to 200000
      * Don't use server after SRV data collapsed
      * Document entry_cache_autofs_timeout
      * Add autofs-related options to configAPI
      * sss_client: Group lookups should work even when fastcache cannot be 
      * FO: Don't retry the same server if it's not working
      * FO: Return EAGAIN if there are more servers to try
      * KRB5: Only return PAM error for unreachable kpasswd when performing 
      * Build SELinux code in responder conditionally
      * Do not try to remove the temp login file if already renamed
      * Only create the SELinux login file if there are mappings on the server
      * Fix compilation error in Python murmurhash bindings
      * Process all groups from a single nesting level
      * Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
      * RPM: Switch the default ccache location
      * RPM: Always include the patch file
      * Check if the SELinux login directory exists
      * SYSDB: Commit transaction in sysdb_store_user
      * SYSDB: Abort unit test if sysdb_getpwnam fails
      * Retry the next server if bind during LDAP auth times out
      * Don't terminate the same connection twice
      * Update translations for 1.9.0 beta 7 release

Jan Cholasta (3):
      * SSH: Return error code in SSH utility functions
      * SSH: Simplify public key formatting function
      * SSH: Add support for OpenSSH-style public keys

Michal Zidek (10):
      * Return value of fread in src/tools/sss_debuglevel.c no longer ignored.
      * Change default value of ldap_sasl_string to host/hostname@REALM in man 
      * SRV resolution for backup servers should not be permitted.
      * When ldap_group_nesting_level was reached, the LDAP provider tried to link group members with groups outside nesting limit.
      * Duplicate detection in fail over did not work.
      * Typo in debug message (SSSd -> SSSD).
      * Unify usage of sysdb transactions
      * Fix: IPv6 address with square brackets doesn't work.
      * Adding -std=gnu99 flag.
      * Unify usage of sysdb transactions (part 2).

Nick Guay (1):
      * remove duplicate sss_obfuscate reference in seealso manpage section

Ondrej Kos (5):
      * Removed unused variable assignment
      * Replaced "id_max" & "id_min"
      * Backward GOTOs rewritten into do-while loops.
      * AD context was set to null due to type mismatch
      * Consolidation of functions that make realm upper-case

Pavel Březina (12):
      * tests: build sysdb ssh tests conditionally
      * shadow attributes can contain -1
      * Add end of line to debug message
      * monitor: set debug level when unable to load configuration
      * Remove redefinition of some SYSDB_* macros
      * Remove SYSDB_SUDO_CACHE_OC from attribute lists
      * Fix LOCAL domain lookups
      * Close LDAP connection when unable to install TLS
      * Unbreak build on RHEL5: replace ldap_destroy() with ldap_unbind_ext()
      * Remove compilation warning: ret may be uninitialized
      * Clean up cache on server reinitialization

Stephen Gallagher (6):
      * SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider()
      * IPA: Do not attempt to close the same file twice
      * IPA: Securely set umask for mkstemp in subdomain provider
      * MAN: Fix minor typo in ldap_search_base section
      * MAN: Improve description of ldap_*_search_base options
      * SYSDB: Make sysdb_attrs_get_el_int() public

Sumit Bose (5):
      * Add python bindings for murmurhash3
      * accept_fd_handler: add missing return
      * Fix fallback in validate_tgt()
      * Use new debug levels in validate_tgt()
      * Check flat names when searching for sub-domains as well

Yuri Chornoivan (1):
      * Fix various typos in documentation.
