=== SSSD 1.9.3 ===

The SSSD team is proud to announce the release of version 1.9.3 of the System Security Services Daemon.

This release is mainly focused on fixing regressions in functionality introduced by new features during the 1.9 development cycle, or bugs in the new features themselves. As always, the source is available from https://fedorahosted.org/sssd. RPM packages will be made available for Fedora shortly, initially for F-18 and rawhide, and later also backported to F-17. We will also provide test builds for RHEL6.3, as was the case with 1.9.2.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:

https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* Many fixes related to deployments where the SSSD is running as a client of an IPA server with a trust relation established with an Active Directory server
* Multiple fixes related to correct reporting of group memberships, especially in setups that use nested groups
* Fixed a bug that prevented upgrade from the 1.8 series if the cache contained nested groups before the upgrade
* Restarting the responders is more robust for cases where the machine is under heavy load during back end restart
* The default_shell option can now also be set per-domain, in addition to the global setting

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1345 sssd does not warn into sssd.log for broken configurations
https://fedorahosted.org/sssd/ticket/1357 Init script reports complete before sssd is actually working
https://fedorahosted.org/sssd/ticket/1437 upstream spec should use systemd where available
https://fedorahosted.org/sssd/ticket/1482 "fullName" in sysdb doesn't match with the "name" ldap attribute on AD Server
https://fedorahosted.org/sssd/ticket/1528 SSSD_NSS failure to gracefully restart after sbus failure
https://fedorahosted.org/sssd/ticket/1581 sssd_be crashes while looking up users
https://fedorahosted.org/sssd/ticket/1583 Allow setting the default_shell per-domain
https://fedorahosted.org/sssd/ticket/1584 invalidating the memcache with sss_cache doesn't work if the sssd is not running
https://fedorahosted.org/sssd/ticket/1589 sss_cache says 'Wrong DB version'
https://fedorahosted.org/sssd/ticket/1590 sssd does not resolve group names from AD
https://fedorahosted.org/sssd/ticket/1593 Silence the DEBUG messages when ID mapping code skips a built-in group
https://fedorahosted.org/sssd/ticket/1594 ldap_child crashes on using invalid keytab during gssapi connection
https://fedorahosted.org/sssd/ticket/1595 Password authentication with users coming via AD trust
https://fedorahosted.org/sssd/ticket/1596 Sudo smart refresh doesn't occur on time
https://fedorahosted.org/sssd/ticket/1600 The sssd_nss process grows the memory consumption over time
https://fedorahosted.org/sssd/ticket/1601 A wrong callback used causes getgrgid to not work for trusted domains
https://fedorahosted.org/sssd/ticket/1602 provider is forcibly killed with SIGKILL instead of SIGTERM if it's not responding
https://fedorahosted.org/sssd/ticket/1604 sssd not granting access for AD trusted user in HBAC rule
https://fedorahosted.org/sssd/ticket/1606 SSSD starts multiple processes due to syntax error in ldap_uri
https://fedorahosted.org/sssd/ticket/1608 sss_cache: Multiple domains not handled properly
https://fedorahosted.org/sssd/ticket/1610 subdomains: Invalid sub-domain request type.
https://fedorahosted.org/sssd/ticket/1611 authconfig chokes on sssd.conf with chpass_provider directive
https://fedorahosted.org/sssd/ticket/1612 Nested groups are not retrieved appropriately from cache
https://fedorahosted.org/sssd/ticket/1613 ipa client setup should configure host properly in a trust is in place
https://fedorahosted.org/sssd/ticket/1614 User appears twice on looking up a nested group
https://fedorahosted.org/sssd/ticket/1615 IPA client cannot change AD Trusted User password
https://fedorahosted.org/sssd/ticket/1616 sudo failing for ad trusted user in IPA environment
https://fedorahosted.org/sssd/ticket/1619 pam: fd leak when writing the selinux login file in the pam responder
https://fedorahosted.org/sssd/ticket/1623 Man page issue to list 'force_timeout' as an option for the [sssd] section
https://fedorahosted.org/sssd/ticket/1628 user id lookup fails using proxy provider
https://fedorahosted.org/sssd/ticket/1629 subdomains code does not save the proper user/group name
https://fedorahosted.org/sssd/ticket/1631 sysdb upgrade failed converting db to 0.11
https://fedorahosted.org/sssd/ticket/1635 investigate the behaviour of ldap_sasl_authid in 1.9.x
https://fedorahosted.org/sssd/ticket/1636 offline authentication failure always returns System Error
https://fedorahosted.org/sssd/ticket/1638 password expiry warning message doesn't appear during auth
https://fedorahosted.org/sssd/ticket/1640 "defaults" entry ignored
https://fedorahosted.org/sssd/ticket/1647 LDAP provider fails to save empty groups
https://fedorahosted.org/sssd/ticket/1649 ldap_connection_expire_timeout doesn't expire ldap connections
https://fedorahosted.org/sssd/ticket/1650 Wrong variable check in sudosrv_parse_query_send
https://fedorahosted.org/sssd/ticket/1651 Unchecked return value from waitpid()
https://fedorahosted.org/sssd/ticket/1652 updating top-level group does not reflect ghost members correctly
https://fedorahosted.org/sssd/ticket/1657 SIGSEGV in IPA provider when ldap_sasl_authid is not set
https://fedorahosted.org/sssd/ticket/1658 ipa password auth failing for user principal name when shorter than IPA Realm name
https://fedorahosted.org/sssd/ticket/1661 Allow backward compatible regex for domain / realm search in sssd 1.9
https://fedorahosted.org/sssd/ticket/1668 delete operation is not implemented for ghost users
https://fedorahosted.org/sssd/ticket/1669 sssd hangs at startup with broken configurations
https://fedorahosted.org/sssd/ticket/1671 mmap cache needs update after db changes
https://fedorahosted.org/sssd/ticket/1674 Explicit null dereferenced
https://fedorahosted.org/sssd/ticket/1683 arithmetic bug in the SSSD causes netgroup midpoint refresh to be always set to 10 seconds
https://fedorahosted.org/sssd/ticket/1684 Dereference after null check in sss_idmap_sid_to_unix
https://fedorahosted.org/sssd/ticket/1686 sssd crashes during start if id_provider is not mentioned
https://fedorahosted.org/sssd/ticket/1688 sssd_sudo prints wrong debug message when notBefore or notAfter attribute is missing
https://fedorahosted.org/sssd/ticket/1694 Incorrect synchronization in mmap cache
https://fedorahosted.org/sssd/ticket/1695 user is not removed from group membership during initgroups

== Packaging Changes ==

* The sss_cache has been moved from the sss-tools subpackage to the main sssd package
* The upstream RPM uses a systemd unit file by default, rather than a SystemV init script
* Several rpmlint warnings have been fixed in the upstream spec file

== Detailed Changelog ==

Ariel O. Barria (1):
* Monitor quit when not exists no process no stops

Jakub Hrozek (42):
* Updating the version for the 1.9.3 release
* LDAP: Check validity of naming_context
* Allow setting the default_shell option per-domain as well
* KRB5: Return error when principal selection fails
* Free the internal DP request
* LDAP: Fix off-by-one error when saving ghost users
* Monitor: read the correct SIGKILL timeout for providers, too
* PAM: Do not leak fd after SELinux context file is written
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
* KRB5: Rename variable to avoid shadowing a global declaration
* Only build extract_and_send_pac on platforms that support it
* Include the auth_utils.h header in the distribution
* SYSDB: Do not touch the member attribute during conversion to ghost users
* Provide AM_COND_IF-compatible implementation for old automake systems
* LDAP: Expire even non authenticated connections
* SUDO: Fix wrong variable check
* SERVER: Check the return value of waitpid
* LDAP: Allocate the temporary context on NULL, not memctx
* LDAP: Fix saving empty groups
* LDAP: use the correct memory context
* LDAP: Refactor saving ghost users
* Restart services with a delay in case they are restarted too often
* MAN: document the ldap_sasl_realm option
* LDAP: Provide a common sdap_set_sasl_options init function
* LDAP: Checking the principal should not be considered fatal
* LDAP: Make it possible to use full principal in ldap_sasl_authid again
* SYSDB: Use the add_string convenience functions for managing ghost user attribute
* LDAP: Only convert direct parents' ghost attribute to member
* MONITOR: Fix off-by-one error in add_string_to_list
* Handle compiling FQDN regular expression with old pcre gracefully
* MEMBEROF: Do not add the ghost attribute to self
* TESTS: Test ghosts users in the RFC2307 schema
* NSS: Fix netgroup midpoint cache refresh
* LDAP: Continue adjusting group membership even if there is nothing to add
* MEMBEROF: Implement delete operation for ghost users
* MEMBEROF: split processing the member modify into a separate function
* MEMBEROF: Split the del ghost attribute op into a reusable function
* MEMBEROF: Split the add ghost operation into a separate function
* MEMBEROF: Implement the modify operation for ghost users
* MEMBEROF: Keep inherited ghost users around on modify operation
* RESOLV: return ENOENT if the address list is empty
* Updating the translations for the 1.9.3 release

Jan Cholasta (3):
* Use systemd by default on Fedora 16+
* Fix errors reported by rpmlint
* MAN: Move ssh_known_hosts_timeout documentation to the correct section

Michal Zidek (11):
* sss_cache: Multiple domains not handled properly
* util: Added new file util_lock.c
* sss_cache: Remove fastcache even if sssd is not running.
* util_lock.c: sss_br_lock_file accepted invalid parameter value
* debug: print fatal and critical errors if debug level is unresolved
* sss_cache: Small refactor.
* Uninitialized pointer read
* idmap: Silence DEBUG messages when dealing with built-in SIDs.
* Null pointer dereferenced.
* Dereference after null check in sss_idmap_sid_to_unix
* Missing parameter in DEBUG message.

Ondrej Kos (4):
* MAN: sssd-simple - suggest awareness of empty rules
* Display more information on DB version crash
* LDAP: fix uninitialized variable
* SYSDB: Don't operate with aliases same as name

Pavel Březina (23):
* sudo: do not fail if usn value is zero but full refresh is completed
* sudo refresh: handle errors properly
* authconfig: allow chpass_provider = proxy
* add SSSDBG_IMPORTANT_INFO macro
* fix indentation, coding style and debug levels in server.c
* make monitor_quit() usable outside signal handler
* exit original process after sssd is initialized
* create pid file immediately after fork again
* do not default fullname to gecos when schema = ad
* sss_dp_get_domains_send(): handle subreq error correctly
* subdomains: check request type on one place only
* backend: add PAC to the list of known clients
* sudo: fix missing parameter in two debug messages
* use tmp_ctx in sudosrv_get_sudorules_from_cache()
* sudo: support users from subdomains
* sudo: do not send domain name with username
* sudo: print how many rules we are refreshing or returning
* sudo: store rules with no sudoHost attribute
* fix SIGSEGV in IPA provider when ldap_sasl_authid is not set
* avoid versioning libsss_sudo
* warn user if password is about to expire
* do not crash when id_provider is not set
* sudo: print rule name if notBefore or notAfter attribute is missing

Simo Sorce (9):
* Simplify writing db update functions
* Refactor the way subdomain accounts are saved
* Handle conversion to fully qualified usernames
* mmap cache: public functions to invalidate records
* Hook to perform a mmap cache update from sssd_nss
* Hook for mmap cache update on initgroup calls
* Add backchannel NSS provider query on initgr calls
* Always append rctx as private data
* Add memory barrier to mmap cache client code loop

Stephen Gallagher (9):
* LDAP: Better debug logging when saving groups
* RPMS: Move sss_cache tool to main package
* Monitor: Better debugging for ping timeouts
* MAN: Specify the correct location for the force_timeout option
* SSSDConfig: Locate the force_timeout option in the correct sections
* MAN: Fix validation error caused by bad 'ca' translation
* SUDO: Remove unused variable
* BUILD: Temporary workaround for Kerberos build
* IPA: Handle bad results from c-ares lookup

Sumit Bose (34):
* Fix two errors in the nss responder
* subdomain-id: Generate homedir only for users not groups
* pac responder: fix copy-and-paste error
* sysdb: look for ranges in the parent tree
* pac responder: use only lower case user name
* pac responder: add user principal and name alias to cached user object
* krb5_auth_send: check for sub-domains
* sysdb: add sysdb_base_dn()
* check_ccache_files: search sub-domains as well
* Add replacement for krb5_find_authdata()
* krb5_auth: check if principal belongs to a different realm
* krb5_auth: send different_realm flag to krb5_child
* krb5_child: send PAC to PAC responder
* krb5_mod_ccname: replace wrong memory context
* krb5_child: send back the client principal
* Add new call find_or_guess_upn()
* Use find_or_guess_upn() where needed
* krb5_auth: update with correct UPN if needed
* sss_parse_name_for_domains: always return the canonical domain name
* Make sub-domains case-insensitive
* Clarify debug message about initgroups and subdomains
* Do not remove a group if it has members from subdomains
* Add diff_gid_lists() with test
* Add pac_user_get_grp_info() to read current group memberships
* Get lists of GIDs to be added and deleted and use them
* Store the original group DN in the subdomain user object
* Add string_in_list() and add_string_to_list() with tests
* Always start PAC responder if IPA ID provider is configured
* Run IPA subdomain provider if IPA ID provider is configured
* Do not save HBAC rules in subdomain subtree
* Just use the service name with krb5_get_init_creds_password()
* Fix compare_principal_realm() check
* Disable canonicalization during password changes
* KRB5: Work around const warning for krb5 releases older than 1.11

Timo Aaltonen (1):
* link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthread

Freeipa-interest mailing list: https://www.redhat.com/mailman/listinfo/freeipa-interest