=== SSSD 1.9.3 ===

The SSSD team is proud to announce the release of version 1.9.3 of
the System Security Services Daemon.

This release is mainly focused on fixing regressions in functionality
introduced by new features during the 1.9 development cycle or bugs in
the new features themselves.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17. We will also provide test builds
for RHEL6.3 as was the case with 1.9.2.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:

== Highlights ==

* Many fixes related to deployments where the SSSD is running as a client
  of IPA server with trust relation established with an Active Directory server
* Multiple fixes related to correct reporting of group memberships,
  especially in setups that use nested groups
* Fixed a bug that prevented upgrade from the 1.8 series if the cache
  contained nested groups before the upgrade
* Restarting the responders is more robust for cases where the machine is
  under heavy load during back end restart
* The default_shell option can now be also set per-domain in addition to
  global setting

== Tickets Fixed ==

    sssd does not warn into sssd.log for broken configurations
    Init script reports complete before sssd is actually working
    upstream spec should use systemd where available
    "fullName" in sysdb doesn't match with the "name" ldap attribute on AD 
    SSSD_NSS failure to gracefully restart after sbus failure
    sssd_be crashes while looking up users
    Allow setting the default_shell per-domain
    invalidating the memcache with sss_cache doesn't work if the sssd is not 
    sss_cache says 'Wrong DB version'
    sssd does not resolve group names from AD
    Silence the DEBUG messages when ID mapping code skips a built-in group
    ldap_child crashes on using invalid keytab during gssapi connection
    Password authentication with users coming via AD trust
    Sudo smart refresh doesn't occur on time
    The sssd_nss process grows the memory consumption over time
    A wrong callback used causes getgrgid to not work for trusted domains
    provider is forcibly killed with SIGKILL instead of SIGTERM if it's not 
    sssd not granting access for AD trusted user in HBAC rule
    SSSD starts multiple processes due to syntax error in ldap_uri
    sss_cache: Multiple domains not handled properly
    subdomains: Invalid sub-domain request type.
    authconfig chokes on sssd.conf with chpass_provider directive
    Nested groups are not retrieved appropriately from cache
    ipa client setup should configure host properly in a trust is in place
    User appears twice on looking up a nested group
    IPA client cannot change AD Trusted User password
    sudo failing for ad trusted user in IPA environment
    pam: fd leak when writing the selinux login file in the pam responder
    Man page issue to list 'force_timeout' as an option for the [sssd] section
    user id lookup fails using proxy provider
    subdomains code does not save the proper user/group name
    sysdb upgrade failed converting db to 0.11
    investigate the behaviour of ldap_sasl_authid in 1.9.x
    offline authentication failure always returns System Error
    password expiry warning message doesn't appear during auth
    "defaults" entry ignored
    LDAP provider fails to save empty groups
    ldap_connection_expire_timeout doesn't expire ldap connections
    Wrong variable check in sudosrv_parse_query_send
    Unchecked return value from waitpid()
    updating top-level group does not reflect ghost members correctly
    SIGSEGV in IPA provider when ldap_sasl_authid is not set
    ipa password auth failing for user principal name when shorter than IPA 
Realm name
    Allow backward compatible regex for domain / realm search in sssd 1.9
    delete operation is not implemented for ghost users
    sssd hangs at startup with broken configurations
    mmap cache needs update after db changes
    Explicit null dereferenced
    arithmetic bug in the SSSD causes netgroup midpoint refresh to be always 
set to 10 seconds
    Dereference after null check in sss_idmap_sid_to_unix
    sssd crashes during start if id_provider is not mentioned
    sssd_sudo prints wrong debug message when notBefore or notAfter attribute 
is missing
    Incorrect synchronization in mmap cache
    user is not removed from group membership during initgroups

== Packaging Changes ==
* The sss_cache has been moved from sss-tools subpackage to the main sssd 
* The upstream RPM uses a systemd unit file by default, rather than a SystemV 
init script
* Several rpmlint warnings have been fixed in the upstream spec file

== Detailed Changelog ==
Ariel O. Barria (1):
      * Monitor quit when not exists no process no stops

Jakub Hrozek (42):
      * Updating the version for the 1.9.3 release
      * LDAP: Check validity of naming_context
      * Allow setting the default_shell option per-domain as well
      * KRB5: Return error when principal selection fails
      * Free the internal DP request
      * LDAP: Fix off-by-one error when saving ghost users
      * Monitor: read the correct SIGKILL timeout for providers, too
      * PAM: Do not leak fd after SELinux context file is written
      * Do not always return PAM_SYSTEM_ERR when offline krb5 authentication 
      * KRB5: Rename variable to avoid shadowing a global declaration
      * Only build extract_and_send_pac on platforms that support it
      * Include the auth_utils.h header in the distribution
      * SYSDB: Do not touch the member attribute during conversion to ghost 
      * Provide AM_COND_IF-combatible implementation for old automake systems
      * LDAP: Expire even non authenticated connections
      * SUDO: Fix wrong variable check
      * SERVER: Check the return value of waitpid
      * LDAP: Allocate the temporary context on NULL, not memctx
      * LDAP: Fix saving empty groups
      * LDAP: use the correct memory context
      * LDAP: Refactor saving ghost users
      * Restart services with a delay in case they are restarted too often
      * MAN: document the ldap_sasl_realm option
      * LDAP: Provide a common sdap_set_sasl_options init function
      * LDAP: Checking the principal should not be considered fatal
      * LDAP: Make it possible to use full principal in ldap_sasl_authid again
      * SYSDB: Use the add_string convenience functions for managing ghost user 
      * LDAP: Only convert direct parents' ghost attribute to member
      * MONITOR: Fix off-by-one error in add_string_to_list
      * Handle compiling FQDN regular expression with old pcre gracefully
      * MEMBEROF: Do not add the ghost attribute to self
      * TESTS: Test ghosts users in the RFC2307 schema
      * NSS: Fix netgroup midpoint cache refresh
      * LDAP: Continue adjusting group membership even if there is nothing to 
      * MEMBEROF: Implement delete operation for ghost users
      * MEMBEROF: split processing the member modify into a separate function
      * MEMBEROF: Split the del ghost attribute op into a reusable function
      * MEMBEROF: Split the add ghost operation into a separate function
      * MEMBEROF: Implement the modify operation for ghost users
      * MEMBEROF: Keep inherited ghost users around on modify operation
      * RESOLV: return ENOENT if the address list is empty
      * Updating the translations for the 1.9.3 release

Jan Cholasta (3):
      * Use systemd by default on Fedora 16+
      * Fix errors reported by rpmlint
      * MAN: Move ssh_known_hosts_timeout documentation to the correct section

Michal Zidek (11):
      * sss_cache: Multiple domains not handled properly
      * util: Added new file util_lock.c
      * sss_cache: Remove fastcache even if sssd is not running.
      * util_lock.c: sss_br_lock_file accepted invalid parameter value
      * debug: print fatal and critical errors if debug level is unresolved
      * sss_cache: Small refactor.
      * Uninitialized pointer read
      * idmap: Silence DEBUG messages when dealing with built-in SIDs.
      * Null pointer dereferenced.
      * Dereference after null check in sss_idmap_sid_to_unix
      * Missing parameter in DEBUG message.

Ondrej Kos (4):
      * MAN: sssd-simple - suggest awarness of empty rules
      * Display more information on DB version crash
      * LDAP: fix uninitialized variable
      * SYSDB: Don't operate with aliases same as name

Pavel Březina (23):
      * sudo: do not fail if usn value is zero but full refresh is completed
      * sudo refresh: handle errors properly
      * authconfig: allow chpass_provider = proxy
      * add SSSDBG_IMPORTANT_INFO macro
      * fix indendation, coding style and debug levels in server.c
      * make monitor_quit() usable outside signal handler
      * exit original process after sssd is initialized
      * create pid file immediately after fork again
      * do not default fullname to gecos when schema = ad
      * sss_dp_get_domains_send(): handle subreq error correctly
      * subdomains: check request type on one place only
      * backend: add PAC to the list of known clients
      * sudo: fix missing parameter in two debug messages
      * use tmp_ctx in sudosrv_get_sudorules_from_cache()
      * sudo: support users from subdomains
      * sudo: do not send domain name with username
      * sudo: print how many rules we are refreshing or returning
      * sudo: store rules with no sudoHost attribute
      * fix SIGSEGV in IPA provider when ldap_sasl_authid is not set
      * avoid versioning libsss_sudo
      * warn user if password is about to expire
      * do not crash when id_provider is not set
      * sudo: print rule name if notBefore or notAfter attribute is missing

Simo Sorce (9):
      * Simplify writing db update functions
      * Refactor the way subdomain accounts are saved
      * Handle conversion to fully qualified usernames
      * mmap cache: public functions to invalidate records
      * Hook to perform a mmap cache update from sssd_nss
      * Hook for mmap cache update on initgroup calls
      * Add backchannel NSS provider query on initgr calls
      * Always append rctx as private data
      * Add memory barrier to mmap cache client code loop

Stephen Gallagher (9):
      * LDAP: Better debug logging when saving groups
      * RPMS: Move sss_cache tool to main package
      * Monitor: Better debugging for ping timeouts
      * MAN: Specify the correct location for the force_timeout option
      * SSSDConfig: Locate the force_timeout option in the correct sections
      * MAN: Fix validation error caused by bad 'ca' translation
      * SUDO: Remove unused variable
      * BUILD: Temporary workaround for Kerberos build
      * IPA: Handle bad results from c-ares lookup

Sumit Bose (34):
      * Fix two errors in the nss responder
      * subdomain-id: Generate homedir only for users not groups
      * pac responder: fix copy-and-paste error
      * sysdb: look for ranges in the parent tree
      * pac responder: use only lower case user name
      * pac responder: add user principal and name alias to cached user object
      * krb5_auth_send: check for sub-domains
      * sysdb: add sysdb_base_dn()
      * check_ccache_files: search sub-domains as well
      * Add replacement for krb5_find_authdata()
      * krb5_auth: check if principal belongs to a different realm
      * krb5_auth: send different_realm flag to krb5_child
      * krb5_child: send PAC to PAC responder
      * krb5_mod_ccname: replace wrong memory context
      * krb5_child: send back the client principal
      * Add new call find_or_guess_upn()
      * Use find_or_guess_upn() where needed
      * krb5_auth: update with correct UPN if needed
      * sss_parse_name_for_domains: always return the canonical domain name
      * Make sub-domains case-insensitive
      * Clarify debug message about initgroups and subdomains
      * Do not remove a group if it has members from subdomains
      * Add diff_gid_lists() with test
      * Add pac_user_get_grp_info() to read current group memberships
      * Get lists of GIDs to be added and deleted and use them
      * Store the original group DN in the subdomain user object
      * Add string_in_list() and add_string_to_list() with tests
      * Always start PAC responder if IPA ID provider is configured
      * Run IPA subdomain provider if IPA ID provider is configured
      * Do not save HBAC rules in subdomain subtree
      * Just use the service name with krb5_get_init_creds_password()
      * Fix compare_principal_realm() check
      * Disable canonicalization during password changes
      * KRB5: Work around const warning for krb5 releases older than 1.11

Timo Aaltonen (1):
      * link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthread

Freeipa-interest mailing list

Reply via email to