=== SSSD 1.10 Alpha 1 ===
The SSSD team is proud to announce the alpha release of version 1.10 of
the System Security Services Daemon.
This alpha release includes all the features developed since the sssd-1-9
branched off as well as refactoring of several internal interfaces,
making the code more readable and maintanable in the long term.
As always, the source is available from https://fedorahosted.org/sssd.
RPM packages will be made available for Fedora 19 and rawhide shortly.
The SSSD 1.10 Beta release is scheduled for April 25th and will contain
all the planned features. We will most likely issue another pre-release
build prior to the Beta, but that has not been firmly scheduled yet.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Includes a fix for CVE-2013-0287: A simple access provider flaw prevents
intended ACL use when SSSD is configured as an Active Directory client
* Many internal interfaces were refactored, making the code more readable
and maintanable in the long term. This refactoring includes the subdomains
code, the sysdb interface as a whole, internal error code reporting,
SELinux login context processing and processing of nested LDAP groups.
* A new option ipa_dyndns_ttl was added, allowing the client to set a
custom TTL on IPA dynamic DNS updates
* A new ignore_group_members option was added. This option can be used
to suppress downloading group members on group lookups, making the group
lookups much faster for environments that do not need to know the group
members.
* A new option ldap_rfc2307_fallback_to_local_users was added. If this
option is set to true, SSSD is be able to resolve local group members of
LDAP groups.
* Added support for krb5 1.11's responder callback.
* Support for libnl version 3 was added.
* Fixed an indexing bug that prevented the contents of autofs maps from
being returned to the automounter deamon in case the map contained a
large number of entries
* Fixed spurious password expiration warning that was printed on login
with the Kerberos back end
* Fixed a regression when saving binary attributes to the cache
* Fixed a file descriptor leak when sss_cache was executed
== Packaging Changes ==
* The shared components of the SSSD are now built as a shared library to
reduce amount of duplicated code being linked into multiple SSSD binaries
and lower the disk usage of SSSD installation.
* The check that ensured that SSSD is running with the same ldb version it
was built against was made optional, defaulting to false. You can enable the
strict check again by selecting --enable-ldb-version-check during configure
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/812
Support libnl 3.x
https://fedorahosted.org/sssd/ticket/1033
[RFE] implement a script/tool joining to the Active Directory domain
https://fedorahosted.org/sssd/ticket/1287
compilation warnings with -O2
https://fedorahosted.org/sssd/ticket/1327
When multiple values are assigned, sss_debuglevel should display a usage
message
https://fedorahosted.org/sssd/ticket/1371
Missing resolv.conf should be non-fatal
https://fedorahosted.org/sssd/ticket/1376
[RFE] Add support for suppressing group members
https://fedorahosted.org/sssd/ticket/1405
[RFE] Kerberos canonicalization should be skipped on password-changes in AD
provider
https://fedorahosted.org/sssd/ticket/1476
SSSD has a much longer TTL when updating a DNS record than IPA client
install placed in the beginning
https://fedorahosted.org/sssd/ticket/1481
Move sss_cache to the main subpackage
https://fedorahosted.org/sssd/ticket/1484
failover should protect against empty host names
https://fedorahosted.org/sssd/ticket/1495
include talloc log in our debug facility
https://fedorahosted.org/sssd/ticket/1575
Change responder contexts hierarchy
https://fedorahosted.org/sssd/ticket/1586
Make authtoken opaque objects
https://fedorahosted.org/sssd/ticket/1603
[RFE] Send user principal together with the PAC to the pac responder
https://fedorahosted.org/sssd/ticket/1643
[RFE] refactor sysdb interface
https://fedorahosted.org/sssd/ticket/1660
LDAP_CONTROL_X_DEREF: sssd should fallback if server returns
LDAP_UNAVAILABLE_CRITICAL_EXTENSION error
https://fedorahosted.org/sssd/ticket/1712
sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin
https://fedorahosted.org/sssd/ticket/1738
Decrease the krb5_auth_timeout default value of 15
https://fedorahosted.org/sssd/ticket/1743
selinux: move all logic to responder, provider should only update db
https://fedorahosted.org/sssd/ticket/1744
selinux: reuse IPA_HBAC_REFRESH or provide an alternative
https://fedorahosted.org/sssd/ticket/1745
Unnecessary output is seen when invalid option is passed to sss_cache
https://fedorahosted.org/sssd/ticket/1746
sss_* tools with use_fully_qualified_names should require fqdn
https://fedorahosted.org/sssd/ticket/1747
Refactor subdomain interfaces
https://fedorahosted.org/sssd/ticket/1756
append new line to error string from poptStrerror()
https://fedorahosted.org/sssd/ticket/1763
check the return values of sysdb_transaction_commit in sysdb tests
https://fedorahosted.org/sssd/ticket/1765
remove the alt_db_path parameter of sysdb_init
https://fedorahosted.org/sssd/ticket/1766
use an explanatory macro for checking if a domain is a subdomain
https://fedorahosted.org/sssd/ticket/1771
Negative cache messages are displayed at too low of a DEBUG level
https://fedorahosted.org/sssd/ticket/1790
Possible null derefence in ipa_subdomains.c
https://fedorahosted.org/sssd/ticket/1794
reuse open_cloexec elsewhere in the code
https://fedorahosted.org/sssd/ticket/1803
SSSD returns System Error if the ccachedir is not writable
https://fedorahosted.org/sssd/ticket/1804
Filter out inappropriate multicast and subnet broadcast addresses from IPA
dynamic DNS update
https://fedorahosted.org/sssd/ticket/1805
RFE: Add a new override_homedir expansion for the "original value"
https://fedorahosted.org/sssd/ticket/1810
Uninitialized scalar variable in responder_get_domain
https://fedorahosted.org/sssd/ticket/1811
Unchecked return value in tests
https://fedorahosted.org/sssd/ticket/1812
make the get_next_domain() function a little more readable
https://fedorahosted.org/sssd/ticket/1813
make the ldb check configurable
https://fedorahosted.org/sssd/ticket/1819
Refresh doxygen template files
https://fedorahosted.org/sssd/ticket/1820
sysdb unit tests uses system memberof
https://fedorahosted.org/sssd/ticket/1825
Invalid assignment to enum
https://fedorahosted.org/sssd/ticket/1833
segmentation fault in cmocka unit tests with raised optization level
https://fedorahosted.org/sssd/ticket/1834
Support for libini 1.0
https://fedorahosted.org/sssd/ticket/1838
nss and pam clients broken in master
https://fedorahosted.org/sssd/ticket/1840
Add --with-test-dir=/dev/shm to DISTCHECK_CONFIGURE_FLAGS
== Detailed Changelog ==
Abhishek Singh (1):
* filename in comment is corrected
Ariel Barria (1):
* Improve syslog message when configuration cannot be loaded
Jakub Hrozek (44):
* Bump version to 1.10dev
* Require ar in configure.ac
* TESTS: Fix a couple of debug-level setters
* SYSDB: Remove unused macros
* LDAP: Remove double break
* Indentation fix
* Bump the version and reset release back to 0
* tests: add a unit test for sysdb_netgroup_base_dn
* tests: unit test for test_sysdb_search_users
* tests: adda a unit test for test_sysdb_search_groups
* tests: test sysdb_initgroups
* tests: add unit test for sysdb_get_new_id
* tests: unit test for sysdb_remove_attrs
* TOOLS: set domain in check_group_names
* Fix code style
* Don't use srcdir with tests
* krb5: include backwards compatible declaration of krb5_trace_info
* LDAP: Check for authtok validity
* Filter out multicast addresses from IPA DNS updates
* Lower the DEBUG level if an entry cannot be deleted from memcache
* Fix the krb5 password expiration warning
* Remove enumerate=true from man sssd-ldap
* Do not process success case in an else
* Revert "Add debug message to autofs client"
* Don't treat 0 as default for pam_pwd_expiration warning
* Remove unused functions
* Use the correct memory context in be_req_create
* Check the return value of sysdb_search_services
* Detect the presence of libcmocka during configure
* Add utility functions for tests that use sysdb or tevent.
* Move sss_cmd_execute from client to responder code.
* CMocka based test for the NSS responder
* Retry the correct service on krb5 child timeout
* Remove duplicate remake from bashrc_sssd
* Provide a be_get_account_info_send function
* Add unit tests for simple access test by groups
* Do not compile main() in DP if UNIT_TESTING is defined
* Resolve GIDs in the simple access provider
* Return error code from ipa_subdom_store
* Move signal.m4 from src/util to external
* Document what does access_provider=ad do
* Include config.h to build io.c on RHEL5
* selinux: Remove unused parameter
* Updating the translations for the 1.10 alpha release
James Hogarth (1):
* Make TTL configurable for dynamic dns updates
Jan Cholasta (1):
* LDAP: If deref search fails, try again without deref
Jan Engelhardt (1):
* sysdb: try dealing with binary-content attributes
John Hodrien (1):
* Correct sss_ssh_knowhostsproxy typo in man pages
Kamil Dudka (1):
* sssd-1.8.0: work around a bug in cov-build from Coverity
Lukas Slebodnik (12):
* Improved readability of get_next_domain()
* Fixed typo in debug message.
* Removing unused parameter type from sudosrv_get_sudorules_query_cache()
* Reuse sss_open_cloexec at other places in code.
* More generalized function open_debug_file_ex()
* Removing unused header file providers.h
* Fix sss_client breakage.
* Removing unused declaration of functions and variable.
* Making the ldb check configurable
* Fixing duplicate const
* Reusing create_pam_data() on the other places.
* Making the authtok structure really opaque.
Michal Zidek (15):
* sss_debuglevel: Multiple arguments are treated as error.
* Include talloc log in our debug facility
* failover: Protect against empty host names
* sss_cache: Call DEBUG_INIT sooner
* tools: Respect use_fully_qualified_names
* Possible null derefence in ipa_subdomains.c.
* Unchecked return value in files.c
* Use the same dbg level for all ncache hits.
* Remove the alt_db_path parameter of sysdb_init
* File descriptor leak in nss responder.
* Debug message in sss_mc_create_file.
* Move SELinux processing to provider.
* Reuse cached SELinux mappings.
* Make the SELinux refresh time configurable.
* tests: Print warning if LDB_MODULES_PATH is not set
Milan Cejnar (1):
* tools: append new line to string from poptStrerror()
Nathaniel McCallum (1):
* Add support for krb5 1.11's responder callback.
Ondrej Kos (13):
* MAN: quotation fix
* Display more information on DB version mismatch
* SYSDB: split sysdb_add_user
* TESTS: Fix coverity issues 13126, 13127
* TESTS: include error message on fail
* Fix uninitialized time_t var in responder
* krb5_child: fix value type and initialization
* Fix initialization of multiple variables
* Fix coverity issue 13136
* Decrease krb5_auth_timeout default
* Update README file
* LDAP: Fix value initialization
* Provide libnl3 support
Paul B. Henson (1):
* Add ignore_group_members option.
Pavel Březina (25):
* sudo: do not hardcode protocol version
* fix -O3 variable may be uninitialized warnings
* sudo: print message if old protocol is used
* sudo manpage: clarify that sudoHost may contain wildcards and not
regular expression
* use talloc_zfree when freeing rhostent in resolver
* set ret to EOK after for loop in sdap_sudo_purge_sudoers
* Fix LDAP authentication - invalid password length
* set struct bet_info->bet_type
* krb: recreate ccache if it was deleted
* dp: check whether hostid backend is configured before filing be request
* get_next_domain() test dom->parent->next for NULL
* subdomains: replace invalid characters with underscore in krb5 mapping
file name
* if selinux is disabled, ignore that selogin dir is missing
* sdap_fill_memberships: continue if a member is not foud in sysdb
* Add debug message to autofs client
* autofs: fix invalid header 'number of entries' in packet
* build: require libcmocka on fedora 18+
* fix segfault in nss responder unit test
* krb5-utils-tests: remove invalid condition
* correct order in error_to_str table
* do not leak memory on failure in *_process_init()
* change responder contexts hierarchy
* coding style fix
* refactor nested group processing: add new code
* refactor nested group processing: replace old code
Simo Sorce (131):
* Add helpers to set common mc record fields
* Save errno before it might be modified.
* Revert "Avoid accessing half-deallocated memory when using talloc_zfree
macro."
* Avoid duplicating macros
* Avoid const warnings when deallocating memory
* Fix tevent_req style for krb5_auth
* Fix ipa_subdomain_id names and tevent_req style
* Fix tevent_req style for get_netgroup in ipa_id
* Streamline ipa_account_info handler
* Use an entry type mask macro to filter entry types
* Fix comment on wrong line
* Remove redundant definition.
* Fix tevent_req style for sdap_async_sudo.
* Remove unhelpful vtable from sss_cache
* Remove dead netgroup functions
* Revert "Add a default section to a switch-statement"
* Add sysdb_search_service() helper function
* Use sysdb_search_service() for all svc queries
* Fix sdap reinit.
* Code can only check for cached passwords
* Add function to safely wipe memory.
* Add authtok utility functions.
* Change pam data auth tokens.
* Use new sysdb_search_service() in sss_cache
* The Big sysdb/domain split-up!
* Refactor sysdb initialization
* Refactor single domain initialization
* Remove the sysdb_ctx_get_domain() function.
* Make sysdb_user_dn() require a domain explictly.
* Make sysdb_group_dn() require a domain explictly.
* Make sysdb_netgroup_dn() require a domain explictly.
* Make sysdb_netgroup_base_dn() require a domain.
* Make sysdb_domain_dn() require a domain.
* Make sysdb_custom_dn() require a domain.
* Make sysdb_custom_subtree_dn() require a domain.
* Move range objects into their own top-level tree.
* Upgrade DB and move ranges into top level object
* Pass domain to sysdb_get<pw/gr>nam() functions
* Pass domain to sysdb_get<pwu/grg><id() functions
* Pass domain to sysdb_enum<pw/gr>ebt() functions
* Add domain option to sysdb_get/netgr/attrs() fns
* Add domain argument to sysdb_initgroups()
* Add domain argument to sysdb_get_user_attr()
* Add domain to sysdb_search_user_by_name()
* Add domain to sysdb_search_user_by_uid()
* Add domain to sysdb_search_group_by_name()
* Add domain to sysdb_search_group_by_gid()
* Add domain arg to sysdb_search_netgroup_by_name()
* Add domain argument to sysdb_set_user_attr()
* Add domain argument to sysdb_set_group_attr()
* Add domain argument to sysdb_set_netgroup_attr()
* Add domain argument to sysdb_get_new_id()
* Add domain argument to sysdb_add_basic_user()
* Add domain argument to sysdb_add_user()
* Add domain arguments to sysdb_add_group functions.
* Add domain arguments to sysdb_add_inetgroup fns.
* Add domain argument to sysdb_store_user()
* Add domain argument to sysdb_store_group()
* Add domain arg to sysdb group member functions
* Add domain argument to sysdb_cache_password()
* Add domain argument to sysdb_cache_auth()
* Add domain argument to sysdb_store_custom()
* Add domain argument to sysdb_search_custom()
* Add domain to sysdb_delete_custom
* Add domain arg to sysdb_search_users()
* Add domain argument to sysdb_delete_user()
* Add domain argument to sysdb_search_groups()
* Add domain argument to sysdb_delete_group()
* Add domain arg to sysdb_search/delete_netgroup()
* Add domain argument to sysdb_has/set_enumerated()
* Add domain argument to sysdb_remove_attrs()
* Add domain argument to sysdb_idmap_ funcitons
* Add domain arguemnt to sysdb_get_real_name()
* Add domain argument to sysdb autofs functions
* Add domain argument to sysdb selinux functions
* Add domain arguments to sysdb services functions
* Add domain arguments to sysdb ssh functions
* Add domain arguments to sysdb sudo functions
* Add domain to some subdomain functions
* Pass the domain to upgrade functions
* Move mpg flag to the domain where it belongs
* Kill sysdb->domain
* Stop creating fake sysdb contexts
* Tidy up BASE dn macros
* Remove outdated code.
* Move ldap provider access functions
* Remove sysdb as a be context structure member
* Remove sysdb as a be request structure member
* Remove sysdb argument from ipa_host_info_send()
* Remove unused structure
* Remove sysdb argument from hbac_user_attrs_to_rule()
* Remove sysdb arg from hbac_service_attrs_to_rule()
* Remove sysdb arg from hbac_*host_attrs_to_rule()
* Remove sysdb arg from ipa_hbac_service_info_send()
* Remove sysdb arg from [ipa_]hbac_sysdb_save()
* Remove sysdb argument from hbac_get_cached_rules()
* Remove hbac_ctx_sysdb()
* Remove hbac_ctx_be()
* Remove hbac_ctx_ev()
* Remove hbac_ctx_sdap_id_[ctx|op]()
* Move hbac_ctx_is_offline()
* Do not pass NULL to ipa_subdomain_retrieve()
* Split simple_access_check function out
* Pass domain not be_req to access check functions
* Remove domain from be_req structure
* Introduce be_req_terminate() helper
* Add be_req_create() helper
* Add be_req_get_be_ctx() helper.
* Add be_req_get_data() helper funciton.
* Make struct be_req opaque
* Add realm info to sss_domain_info
* Avoid sysdb_subdom in sysdb_get_subdomains()
* Update main domain info in place
* Refactor sysdb_master_domain_add_info()
* Add sysdb_subdomain_store() function
* Remove sysdb_subdom completely
* Add function get_next_domain()
* Add ability to disable domains
* Change the way domains are linked.
* Parent and subdomains use the same sysdb
* Introduce IS_SUBDOMAIN() macro
* krb5_child style fix
* Refactor krb5 child
* Add SSSD specific error codes and definitions
* Use SSSD specific errors for offline auth
* Return ERR_INTERNAL instead of EIO
* Cleanup error message handling for krb5 child
* Improve IS_SSSD_ERROR() macro
* Use common error facility instead of sdap_result
* Convert sdap_access to new error codes
* ldap: Fallback option for rfc2307 schema
Stephen Gallagher (10):
* LDAP: Better debug logging when saving groups
* Correct format security for talloc_named of auth tokens
* Fix minor grammar error in log
* NSS: Add original homedir to home directory template options
* BUILD: Build shared components as an internal shared library
* BUILD: Add contributed macros and aliases to simplify building
* BUILD: Include build aliases in the tarball
* BUILD: Fix cmocka detection
* BUILD: Fix up whitespace in Makefile.am
* BUILD: Always run distcheck and RPM tests in /dev/shm
Sumit Bose (1):
* Add a default section to a switch-statement
Thorsten Scherf (1):
* Updated Doxygen configuration to 1.8.1
_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest
