=== SSSD 1.10 Alpha 1 ===

The SSSD team is proud to announce the alpha release of version 1.10 of
the System Security Services Daemon.

This alpha release includes all the features developed since sssd-1-9
branched off, as well as a refactoring of several internal interfaces,
making the code more readable and maintainable in the long term.

As always, the source is available from https://fedorahosted.org/sssd.
RPM packages will be made available for Fedora 19 and rawhide shortly.

The SSSD 1.10 Beta release is scheduled for April 25th and will contain
all the planned features. We will most likely issue another pre-release
build prior to the Beta, but that has not been firmly scheduled yet.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:

== Highlights ==
 * Includes a fix for CVE-2013-0287: A simple access provider flaw prevents
   intended ACL use when SSSD is configured as an Active Directory client
 * Many internal interfaces were refactored, making the code more readable
   and maintainable in the long term. This refactoring includes the subdomains
   code, the sysdb interface as a whole, internal error code reporting,
   SELinux login context processing and processing of nested LDAP groups.
 * A new option ipa_dyndns_ttl was added, allowing the client to set a
   custom TTL on IPA dynamic DNS updates
 * A new ignore_group_members option was added. This option can be used
   to suppress downloading group members on group lookups, making the group
   lookups much faster for environments that do not need to know the group
 * A new option ldap_rfc2307_fallback_to_local_users was added. If this
   option is set to true, SSSD is able to resolve local group members of
   LDAP groups.
 * Added support for krb5 1.11's responder callback.
 * Support for libnl version 3 was added.
 * Fixed an indexing bug that prevented the contents of autofs maps from
   being returned to the automounter daemon in case the map contained a
   large number of entries
 * Fixed spurious password expiration warning that was printed on login
   with the Kerberos back end
 * Fixed a regression when saving binary attributes to the cache
 * Fixed a file descriptor leak when sss_cache was executed 

== Packaging Changes ==
 * The shared components of the SSSD are now built as a shared library to
   reduce the amount of duplicated code being linked into multiple SSSD
   binaries and lower the disk usage of an SSSD installation.
 * The check that ensured that SSSD is running with the same ldb version it
   was built against was made optional, defaulting to false. You can enable the
   strict check again by selecting --enable-ldb-version-check during configure

== Tickets Fixed ==
    Support libnl 3.x
    [RFE] implement a script/tool joining to the Active Directory domain
    compilation warnings with -O2
    When multiple values are assigned, sss_debuglevel should display a usage 
    Missing resolv.conf should be non-fatal
    [RFE] Add support for suppressing group members
    [RFE] Kerberos canonicalization should be skipped on password-changes in AD 
    SSSD has a much longer TTL when updating a DNS record than IPA client install placed in the beginning
    Move sss_cache to the main subpackage
    failover should protect against empty host names
    include talloc log in our debug facility
    Change responder contexts hierarchy
    Make authtoken opaque objects
    [RFE] Send user principal together with the PAC to the pac responder
    [RFE] refactor sysdb interface
    LDAP_CONTROL_X_DEREF: sssd should fallback if server returns 
    sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin
    Decrease the krb5_auth_timeout default value of 15
    selinux: move all logic to responder, provider should only update db
    selinux: reuse IPA_HBAC_REFRESH or provide an alternative
    Unnecessary output is seen when invalid option is passed to sss_cache
    sss_* tools with use_fully_qualified_names should require fqdn
    Refactor subdomain interfaces
    append new line to error string from poptStrerror()
    check the return values of sysdb_transaction_commit in sysdb tests
    remove the alt_db_path parameter of sysdb_init
    use an explanatory macro for checking if a domain is a subdomain
    Negative cache messages are displayed at too low of a DEBUG level
    Possible null dereference in ipa_subdomains.c
    reuse open_cloexec elsewhere in the code
    SSSD returns System Error if the ccachedir is not writable
    Filter out inappropriate multicast and subnet broadcast addresses from IPA dynamic DNS update
    RFE: Add a new override_homedir expansion for the "original value"
    Uninitialized scalar variable in responder_get_domain
    Unchecked return value in tests
    make the get_next_domain() function a little more readable
    make the ldb check configurable
    Refresh doxygen template files
    sysdb unit tests uses system memberof
    Invalid assignment to enum
    segmentation fault in cmocka unit tests with raised optimization level
    Support for libini 1.0
    nss and pam clients broken in master
    Add --with-test-dir=/dev/shm to DISTCHECK_CONFIGURE_FLAGS

== Detailed Changelog ==
Abhishek Singh (1):
      * filename in comment is corrected
Ariel Barria (1):
      * Improve syslog message when configuration cannot be loaded
Jakub Hrozek (44):
      * Bump version to 1.10dev
      * Require ar in configure.ac
      * TESTS: Fix a couple of debug-level setters
      * SYSDB: Remove unused macros
      * LDAP: Remove double break
      * Indentation fix
      * Bump the version and reset release back to 0
      * tests: add a unit test for sysdb_netgroup_base_dn
      * tests: unit test for test_sysdb_search_users
      * tests: add a unit test for test_sysdb_search_groups
      * tests: test sysdb_initgroups
      * tests: add unit test for sysdb_get_new_id
      * tests: unit test for sysdb_remove_attrs
      * TOOLS: set domain in check_group_names
      * Fix code style
      * Don't use srcdir with tests
      * krb5: include backwards compatible declaration of krb5_trace_info
      * LDAP: Check for authtok validity
      * Filter out multicast addresses from IPA DNS updates
      * Lower the DEBUG level if an entry cannot be deleted from memcache
      * Fix the krb5 password expiration warning
      * Remove enumerate=true from man sssd-ldap
      * Do not process success case in an else
      * Revert "Add debug message to autofs client"
      * Don't treat 0 as default for pam_pwd_expiration warning
      * Remove unused functions
      * Use the correct memory context in be_req_create
      * Check the return value of sysdb_search_services
      * Detect the presence of libcmocka during configure
      * Add utility functions for tests that use sysdb or tevent.
      * Move sss_cmd_execute from client to responder code.
      * CMocka based test for the NSS responder
      * Retry the correct service on krb5 child timeout
      * Remove duplicate remake from bashrc_sssd
      * Provide a be_get_account_info_send function
      * Add unit tests for simple access test by groups
      * Do not compile main() in DP if UNIT_TESTING is defined
      * Resolve GIDs in the simple access provider
      * Return error code from ipa_subdom_store
      * Move signal.m4 from src/util to external
      * Document what does access_provider=ad do
      * Include config.h to build io.c on RHEL5
      * selinux: Remove unused parameter
      * Updating the translations for the 1.10 alpha release
James Hogarth (1):
      * Make TTL configurable for dynamic dns updates
Jan Cholasta (1):
      * LDAP: If deref search fails, try again without deref
Jan Engelhardt (1):
      * sysdb: try dealing with binary-content attributes
John Hodrien (1):
      * Correct sss_ssh_knowhostsproxy typo in man pages
Kamil Dudka (1):
      * sssd-1.8.0: work around a bug in cov-build from Coverity
Lukas Slebodnik (12):
      * Improved readability of get_next_domain()
      * Fixed typo in debug message.
      * Removing unused parameter type from sudosrv_get_sudorules_query_cache()
      * Reuse sss_open_cloexec at other places in code.
      * More generalized function open_debug_file_ex()
      * Removing unused header file providers.h
      * Fix sss_client breakage.
      * Removing unused declaration of functions and variable.
      * Making the ldb check configurable
      * Fixing duplicate const
      * Reusing create_pam_data() on the other places.
      * Making the authtok structure really opaque.
Michal Zidek (15):
      * sss_debuglevel: Multiple arguments are treated as error.
      * Include talloc log in our debug facility
      * failover: Protect against empty host names
      * sss_cache: Call DEBUG_INIT sooner
      * tools: Respect use_fully_qualified_names
      * Possible null dereference in ipa_subdomains.c.
      * Unchecked return value in files.c
      * Use the same dbg level for all ncache hits.
      * Remove the alt_db_path parameter of sysdb_init
      * File descriptor leak in nss responder.
      * Debug message in sss_mc_create_file.
      * Move SELinux processing to provider.
      * Reuse cached SELinux mappings.
      * Make the SELinux refresh time configurable.
      * tests: Print warning if LDB_MODULES_PATH is not set
Milan Cejnar (1):
      * tools: append new line to string from poptStrerror()
Nathaniel McCallum (1):
      * Add support for krb5 1.11's responder callback.
Ondrej Kos (13):
      * MAN: quotation fix
      * Display more information on DB version mismatch
      * SYSDB: split sysdb_add_user
      * TESTS: Fix coverity issues 13126, 13127
      * TESTS: include error message on fail
      * Fix uninitialized time_t var in responder
      * krb5_child: fix value type and initialization
      * Fix initialization of multiple variables
      * Fix coverity issue 13136
      * Decrease krb5_auth_timeout default
      * Update README file
      * LDAP: Fix value initialization
      * Provide libnl3 support
Paul B. Henson (1):
      * Add ignore_group_members option.
Pavel Březina (25):
      * sudo: do not hardcode protocol version
      * fix -O3 variable may be uninitialized warnings
      * sudo: print message if old protocol is used
      * sudo manpage: clarify that sudoHost may contain wildcards and not regular expression
      * use talloc_zfree when freeing rhostent in resolver
      * set ret to EOK after for loop in sdap_sudo_purge_sudoers
      * Fix LDAP authentication - invalid password length
      * set struct bet_info->bet_type
      * krb: recreate ccache if it was deleted
      * dp: check whether hostid backend is configured before filing be request
      * get_next_domain() test dom->parent->next for NULL
      * subdomains: replace invalid characters with underscore in krb5 mapping file name
      * if selinux is disabled, ignore that selogin dir is missing
      * sdap_fill_memberships: continue if a member is not found in sysdb
      * Add debug message to autofs client
      * autofs: fix invalid header 'number of entries' in packet
      * build: require libcmocka on fedora 18+
      * fix segfault in nss responder unit test
      * krb5-utils-tests: remove invalid condition
      * correct order in error_to_str table
      * do not leak memory on failure in *_process_init()
      * change responder contexts hierarchy
      * coding style fix
      * refactor nested group processing: add new code
      * refactor nested group processing: replace old code
Simo Sorce (131):
      * Add helpers to set common mc record fields
      * Save errno before it might be modified.
      * Revert "Avoid accessing half-deallocated memory when using talloc_zfree 
      * Avoid duplicating macros
      * Avoid const warnings when deallocating memory
      * Fix tevent_req style for krb5_auth
      * Fix ipa_subdomain_id names and tevent_req style
      * Fix tevent_req style for get_netgroup in ipa_id
      * Streamline ipa_account_info handler
      * Use an entry type mask macro to filter entry types
      * Fix comment on wrong line
      * Remove redundant definition.
      * Fix tevent_req style for sdap_async_sudo.
      * Remove unhelpful vtable from sss_cache
      * Remove dead netgroup functions
      * Revert "Add a default section to a switch-statement"
      * Add sysdb_search_service() helper function
      * Use sysdb_search_service() for all svc queries
      * Fix sdap reinit.
      * Code can only check for cached passwords
      * Add function to safely wipe memory.
      * Add authtok utility functions.
      * Change pam data auth tokens.
      * Use new sysdb_search_service() in sss_cache
      * The Big sysdb/domain split-up!
      * Refactor sysdb initialization
      * Refactor single domain initialization
      * Remove the sysdb_ctx_get_domain() function.
      * Make sysdb_user_dn() require a domain explicitly.
      * Make sysdb_group_dn() require a domain explicitly.
      * Make sysdb_netgroup_dn() require a domain explicitly.
      * Make sysdb_netgroup_base_dn() require a domain.
      * Make sysdb_domain_dn() require a domain.
      * Make sysdb_custom_dn() require a domain.
      * Make sysdb_custom_subtree_dn() require a domain.
      * Move range objects into their own top-level tree.
      * Upgrade DB and move ranges into top level object
      * Pass domain to sysdb_get<pw/gr>nam() functions
      * Pass domain to sysdb_get<pwu/grg>id() functions
      * Pass domain to sysdb_enum<pw/gr>ent() functions
      * Add domain option to sysdb_get/netgr/attrs() fns
      * Add domain argument to sysdb_initgroups()
      * Add domain argument to sysdb_get_user_attr()
      * Add domain to sysdb_search_user_by_name()
      * Add domain to sysdb_search_user_by_uid()
      * Add domain to sysdb_search_group_by_name()
      * Add domain to sysdb_search_group_by_gid()
      * Add domain arg to sysdb_search_netgroup_by_name()
      * Add domain argument to sysdb_set_user_attr()
      * Add domain argument to sysdb_set_group_attr()
      * Add domain argument to sysdb_set_netgroup_attr()
      * Add domain argument to sysdb_get_new_id()
      * Add domain argument to sysdb_add_basic_user()
      * Add domain argument to sysdb_add_user()
      * Add domain arguments to sysdb_add_group functions.
      * Add domain arguments to sysdb_add_inetgroup fns.
      * Add domain argument to sysdb_store_user()
      * Add domain argument to sysdb_store_group()
      * Add domain arg to sysdb group member functions
      * Add domain argument to sysdb_cache_password()
      * Add domain argument to sysdb_cache_auth()
      * Add domain argument to sysdb_store_custom()
      * Add domain argument to sysdb_search_custom()
      * Add domain to sysdb_delete_custom
      * Add domain arg to sysdb_search_users()
      * Add domain argument to sysdb_delete_user()
      * Add domain argument to sysdb_search_groups()
      * Add domain argument to sysdb_delete_group()
      * Add domain arg to sysdb_search/delete_netgroup()
      * Add domain argument to sysdb_has/set_enumerated()
      * Add domain argument to sysdb_remove_attrs()
      * Add domain argument to sysdb_idmap_ functions
      * Add domain argument to sysdb_get_real_name()
      * Add domain argument to sysdb autofs functions
      * Add domain argument to sysdb selinux functions
      * Add domain arguments to sysdb services functions
      * Add domain arguments to sysdb ssh functions
      * Add domain arguments to sysdb sudo functions
      * Add domain to some subdomain functions
      * Pass the domain to upgrade functions
      * Move mpg flag to the domain where it belongs
      * Kill sysdb->domain
      * Stop creating fake sysdb contexts
      * Tidy up BASE dn macros
      * Remove outdated code.
      * Move ldap provider access functions
      * Remove sysdb as a be context structure member
      * Remove sysdb as a be request structure member
      * Remove sysdb argument from ipa_host_info_send()
      * Remove unused structure
      * Remove sysdb argument from hbac_user_attrs_to_rule()
      * Remove sysdb arg from hbac_service_attrs_to_rule()
      * Remove sysdb arg from hbac_*host_attrs_to_rule()
      * Remove sysdb arg from ipa_hbac_service_info_send()
      * Remove sysdb arg from [ipa_]hbac_sysdb_save()
      * Remove sysdb argument from hbac_get_cached_rules()
      * Remove hbac_ctx_sysdb()
      * Remove hbac_ctx_be()
      * Remove hbac_ctx_ev()
      * Remove hbac_ctx_sdap_id_[ctx|op]()
      * Move hbac_ctx_is_offline()
      * Do not pass NULL to ipa_subdomain_retrieve()
      * Split simple_access_check function out
      * Pass domain not be_req to access check functions
      * Remove domain from be_req structure
      * Introduce be_req_terminate() helper
      * Add be_req_create() helper
      * Add be_req_get_be_ctx() helper.
      * Add be_req_get_data() helper function.
      * Make struct be_req opaque
      * Add realm info to sss_domain_info
      * Avoid sysdb_subdom in sysdb_get_subdomains()
      * Update main domain info in place
      * Refactor sysdb_master_domain_add_info()
      * Add sysdb_subdomain_store() function
      * Remove sysdb_subdom completely
      * Add function get_next_domain()
      * Add ability to disable domains
      * Change the way domains are linked.
      * Parent and subdomains use the same sysdb
      * Introduce IS_SUBDOMAIN() macro
      * krb5_child style fix
      * Refactor krb5 child
      * Add SSSD specific error codes and definitions
      * Use SSSD specific errors for offline auth
      * Return ERR_INTERNAL instead of EIO
      * Cleanup error message handling for krb5 child
      * Improve IS_SSSD_ERROR() macro
      * Use common error facility instead of sdap_result
      * Convert sdap_access to new error codes
      * ldap: Fallback option for rfc2307 schema
Stephen Gallagher (10):
      * LDAP: Better debug logging when saving groups
      * Correct format security for talloc_named of auth tokens
      * Fix minor grammar error in log
      * NSS: Add original homedir to home directory template options
      * BUILD: Build shared components as an internal shared library
      * BUILD: Add contributed macros and aliases to simplify building
      * BUILD: Include build aliases in the tarball
      * BUILD: Fix cmocka detection
      * BUILD: Fix up whitespace in Makefile.am
      * BUILD: Always run distcheck and RPM tests in /dev/shm
Sumit Bose (1):
      * Add a default section to a switch-statement
Thorsten Scherf (1):
      * Updated Doxygen configuration to 1.8.1
