=== SSSD 1.10 Beta 2 ===

The SSSD team is proud to announce the second beta release of version 1.10 of the System Security Services Daemon.

This beta release includes the rest of the new features planned for 1.10. The features are mostly targeted at better integration with Microsoft Active Directory.

As always, the source is available from https://fedorahosted.org/sssd.

RPM packages will be made available for Fedora 19 and rawhide shortly.

With this release, the 1.10 version is considered feature complete and the strings are frozen. We will release the final 1.10.0 version once we fix all the known crashes and regressions. The 1.10.0 release is tentatively scheduled for the end of this week. Because the short period between this beta and the final release would not allow the translators to provide updated translations, the strings will remain frozen even for the 1.10.1 release.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* The Active Directory provider now includes support for retrieving identity information and authentication as users from trusted domains in the same forest. The SSSD looks up the information using the Global Catalog. Currently this feature is only supported when the SSSD is connected to the forest root.
* The group memberships for Active Directory users are read from the PAC during login. If the PAC is not available (such as when group membership is requested for a user who has never logged in), the SSSD falls back to using tokenGroups.
* The Active Directory provider is able to autodiscover the NetBIOS (flat) name of the domain it connects to. The NetBIOS name is discovered automatically on startup.
* The full_name_format option now accepts a new parameter that expands to the NetBIOS name of the domain.
* The new krb5_use_kdcinfo option allows the administrator to disable the Kerberos locator plugin and rely on information read from the krb5.conf file completely.
* A new option ldap_disable_range_retrieval was added. Switching this option to True skips large Active Directory groups that might otherwise take a long time to download and process.
* A new option refresh_expired_interval was added. This option allows configuring a background task that would automatically refresh entries that are nearing their expiration time. In this release, only refreshing netgroups is implemented.

== Packaging Changes ==

* The Makefile has been amended so that it no longer uses overlinking, which is disabled by default on some distributions (such as Debian and its derivatives).
* The upstream RPM specfile now packages each provider separately. The SSSD daemon and the responders are now included in the sssd-common package, while the sssd package has become a "meta package" that Requires all the existing providers for backwards compatibility.
* The libsss_sudo and libsss_autofs libraries are now part of the sssd-common package.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1510 Split providers into their own subpackages
https://fedorahosted.org/sssd/ticket/1797 Use hardened flags for building RPMs
https://fedorahosted.org/sssd/ticket/1976 Copy-n-paste error in AD provider
https://fedorahosted.org/sssd/ticket/1883 Add a new option to disable the Kerberos locator plugin completely
https://fedorahosted.org/sssd/ticket/1713 [RFE] Add a task to the SSSD to periodically refresh cached entries
https://fedorahosted.org/sssd/ticket/1891 unite periodic refresh API
https://fedorahosted.org/sssd/ticket/1789 ldap_access_order improvements (man page fix)
https://fedorahosted.org/sssd/ticket/1972 Dereference after a NULL check in tests/common_dom.c
https://fedorahosted.org/sssd/ticket/1971 Dereference before NULL check in nscd.c
https://fedorahosted.org/sssd/ticket/1816 Non-fatal errors looking up trusted domains with IPA back end
https://fedorahosted.org/sssd/ticket/1845 move libsss_sudo and libsss_autofs back into the main sssd package
https://fedorahosted.org/sssd/ticket/364 [RFE] Recognize trusted domains in AD provider
https://fedorahosted.org/sssd/ticket/1557 [RFE] Use the Global Catalog in SSSD for the AD provider
https://fedorahosted.org/sssd/ticket/1558 [RFE] Use MS-PAC to retrieve user's group list
https://fedorahosted.org/sssd/ticket/1951 NetBIOS domain name should be read at startup
https://fedorahosted.org/sssd/ticket/1929 Junk character in sssd_domain.log for domain string when sssd tries to go online from offline mode
https://fedorahosted.org/sssd/ticket/1928 Libtool fails to find dependent libraries
https://fedorahosted.org/sssd/ticket/1950 segfault while processing ASQ request
https://fedorahosted.org/sssd/ticket/1924 MAN: Make it clear which address is used to update DNS records
https://fedorahosted.org/sssd/ticket/1648 Fully qualified account names form should be able to use flatname in the fq format
https://fedorahosted.org/sssd/ticket/1930 Crash with negative values in ldap_idmap_range_size
https://fedorahosted.org/sssd/ticket/1823 getgrnam / getgrgid for large user groups is too slow due to range retrieval functionality
https://fedorahosted.org/sssd/ticket/1927 Provide a script to create a SRPM without having to run configure
https://fedorahosted.org/sssd/ticket/1785 NSCD warning is irritating
https://fedorahosted.org/sssd/ticket/1934 sssd crashes if junk is present in sssd.conf
https://fedorahosted.org/sssd/ticket/1772 Rename or alias the SAFEALIGN macros
https://fedorahosted.org/sssd/ticket/1909 Clarify the AD site discovery in sssd-ad man page
https://fedorahosted.org/sssd/ticket/1921 Login failure: Enterprise Principal enabled by default for AD Provider
https://fedorahosted.org/sssd/ticket/1905 pysss_nss_idmap improvements
https://fedorahosted.org/sssd/ticket/1914 pysss_nss_idmap: Support also Unicode strings and return them by default
https://fedorahosted.org/sssd/ticket/1922 sssd_be crashes when looking up users in the LDAP provider with ID mapping
https://fedorahosted.org/sssd/ticket/1910 Clarify that AD DNS updates are performed using GSS-TSIG
https://fedorahosted.org/sssd/ticket/1915 Turn on dyndns updates by default in the AD provider
https://fedorahosted.org/sssd/ticket/1912 SUDO is not working for users from trusted AD domain
https://fedorahosted.org/sssd/ticket/1468 [RFE] AD: Should be able to log in as long or short domains

== Detailed Changelog ==

Jakub Hrozek (45):
* Update the version for the 1.10 beta2 release
* Actually use the index parameter in resolv_get_sockaddr_address_index
* Fix a typo in sssd-ad man page
* tests: Do not set cwd twice
* Enable the AD dynamic DNS updates by default
* man: Clarify that AD dyndns updates are secured using GSS-TSIG
* LDAP: Always initialize idmap object
* Re-add a useful DEBUG message
* man: Clarify the AD site discovery documentation
* man: Note that IPA updates are secured with GSS-TSIG
* Remove unneeded parameter of setup_child and namespace it
* Fix dyndns timer initialization
* IPA: Check for ENOMEM
* Remove unneeded comment
* FO: Fix setting status of duplicates
* AD dyndns: extract the host name from URI
* Add utility functions for formatting fully-qualified names
* Check the validity of FQname format prior to using it
* Allow flat name in the FQname format
* Remove branching to improve readability
* tests: Link fqnames_tests with libsss_test_common.la
* Do not obfuscate calls with booleans
* LDAP: sdap_id_ctx might contain several connections
* LDAP: Refactor account info handler into a tevent request
* LDAP: Pass in a connection to ID functions
* LDAP: new SDAP domain structure
* LDAP: return sdap search return code to ID
* Move domain_to_basedn outside IPA subtree
* New utility function sss_get_domain_name
* LDAP: split a function to create search bases
* LDAP: store FQDNs for trusted users and groups
* Split generating primary GID for ID mapped users into a separate function
* LDAP: Do not store separate GID for subdomain users
* AD: Add additional service to support Global Catalog lookups
* AD ID lookups - choose GC or LDAP as appropriate
* AD: Store trusted AD domains as subdomains
* rpm: Fold libsss_sudo and libsss_autofs back into the main SSSD package
* dyndns: Fix NULL check
* man: document the need to set ldap_access_order
* A new option krb5_use_kdcinfo
* Fix allocation check in the AD provider
* rpm: Use hardened flags for RPM build
* rpm: Split providers into separate subpackages
* Update transifex URL to transifex.com
* Updating translations for the 1.10 beta2 release

Jan Cholasta (4):
* UTIL: Add function sss_names_init_from_args
* SSH: Fix parsing of names from client requests
* SSH: Use separate field for domain name in client requests
* SSH: Do not skip domains with use_fully_qualified_names in host key requests

Lukas Slebodnik (13):
* Fixes compilation without selinux.
* Fix broken build with selinux.
* Fix segfault in AD Subdomains Module
* Fixing critical format string issues.
* Adding script to create a SRPM
* Removing unused functions.
* Adding option to disable retrieving large AD groups.
* Making order in tests.
* Remove empty directories after tests run.
* Prevent segfault while processing ASQ request
* Fix compilation with disabled link_all_deplibs.
* Use deep copy for dns_domain and discovery_domain
* Fix dereference after a NULL check in tests.

Michal Zidek (1):
* Rename SAFEALIGN macros.

Ondrej Kos (8):
* Fix segfault in DYNDNS
* DB: Fix segfault when configuration file cannot be parsed
* Move nscd.c from tools to util
* Check NSCD configuration file
* Fail with misconfigured id-mapping ranges
* MAN: state default dyndns interface
* DB: Don't add invalid ranges
* Don't test for NULL in nscd config check

Pavel Březina (5):
* sudo responder: search rules for subdomains in parent domain subtree
* back end: periodic task API
* back end: periodical refresh of expired records API
* back end: add refresh expired records periodic task
* providers: refresh expired netgroups

Stef Walter (1):
* Add a domain config attribute for realmd

Stephen Gallagher (2):
* Remove old hash support from example spec
* Add 'description' attribute to SSSDConfig API

Sumit Bose (21):
* AD: read flat name and SID of the AD domain
* Add missing \n to debug string
* Fix missing initialization in Python bindings for libsss_nss_idmap
* Add support for tuples and unicode pysss_nss_idmap.so
* Always update cached upn if enterprise principals are used
* Fix return code for AD subdomain request
* pysss_nss_idmap: do not treat strings as sequences
* IPA: Always initialize ID mapping
* Handle SID strings in sdap_attrs_get_sid_str() as well
* IPA: read user and group SID
* Add SID related requests to the LDAP provider
* Set canonicalize flag if enterprise principals are used
* Lookup domains at startup
* Add be request queue
* Use queue for get_subdomains
* Read SIDs of groups with sysdb_initgroups() as well
* Enhance PAC responder for AD users
* Intermittent fix for get_user_and_group_users_done
* Always send the PAC to the PAC responder
* Implicitly activate the PAC responder for AD provider
* Fix some doxygen warnings

Yuri Chornoivan (1):
* Fix minor typos

_______________________________________________
Freeipa-interest mailing list
https://www.redhat.com/mailman/listinfo/freeipa-interest