=== SSSD 1.11.1 ===

The SSSD team is proud to announce the release of version 1.11.1 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
 * This release contains mainly bug fixes in the Active Directory provider
   and setups where the SSSD is running on an IPA server instance. In
   particular:
  - Several cases where offline authentication did not work correctly for
    users from Active Directory domains were fixed
  - Fixed a resolver bug that caused the SSSD to only look up AAAA records
    for trusted Active Directory servers
  - SSSD is now able to resolve users from trusted AD domains using their
    POSIX attributes
 * The simple access provider now allows the administrator to specify
   users or groups from trusted domains in the access or deny lists
 * Handling of Kerberos credential caches was made simpler and more robust

== Packaging Changes ==
 * A new subpackage sssd-common-pac was added to work around a packaging
   bug. Previous SSSD versions would own the PAC responder by both the
   IPA and AD providers, which is not permitted by the Fedora packaging
   guidelines.

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1945
    Enable printf format string checking in function debug_fn
https://fedorahosted.org/sssd/ticket/2001
    Implement heuristics to use Global Catalog servers from local DNS
    domain first
https://fedorahosted.org/sssd/ticket/2007
    sss_debuglevel did not increase verbosity in sssd_pac.log
https://fedorahosted.org/sssd/ticket/2034
    [RFE] simple access provider: support subdomain users and groups
https://fedorahosted.org/sssd/ticket/2060
    Cached credentials aren't working with sssd-ad UPN logins
https://fedorahosted.org/sssd/ticket/2063
    sssd-ad unable to resolve names in other domains possibly UPN related
https://fedorahosted.org/sssd/ticket/2066
    ad: invalid handling of Domain Users group for subdomain user
https://fedorahosted.org/sssd/ticket/2067
    Carry on if detecting the flat name fails
https://fedorahosted.org/sssd/ticket/2068
    Initial enumeration in the AD provider does not work
https://fedorahosted.org/sssd/ticket/2070
    The present sssd-ad is unable to pull RFC2307 attributes from all
    domains in a forest
https://fedorahosted.org/sssd/ticket/2075
    sssd fails to retrieve netgroups with multiple CN attributes
https://fedorahosted.org/sssd/ticket/2076
    Fix expand_ccname_template libkrb5 style expansion and add tests
https://fedorahosted.org/sssd/ticket/2079
    SSSD subdomains provider does not resolve SRV records correctly when
    DNS name of the server is different from domain/realm name of IPA
    install in IPA server mode
https://fedorahosted.org/sssd/ticket/2080
    When in IPA server mode, SSSD should map trusted forest subdomains to
    root domain realm
https://fedorahosted.org/sssd/ticket/2085
    man sssd-sudo: improve description of necessary configuration
https://fedorahosted.org/sssd/ticket/2087
    The multicast check is wrong in the sudo source code getting the host info
https://fedorahosted.org/sssd/ticket/2090
    getpwuid and getgrgid do not use the negative cache
https://fedorahosted.org/sssd/ticket/2091
    Document that server side password policies always takes precedence
https://fedorahosted.org/sssd/ticket/2093
    sssd should write capaths for IPA trusted forests' subdomains

== Detailed Changelog ==
Jakub Hrozek (24):
    * Updating the version for 1.11.1 release
    * PROXY: Handle empty GECOS
    * MAN: Document that sss_cache should be run after changing the cache 
timeout
    * AD: Rename parametrized #define
    * LDAP: Store cleanup timestamp after initial cleanup
    * Remove unused code
    * TESTS: Remove unused variable
    * KRB5: Call umask before mkstemp in the krb5 child code
    * AD: async request to retrieve master domain info
    * LDAP: sdap_id_setup_tasks accepts a custom enum request
    * AD: Download master domain info when enumerating
    * AD: Failure to get flat name is not fatal
    * Convert IN_MULTICAST parameter to host order
    * NSS: Set UID and GID to negative cache after searching all domains
    * NSS: Failure to store entry negative cache should not be fatal
    * KRB5: Fix bad comparison
    * IPA: Ignore dns_discovery_domain in server mode
    * KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved
    * KRB5: Use the correct domain when authenticating with cached password
    * LDAP: Require ID numbers when ID mapping is off
    * LDAP: Allow searching subdomain during RFC2307bis initgroups
    * AD: talk to GC first even for local domain objects
    * MAN: Document that POSIX attributes must be replicated to GC
    * Updating the translations for the 1.11.1 release

Lukas Slebodnik (38):
    * AUTOMAKE: Add missing escaped newline
    * Include sys/types.h for types id_t and uid_t
    * UTIL: Use standard maximum value of type size_t
    * KRB5: Fix warning declaration shadows global declaration
    * Fix warning missing arguments
    * mmap_cache: Do not remove record from chain twice
    * AUTOTOOLS: Add -LLIBDIR to PYTHON_LIBS
    * AUTOTOOLS: Add missing AC_MSG_RESULT
    * AUTOMAKE: Use portable way to link with dlopen
    * AUTOMAKE: Use portable way to link with gettext
    * AUTOTOOLS: Add directories for searching ldap headers and libs
    * AUTOTOOLS: Refactor unicode library detection
    * AUTOTOOLS: add check for type intptr_t
    * AUTOTOOLS: Use pkg-config to detect libraries.
    * AUTOTOOLS: More robust detection of inotify.
    * krb5: Fix warning sometimes uninitialized
    * Fix formating of variables with type: long
    * Fix formating of variables with type: unsigned long
    * Fix formating of variables with type: int
    * Fix pointer formatting
    * Use the same variable type like in struct ldb_message_element
    * Fix formating of variables with type: ssize_t
    * Fix formating of variables with type: size_t
    * Adding new header for printf formating macros
    * Fix formating of variables with type: key_serial_t
    * Fix formating of variables with type: rlim_t
    * Fix formating of variables with type defined in stdint.h
    * Fix formating of variables with type: time_t
    * Fix formating of variables with ber_ type
    * Fix warning: data argument not used by format string
    * Use right formating to print string
    * Fix formating of variables with type: id_t
    * Fix formating of variables with type: uid_t
    * Fix formating of variables with type: gid_t
    * Enable printf format string checking
    * KRB: Remove unused memory context
    * KRB: Remove unused function parameters
    * LDAP: Use primary cn to search netgroup

Michal Zidek (4):
    * Rename SAFEALIGN macros
    * Rename _SSS_MC_SPECIAL
    * man sssd: Add note about SSS_NSS_USE_MEMCACHE
    * Check slot validity before MC_SLOT_TO_PTR.

Nikolai Kondrashov (1):
    * Fix reference to sssd-krb5 man page

Ondrej Kos (2):
    * DB: Add user/group lookup by SID
    * DB: Rise search functions debug levels

Pavel Březina (22):
    * Fix czech specific character in my name
    * krb5_utils tests: fix some typos
    * resolv_sort_srv_reply: remove unnecessary mem_ctx
    * fo srv: add priority to fo_server_info
    * utils: add is_host_in_domain()
    * ad srv: prefer servers that are in the same domain as client
    * sysdb_search_group_by_gid: obtain gid instead of uid
    * is_dn(): free dn
    * util: add sss_idmap_talloc[_free]
    * simple access tests: fix typos
    * simple provider: support subdomain users
    * util: add find_subdomain_by_sid()
    * util: add find_subdomain_by_object_name()
    * simple provider: support subdomain groups
    * simple access test: initialize be_ctx for all tests
    * simple provider: obey case sensitivity for subdomain users and groups
    * man: improve sssd-sudo manual page
    * man: server side password policies always takes precedence
    * util: add get_domains_head()
    * sysdb: get_sysdb_grouplist() can return either names or dn
    * sysdb: sysdb_update_members can take either name or dn
    * ad: store group in correct tree on initgroups via tokenGroups

Simo Sorce (18):
    * Makefile: Fix sssd_be targets
    * krb5: Ingnore unknown expansion sequences
    * tests: Add dlopen test to make sure modules works
    * krb5: Add calls to change and restore credentials
    * krb5: Add helper to destroy ccache as user
    * krb5: Use krb5_cc_destroy to remove old ccaches
    * krb5: Replace type-specific ccache/principal check
    * krb5: Move determination of user being active
    * krb5: move template check to initializzation
    * krb5: Make check_for_valid_tgt() static
    * krb5: Use new function to validate ccaches
    * krb5: Unify function to create ccache files
    * krb5: Remove unused ccache backend infrastructure
    * krb5: Remove unused function
    * krb5: Add file/dir path precheck
    * krb5_child: Simplify ccache creation
    * krb5: Remove unused helper functions
    * krb5: Be more lenient on failures for old ccache

Stephen Gallagher (1):
    * RPM: Add new subpackage for PAC responder

Sumit Bose (7):
    * dyndns: do not modify global family_order
    * sdap_domain_add: remove too strict consistency check
    * krb5: save canonical upn to sysdb
    * krb5: do not expand enterprise principals is offline
    * IPA: store forest name for forest member domains
    * ipa_server_mode: write capaths to krb5 include file
    * Do not return DP_ERR_FATAL in case of success

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest

Reply via email to