=== SSSD 1.11.1 ===

The SSSD team is proud to announce the release of version 1.11.1 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists.

== Highlights ==
 * This release contains mainly bug fixes in the Active Directory provider
   and setups where the SSSD is running on an IPA server instance. In
  - Several cases where offline authentication did not work correctly for
    users from Active Directory domains were fixed
  - Fixed a resolver bug that caused the SSSD to only look up AAAA records
    for trusted Active Directory servers
  - SSSD is now able to resolve users from trusted AD domains using their
    POSIX attributes
 * The simple access provider now allows the administrator to specify
   users or groups from trusted domains in the access or deny lists
 * Handling of Kerberos credential caches was made simpler and more robust

== Packaging Changes ==
 * A new subpackage sssd-common-pac was added to work around a packaging
   bug. Previous SSSD versions would own the PAC responder by both the
   IPA and AD providers, which is not permitted by the Fedora packaging

== Tickets Fixed ==
    Enable printf format string checking in function debug_fn
    Implement heuristics to use Global Catalog servers from local DNS
    domain first
    sss_debuglevel did not increase verbosity in sssd_pac.log
    [RFE] simple access provider: support subdomain users and groups
    Cached credentials aren't working with sssd-ad UPN logins
    sssd-ad unable to resolve names in other domains possibly UPN related
    ad: invalid handling of Domain Users group for subdomain user
    Carry on if detecting the flat name fails
    Initial enumeration in the AD provider does not work
    The present sssd-ad is unable to pull RFC2307 attributes from all
    domains in a forest
    sssd fails to retrieve netgroups with multiple CN attributes
    Fix expand_ccname_template libkrb5 style expansion and add tests
    SSSD subdomains provider does not resolve SRV records correctly when
    DNS name of the server is different from domain/realm name of IPA
    install in IPA server mode
    When in IPA server mode, SSSD should map trusted forest subdomains to
    root domain realm
    man sssd-sudo: improve description of necessary configuration
    The multicast check is wrong in the sudo source code getting the host info
    getpwuid and getgrgid do not use the negative cache
    Document that server side password policies always takes precedence
    sssd should write capaths for IPA trusted forests' subdomains

== Detailed Changelog ==
Jakub Hrozek (24):
    * Updating the version for 1.11.1 release
    * PROXY: Handle empty GECOS
    * MAN: Document that sss_cache should be run after changing the cache 
    * AD: Rename parametrized #define
    * LDAP: Store cleanup timestamp after initial cleanup
    * Remove unused code
    * TESTS: Remove unused variable
    * KRB5: Call umask before mkstemp in the krb5 child code
    * AD: async request to retrieve master domain info
    * LDAP: sdap_id_setup_tasks accepts a custom enum request
    * AD: Download master domain info when enumerating
    * AD: Failure to get flat name is not fatal
    * Convert IN_MULTICAST parameter to host order
    * NSS: Set UID and GID to negative cache after searching all domains
    * NSS: Failure to store entry negative cache should not be fatal
    * KRB5: Fix bad comparison
    * IPA: Ignore dns_discovery_domain in server mode
    * KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved
    * KRB5: Use the correct domain when authenticating with cached password
    * LDAP: Require ID numbers when ID mapping is off
    * LDAP: Allow searching subdomain during RFC2307bis initgroups
    * AD: talk to GC first even for local domain objects
    * MAN: Document that POSIX attributes must be replicated to GC
    * Updating the translations for the 1.11.1 release

Lukas Slebodnik (38):
    * AUTOMAKE: Add missing escaped newline
    * Include sys/types.h for types id_t and uid_t
    * UTIL: Use standard maximum value of type size_t
    * KRB5: Fix warning declaration shadows global declaration
    * Fix warning missing arguments
    * mmap_cache: Do not remove record from chain twice
    * AUTOTOOLS: Add missing AC_MSG_RESULT
    * AUTOMAKE: Use portable way to link with dlopen
    * AUTOMAKE: Use portable way to link with gettext
    * AUTOTOOLS: Add directories for searching ldap headers and libs
    * AUTOTOOLS: Refactor unicode library detection
    * AUTOTOOLS: add check for type intptr_t
    * AUTOTOOLS: Use pkg-config to detect libraries.
    * AUTOTOOLS: More robust detection of inotify.
    * krb5: Fix warning sometimes uninitialized
    * Fix formatting of variables with type: long
    * Fix formatting of variables with type: unsigned long
    * Fix formatting of variables with type: int
    * Fix pointer formatting
    * Use the same variable type like in struct ldb_message_element
    * Fix formatting of variables with type: ssize_t
    * Fix formatting of variables with type: size_t
    * Adding new header for printf formatting macros
    * Fix formatting of variables with type: key_serial_t
    * Fix formatting of variables with type: rlim_t
    * Fix formatting of variables with type defined in stdint.h
    * Fix formatting of variables with type: time_t
    * Fix formatting of variables with ber_ type
    * Fix warning: data argument not used by format string
    * Use right formatting to print string
    * Fix formatting of variables with type: id_t
    * Fix formatting of variables with type: uid_t
    * Fix formatting of variables with type: gid_t
    * Enable printf format string checking
    * KRB: Remove unused memory context
    * KRB: Remove unused function parameters
    * LDAP: Use primary cn to search netgroup

Michal Zidek (4):
    * Rename SAFEALIGN macros
    * Rename _SSS_MC_SPECIAL
    * man sssd: Add note about SSS_NSS_USE_MEMCACHE
    * Check slot validity before MC_SLOT_TO_PTR.

Nikolai Kondrashov (1):
    * Fix reference to sssd-krb5 man page

Ondrej Kos (2):
    * DB: Add user/group lookup by SID
    * DB: Rise search functions debug levels

Pavel Březina (22):
    * Fix Czech specific character in my name
    * krb5_utils tests: fix some typos
    * resolv_sort_srv_reply: remove unnecessary mem_ctx
    * fo srv: add priority to fo_server_info
    * utils: add is_host_in_domain()
    * ad srv: prefer servers that are in the same domain as client
    * sysdb_search_group_by_gid: obtain gid instead of uid
    * is_dn(): free dn
    * util: add sss_idmap_talloc[_free]
    * simple access tests: fix typos
    * simple provider: support subdomain users
    * util: add find_subdomain_by_sid()
    * util: add find_subdomain_by_object_name()
    * simple provider: support subdomain groups
    * simple access test: initialize be_ctx for all tests
    * simple provider: obey case sensitivity for subdomain users and groups
    * man: improve sssd-sudo manual page
    * man: server side password policies always takes precedence
    * util: add get_domains_head()
    * sysdb: get_sysdb_grouplist() can return either names or dn
    * sysdb: sysdb_update_members can take either name or dn
    * ad: store group in correct tree on initgroups via tokenGroups

Simo Sorce (18):
    * Makefile: Fix sssd_be targets
    * krb5: Ignore unknown expansion sequences
    * tests: Add dlopen test to make sure modules works
    * krb5: Add calls to change and restore credentials
    * krb5: Add helper to destroy ccache as user
    * krb5: Use krb5_cc_destroy to remove old ccaches
    * krb5: Replace type-specific ccache/principal check
    * krb5: Move determination of user being active
    * krb5: move template check to initialization
    * krb5: Make check_for_valid_tgt() static
    * krb5: Use new function to validate ccaches
    * krb5: Unify function to create ccache files
    * krb5: Remove unused ccache backend infrastructure
    * krb5: Remove unused function
    * krb5: Add file/dir path precheck
    * krb5_child: Simplify ccache creation
    * krb5: Remove unused helper functions
    * krb5: Be more lenient on failures for old ccache

Stephen Gallagher (1):
    * RPM: Add new subpackage for PAC responder

Sumit Bose (7):
    * dyndns: do not modify global family_order
    * sdap_domain_add: remove too strict consistency check
    * krb5: save canonical upn to sysdb
    * krb5: do not expand enterprise principals is offline
    * IPA: store forest name for forest member domains
    * ipa_server_mode: write capaths to krb5 include file
    * Do not return DP_ERR_FATAL in case of success
