=== SSSD 1.11.1 ===

The SSSD team is proud to announce the release of version 1.11.1 of the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:

https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* This release contains mainly bug fixes in the Active Directory provider and in setups where the SSSD is running on an IPA server instance. In particular:
  - Several cases where offline authentication did not work correctly for users from Active Directory domains were fixed
  - Fixed a resolver bug that caused the SSSD to only look up AAAA records for trusted Active Directory servers
  - SSSD is now able to resolve users from trusted AD domains using their POSIX attributes
* The simple access provider now allows the administrator to specify users or groups from trusted domains in the access or deny lists
* Handling of Kerberos credential caches was made simpler and more robust

== Packaging Changes ==

* A new subpackage sssd-common-pac was added to work around a packaging bug. In previous SSSD versions, the PAC responder was owned by both the IPA and AD providers, which is not permitted by the Fedora packaging guidelines.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1945
  Enable printf format string checking in function debug_fn
https://fedorahosted.org/sssd/ticket/2001
  Implement heuristics to use Global Catalog servers from local DNS domain first
https://fedorahosted.org/sssd/ticket/2007
  sss_debuglevel did not increase verbosity in sssd_pac.log
https://fedorahosted.org/sssd/ticket/2034
  [RFE] simple access provider: support subdomain users and groups
https://fedorahosted.org/sssd/ticket/2060
  Cached credentials aren't working with sssd-ad UPN logins
https://fedorahosted.org/sssd/ticket/2063
  sssd-ad unable to resolve names in other domains possibly UPN related
https://fedorahosted.org/sssd/ticket/2066
  ad: invalid handling of Domain Users group for subdomain user
https://fedorahosted.org/sssd/ticket/2067
  Carry on if detecting the flat name fails
https://fedorahosted.org/sssd/ticket/2068
  Initial enumeration in the AD provider does not work
https://fedorahosted.org/sssd/ticket/2070
  The present sssd-ad is unable to pull RFC2307 attributes from all domains in a forest
https://fedorahosted.org/sssd/ticket/2075
  sssd fails to retrieve netgroups with multiple CN attributes
https://fedorahosted.org/sssd/ticket/2076
  Fix expand_ccname_template libkrb5 style expansion and add tests
https://fedorahosted.org/sssd/ticket/2079
  SSSD subdomains provider does not resolve SRV records correctly when DNS name of the server is different from domain/realm name of IPA install in IPA server mode
https://fedorahosted.org/sssd/ticket/2080
  When in IPA server mode, SSSD should map trusted forest subdomains to root domain realm
https://fedorahosted.org/sssd/ticket/2085
  man sssd-sudo: improve description of necessary configuration
https://fedorahosted.org/sssd/ticket/2087
  The multicast check is wrong in the sudo source code getting the host info
https://fedorahosted.org/sssd/ticket/2090
  getpwuid and getgrgid do not use the negative cache
https://fedorahosted.org/sssd/ticket/2091
  Document that server side password policies always takes precedence
https://fedorahosted.org/sssd/ticket/2093
  sssd should write capaths for IPA trusted forests' subdomains

== Detailed Changelog ==

Jakub Hrozek (24):
* Updating the version for 1.11.1 release
* PROXY: Handle empty GECOS
* MAN: Document that sss_cache should be run after changing the cache timeout
* AD: Rename parametrized #define
* LDAP: Store cleanup timestamp after initial cleanup
* Remove unused code
* TESTS: Remove unused variable
* KRB5: Call umask before mkstemp in the krb5 child code
* AD: async request to retrieve master domain info
* LDAP: sdap_id_setup_tasks accepts a custom enum request
* AD: Download master domain info when enumerating
* AD: Failure to get flat name is not fatal
* Convert IN_MULTICAST parameter to host order
* NSS: Set UID and GID to negative cache after searching all domains
* NSS: Failure to store entry negative cache should not be fatal
* KRB5: Fix bad comparison
* IPA: Ignore dns_discovery_domain in server mode
* KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved
* KRB5: Use the correct domain when authenticating with cached password
* LDAP: Require ID numbers when ID mapping is off
* LDAP: Allow searching subdomain during RFC2307bis initgroups
* AD: talk to GC first even for local domain objects
* MAN: Document that POSIX attributes must be replicated to GC
* Updating the translations for the 1.11.1 release

Lukas Slebodnik (38):
* AUTOMAKE: Add missing escaped newline
* Include sys/types.h for types id_t and uid_t
* UTIL: Use standard maximum value of type size_t
* KRB5: Fix warning declaration shadows global declaration
* Fix warning missing arguments
* mmap_cache: Do not remove record from chain twice
* AUTOTOOLS: Add -LLIBDIR to PYTHON_LIBS
* AUTOTOOLS: Add missing AC_MSG_RESULT
* AUTOMAKE: Use portable way to link with dlopen
* AUTOMAKE: Use portable way to link with gettext
* AUTOTOOLS: Add directories for searching ldap headers and libs
* AUTOTOOLS: Refactor unicode library detection
* AUTOTOOLS: add check for type intptr_t
* AUTOTOOLS: Use pkg-config to detect libraries.
* AUTOTOOLS: More robust detection of inotify.
* krb5: Fix warning sometimes uninitialized
* Fix formating of variables with type: long
* Fix formating of variables with type: unsigned long
* Fix formating of variables with type: int
* Fix pointer formatting
* Use the same variable type like in struct ldb_message_element
* Fix formating of variables with type: ssize_t
* Fix formating of variables with type: size_t
* Adding new header for printf formating macros
* Fix formating of variables with type: key_serial_t
* Fix formating of variables with type: rlim_t
* Fix formating of variables with type defined in stdint.h
* Fix formating of variables with type: time_t
* Fix formating of variables with ber_ type
* Fix warning: data argument not used by format string
* Use right formating to print string
* Fix formating of variables with type: id_t
* Fix formating of variables with type: uid_t
* Fix formating of variables with type: gid_t
* Enable printf format string checking
* KRB: Remove unused memory context
* KRB: Remove unused function parameters
* LDAP: Use primary cn to search netgroup

Michal Zidek (4):
* Rename SAFEALIGN macros
* Rename _SSS_MC_SPECIAL
* man sssd: Add note about SSS_NSS_USE_MEMCACHE
* Check slot validity before MC_SLOT_TO_PTR.

Nikolai Kondrashov (1):
* Fix reference to sssd-krb5 man page

Ondrej Kos (2):
* DB: Add user/group lookup by SID
* DB: Rise search functions debug levels

Pavel Březina (22):
* Fix czech specific character in my name
* krb5_utils tests: fix some typos
* resolv_sort_srv_reply: remove unnecessary mem_ctx
* fo srv: add priority to fo_server_info
* utils: add is_host_in_domain()
* ad srv: prefer servers that are in the same domain as client
* sysdb_search_group_by_gid: obtain gid instead of uid
* is_dn(): free dn
* util: add sss_idmap_talloc[_free]
* simple access tests: fix typos
* simple provider: support subdomain users
* util: add find_subdomain_by_sid()
* util: add find_subdomain_by_object_name()
* simple provider: support subdomain groups
* simple access test: initialize be_ctx for all tests
* simple provider: obey case sensitivity for subdomain users and groups
* man: improve sssd-sudo manual page
* man: server side password policies always takes precedence
* util: add get_domains_head()
* sysdb: get_sysdb_grouplist() can return either names or dn
* sysdb: sysdb_update_members can take either name or dn
* ad: store group in correct tree on initgroups via tokenGroups

Simo Sorce (18):
* Makefile: Fix sssd_be targets
* krb5: Ingnore unknown expansion sequences
* tests: Add dlopen test to make sure modules works
* krb5: Add calls to change and restore credentials
* krb5: Add helper to destroy ccache as user
* krb5: Use krb5_cc_destroy to remove old ccaches
* krb5: Replace type-specific ccache/principal check
* krb5: Move determination of user being active
* krb5: move template check to initializzation
* krb5: Make check_for_valid_tgt() static
* krb5: Use new function to validate ccaches
* krb5: Unify function to create ccache files
* krb5: Remove unused ccache backend infrastructure
* krb5: Remove unused function
* krb5: Add file/dir path precheck
* krb5_child: Simplify ccache creation
* krb5: Remove unused helper functions
* krb5: Be more lenient on failures for old ccache

Stephen Gallagher (1):
* RPM: Add new subpackage for PAC responder

Sumit Bose (7):
* dyndns: do not modify global family_order
* sdap_domain_add: remove too strict consistency check
* krb5: save canonical upn to sysdb
* krb5: do not expand enterprise principals is offline
* IPA: store forest name for forest member domains
* ipa_server_mode: write capaths to krb5 include file
* Do not return DP_ERR_FATAL in case of success