=== SSSD 1.11.2 ===

The SSSD team is proud to announce the release of version 1.11.2 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* A new option ad_access_filter was added. This option allows the
  administrator to easily configure LDAP search filter that the users logging
  in must match in order to be granted access
* Group resolution now supports resolving group members from different
  trusted AD domains in a single forest
* A bug that prevented a configuration file with trailing spaces to be
  loaded was fixed
* SSSD no longer crashes if the LDAP connection is terminated while LDAP
  requests are still in progress
* Several important bugs related to the Global Catalog support were fixed:
   * SSSD now correctly falls back to LDAP lookups in case Global Catalog
     is not reachable
   * If the AD servers were specified using the ad_server option and not
     autodiscovered, server fail over did not work correctly with 1.11.1

== Feature removal ==

* The Kerberos provider is no longer able to create public directories
  when evaluating the krb5_ccachedir option. This is a backwards-incompatible
  change. Creating public directories is something the system administrator
  should perform in order for the directories to have the correct permissions
  and allow the authentication daemon to create user directories as private
  only.

== Documentation Changes ==

* The decimal debug levels are now recommended instead of the advanced
  hexadecimal levels which are more suitable for developers

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1968
    Memory grows if subdomain goes away in the AD provider
https://fedorahosted.org/sssd/ticket/2030
    getent response requires sssd restart after trust add
https://fedorahosted.org/sssd/ticket/2064
    ad: unable to resolve membership when user is from different domain than 
group
https://fedorahosted.org/sssd/ticket/2071
    Ccache directory creation leads to unexpected results
https://fedorahosted.org/sssd/ticket/2082
    [RFE] Add a new option ad_access_filter
https://fedorahosted.org/sssd/ticket/2092
    Group lookup is not returned immediately after service startup
https://fedorahosted.org/sssd/ticket/2100
    sudo responder does not support specifying just one of 
sudoNotBefore/sudoNotAfter
https://fedorahosted.org/sssd/ticket/2101
    Use idrange of forest root if there is none for a member domain and type is 
ipa-ad-trust-posix
https://fedorahosted.org/sssd/ticket/2104
    AD provider should fall back the LDAP if Global Catalog is not reachable
https://fedorahosted.org/sssd/ticket/2105
    Do not show 'Could not add new domain' error messages if 
ldap_id_mapping=false
https://fedorahosted.org/sssd/ticket/2112
    Coverity reported potential NULL dereference
https://fedorahosted.org/sssd/ticket/2116
    SID looksups are not handled if noexist_delete flag is set
https://fedorahosted.org/sssd/ticket/2121
    ipa ad trusted user lookups failed with sssd_be crash
https://fedorahosted.org/sssd/ticket/2123
    Creating system accounts on a IdM client takes up to 10 minutes when AD 
trust is configured in the IdM.
https://fedorahosted.org/sssd/ticket/2124
    sssd_nss exited abnormally and generated core files.
https://fedorahosted.org/sssd/ticket/2126
    sssd_be segfault when authenticating against active directory
https://fedorahosted.org/sssd/ticket/2131
    NSS responder doesn't qualify memberuid and ghost users of groups that 
contain members from different domains

== Detailed Changelog ==

Jakub Hrozek (23):
  * Updating the version for the 1.11.2 release
  * krb5: Fix unit tests
  * INI: Disable line-wrapping functionality
  * KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user
  * PROXY: Fix memory hierarchy when enumerating services
  * Inherit ID limits of parent domains if set
  * SYSDB: Add sysdb_delete_by_sid
  * LDAP: Delete entry by SID if not found
  * LDAP: Amend sdap_access_check to allow any connection
  * LDAP: Parse FQDN into name/domain for subdomain users
  * AD: Add a new option ad_access_filter
  * AD: Use the ad_access_filter if it's set
  * AD: Search GC by default during access control, fall back to LDAP
  * AD: Add extended access filter
  * TEST: Test getgrnam with emphasis on members
  * NSS: Print FQDN for groups with mixed domain membership
  * KRB5: Handle ERR_CHPASS_FAILED
  * NSS: Fix service enumeration
  * MAN: Document that krb5 directories can only be created as private
  * LDAP: Check all search bases during nested group processing
  * NSS: Fix parenthesis
  * AD: Fix ad_access_filter parsing with empty filter
  * Updating translation for the 1.11.2 release 

Lukas Slebodnik (9):
  * LDAP: Set default value for dyndns update to false
  * krb5: Remove warning dereference of a null pointer
  * krb5: Use right function to free data.
  * AD: Prefer GC port from SRV record
  * AD: fall back to LDAP if GC is not available.
  * tests: Use right format string for type size_t
  * Makefile: Add missing libraries
  * Makefile: Remove unused variable TEST_MOCK_OBJ
  * LDAP: Return correct error code 

Pavel Březina (23):
  * sudo: allow specifying only one time restriction
  * sudo: improve time restrictions debug messages
  * nss: wait for initial subdomains request to finish
  * subdomains: first destroy ptask then remove sdom
  * dp: make subdomains refresh interval configurable
  * dp: store list of ongoing requests
  * utils: add ERR_DOMAIN_NOT_FOUND error code
  * dp: set request domain
  * dp: add function to terminate request of specific domain
  * dp: free sdap domain if subdomain is removed
  * be_ptask: add be_ptask_create_sync()
  * dp: convert cleanup task to be_ptask
  * ipa: destroy cleanup task when subdomain is removed
  * ad: destroy ptasks when subdomain is removed
  * sdap_save_user: try to determine domain by SID
  * sdap_save_group: try to determine domain by SID
  * free sid obtained from sss_idmap_unix_to_sid()
  * ad: shortcut if possible during get object by ID or SID
  * sdap: store base dn in sdap_domain
  * sdap: add sdap_domain_get_by_dn()
  * ghosts: pick correct domain for every member
  * sdap_fill_memberships: pick correct domain for every member
  * nested groups: pick correct domain for cache lookups 

Simo Sorce (1):
  * krb5: Remove ability to create public directories 

Stephen Gallagher (4):
  * SYSDB: Fix incorrect DEBUG message
  * MAN: Clarify debug level documentation
  * MAN: Reflow debug_levels.xml
  * BUILD: Update bashrc macros 

Sumit Bose (17):
  * AD: properly intitialize GC from ad_server option
  * LDAP: handle SID requests if noexist_delete is set
  * IPA server mode: properly initialize ext_groups
  * idmap: add internal function to free a domain struct
  * idmap: fix a memory leak if a collision is detected
  * idmap: allow ranges with external mapping to overlap
  * sdap_idmap: add sdap_idmap_get_configured_external_range()
  * sdap_idmap: properly handle ranges for external mappings
  * Add unconditional online callbacks
  * IPA: add callback to reset subdomain timeouts
  * sdap_get_generic_ext_send: check if we a re still connected
  * find_subdomain_by_sid: skip domains with missing domain_id
  * idmap: add sss_idmap_domain_by_name_has_algorithmic_mapping()
  * sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
  * IPA: add trusted domains with missing idrange
  * ad_subdom_store: check ID mapping of the domain not of the parent
  * be_spy_create: free be_req and not the long living data 

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest

Reply via email to