=== SSSD 1.11.3 ===

The SSSD team is proud to announce the release of version 1.11.3 of the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* This release mostly focuses on bug fixes, especially in the AD provider
* The AD provider is able to resolve group memberships for groups with Global and Universal scope
* The initgroups (get groups for user) operation for users from trusted AD domains was made more reliable by reading the required tokenGroups attribute from LDAP instead of Global Catalog
* A new option ad_enable_gc was added to the AD provider. This option allows the administrator to force SSSD to talk to LDAP port only and never try the Global Catalog
* The AD provider is now able to leverage the tokenGroups attribute even when POSIX attributes are used, providing better performance during logins.
* A memory leak in the NSS responder that affected long-lived clients that requested netgroup data was fixed

== Documentation Changes ==

* A new option ldap_group_type was added to LDAP, IPA and AD providers
* A new option ad_enable_gc was added to the AD provider

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1568
    [RFE] AD Provider should use tokenGroups with non-ID-mapping
https://fedorahosted.org/sssd/ticket/2077
    [RFE] If originalDN is not available during LDAP auth, the SSSD should look it up
https://fedorahosted.org/sssd/ticket/2132
    Improve detection of the right domain when processing group with members from several domains
https://fedorahosted.org/sssd/ticket/2133
    sss_idmap: add API to free objects allocated by the library
https://fedorahosted.org/sssd/ticket/2137
    SSSD fails to fetch netgroup information with setnetgrent failed error
https://fedorahosted.org/sssd/ticket/2138
    Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"
https://fedorahosted.org/sssd/ticket/2145
    Push patch to bump version-info of libsss_idmap
https://fedorahosted.org/sssd/ticket/2146
    sssd can't retrieve auto.master when using the "default_domain_suffix" option in
https://fedorahosted.org/sssd/ticket/2147
    sssd_be crashes on manually adding a cleartext password to ldap_default_authtok
https://fedorahosted.org/sssd/ticket/2148
    Individual group search returned multiple results in GC lookups
https://fedorahosted.org/sssd/ticket/2154
    Incorrect mention of access_filter in sssd-ad manpage
https://fedorahosted.org/sssd/ticket/2156
    Non descriptive error message when sssd.conf is missing completely
https://fedorahosted.org/sssd/ticket/2157
    sssd_be segfaults if empty grop is resolved using ad_matching_rule
https://fedorahosted.org/sssd/ticket/2161
    tokenGroups do not work reliable with Global Catalog
https://fedorahosted.org/sssd/ticket/2165
    Update Gentoo init script
https://fedorahosted.org/sssd/ticket/2168
    If SSSD starts offline, subdomains list is never read.
https://fedorahosted.org/sssd/ticket/2170
    sssd_nss grows memory footprint when netgroups are requested
https://fedorahosted.org/sssd/ticket/2173
    sssd_be crashes occasionally
https://fedorahosted.org/sssd/ticket/2178
    AD groups with domain-local scope should be filtered out for trusted domains

== Detailed Changelog ==

Aron Parsons (1):
* do not use default_domain_suffix with autofs

Jakub Hrozek (14):
* Updating the version for the 1.11.3 release
* Initialize sid_str to NULL to avoid freeing random data
* LDAP: Split out a request to search for a user w/o saving
* LDAP: Search for original DN during auth if it's missing
* AD: Fix a typo in the man page
* LDAP: Initialize user count for AD matching rule
* SUBDOMAINS: Reuse cached results if DP is offline
* AD: Refresh subdomain data structures on startup
* IPA: Refresh subdomain data structures on startup
* IPA: Call ipa_ad_subdom_refresh when server mode is initialized
* AD: Add a utility function to create list of connections
* AD: Add a new option to turn off GC lookups
* AD: Enable fallback to LDAP of trusted domain
* Updating translations for the 1.11.3 release

Jan Engelhardt (1):
* build: fix ordering of linker flags

Lukas Slebodnik (7):
* NSS: Set packet length for initgroups
* LDAP: Prevent from using uninitialized sdap_options
* SYSDB: Skip malformed netgroup attribute.
* SYSDB: Sanitize filter before sysdb_search_groups
* SYSDB: Sanitize filter before removing ghost attrs
* NSS: Fix memory leak in sss_setnetgrent
* AUTOTOOLS: krb5 1.12 is also supported krb5 libs

Markos Chandras (2):
* sysv/gentoo: Use xdm if possible
* sysv/gentoo: Send debug output to a file instead of stderr

Pavel Březina (11):
* idmap: add API to free allocated SIDs
* free idmapped SIDs correctly
* free idmapped dom SIDs correctly
* free idmapped smb SIDs correctly
* free idmapped binary SIDs correctly
* pac: fix double free
* pac: fix potential memory leaks
* failover: check dns_domain if primary servers lookup failed
* ad: refactor tokengroups initgroups
* ad: use tokengroups even when id mapping is disabled
* Bump sss_idmap version to 3:0:3

Pavel Reichl (3):
* monitor: Specific error message for missing sssd.conf
* SSSD: Improved domain detection
* SSSD: Unit test - sss_ldap_dn_in_search_bases

Sumit Bose (10):
* AD: use LDAP for group lookups
* sss_cache: initialize names member of sss_domain_info
* sss_cache: fix case-sensitivity issue
* Add sysdb_attrs_add_lc_name_alias
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias
* Use lower-case name for case-insensitive searches
* Add new option ldap_group_type
* Add sysdb_attrs_get_int32_t
* AD: filter domain local groups for trusted/sub domains
* AD: cross-domain membership fix