=== SSSD 1.11.4 ===

The SSSD team is proud to announce the release of version 1.11.4 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

 * This release focuses primarily on bug fixes, especially for use cases where SSSD is acting as an Active Directory client
 * The simple access provider supports specifying users and groups using their NetBIOS domain name (such as `DOMAIN\username`)
 * Support for enumerating users and groups from trusted AD domains was added to the AD provider
 * The Active Directory site discovery was made more robust for configurations which use multiple trusted domains
 * Several bugs in the LDAP provider that affected setups which mapped Windows SIDs to POSIX IDs were fixed
 * The SSSD is now able to use One Time Password (OTP) authentication configured on an IPA server. Please note that this functionality is not present in the released FreeIPA versions yet

== Documentation Changes ==

 * The `krb5_use_fast` option changes its default from `never` to `try` in the IPA provider. The config option value did not change in the other providers.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/2142
    AD Enumeration reads data from LDAP while regular lookups connect to GC
https://fedorahosted.org/sssd/ticket/2152
    Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not
https://fedorahosted.org/sssd/ticket/2160
    sssd_be crashes when ad_access_filter uses FOREST keyword.
https://fedorahosted.org/sssd/ticket/2164
    "System Error" when invalid ad_access_filter is used
https://fedorahosted.org/sssd/ticket/2169
    RHEL7 sssd not setting IPA AD trusted user homedir
https://fedorahosted.org/sssd/ticket/2172
    Enabling ldap_id_mapping doesn't exclude uidNumber in filter
https://fedorahosted.org/sssd/ticket/2186
    FAST does not work in SSSD 1.11.2 in Fedora 20
https://fedorahosted.org/sssd/ticket/2189
    Access denied for users from gc domain when using format DOMAIN\user
https://fedorahosted.org/sssd/ticket/2190
    Group membership lookup issue
https://fedorahosted.org/sssd/ticket/2191
    Group lookup does not return member with multiple names after user lookup
https://fedorahosted.org/sssd/ticket/2196
    sssd ad trusted sub domain do not inherit fallbacks and overrides settings
https://fedorahosted.org/sssd/ticket/2199
    sssd_be crashes when ldap_search_base cannot be parsed.
https://fedorahosted.org/sssd/ticket/2200
    sssd_be aborts a request if it doesn't match any configured idmap domain
https://fedorahosted.org/sssd/ticket/2202
    sssd_be should hint about increasing the krb5_auth_timeout if krb5 auth times out
https://fedorahosted.org/sssd/ticket/2208
    Warn with a user-friendly error message when permissions on sssd.conf are incorrect
https://fedorahosted.org/sssd/ticket/2213
    sudo rules time filter is nondeterministic
https://fedorahosted.org/sssd/ticket/2215
    Man page states default_shell option supersedes other shell options but in fact override_shell does.

== Detailed Changelog ==

Alexander Bokovoy (1):
 * FAST: when parsing krb5_child response, make sure to not miss OTP message if it was last one

Benjamin Franzke (1):
 * dlopen-tests: Check the result of asprintf

Jakub Hrozek (27):
 * Updating the version for the 1.11.4 release
 * LDAP: Fix typo and use the right attribute map
 * LDAP: Add a new error code for malformed access control filter
 * tests: Remove tests that check creating public directories
 * UTIL: Inherit parent domain's default_shell
 * NSS: Use plain user name when expanding homedir
 * AD: Don't fail the request if ad_account_can_shortcut fails
 * MAN: Fix a typo
 * LDAP: Fix error check
 * LDAP: Don't abort request if no id mapping domain matches
 * AD: Don't mark domain as enumerated twice
 * AD: Store info on whether a subdomain is set to enumerate
 * LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
 * LDAP: Add enum request with custom connection
 * AD: Enumerate users from GC, other entities from LDAP
 * LDAP: Don't clobber original_member during enumeration
 * DB: Add sss_ldb_el_to_string_list
 * AD: Establish cross-domain memberships after enumeration finishes
 * MAN: clarify which shell option takes precedence
 * LDAP: Detect the presence of POSIX attributes
 * AD: Only download domains that are set to enumerate
 * AD: Remove dead code
 * LDAP: Handle errors from sdap_id_op properly in enum code
 * SSS_CACHE: Reset the initgroups attribute when resetting users
 * IPA: Default to krb5_use_fast=try
 * MAN: Clarify the new krb5_use_fast IPA default
 * Updating translations for the 1.11.4 release

Lukas Slebodnik (7):
 * AD: Return right error code from netlogon_get_flat_name
 * LDAP: Don't fail if subdomain cannot be found by sid
 * LDAP: update id mapping detection for ldap provider
 * sdap_idamp: Fall back to another method if sid is wrong
 * krb5: fix warning may be used uninitialized
 * LDAP: store group if subdomain cannot be found by sid
 * LDAP: require attribute groupType for AD groups

Pavel Březina (2):
 * sudo: memset tm when converting time attributes
 * IPA: default krb5_fast_principal to host/$client@$realm

Pavel Reichl (10):
 * responder: Set forest attribute in AD domains
 * simple access: match objects using flat name
 * simple access: refresh master domain info
 * NSS: add support for subdomain_homedir
 * krb5: hint to increase krb5_auth_timeout
 * MONITOR: Incorrect permissions on sssd.conf
 * Revert "NSS: add support for subdomain_homedir"
 * AD: support for subdomain_homedir
 * MAN: update of subdomain_homedir usage
 * utils: handling NULL params in sss_parse_name

Sumit Bose (2):
 * IPA: fix for recent AD group membership changes
 * AD SRV: use right domain name for CLDAP ping