=== SSSD 1.11.4 ===

The SSSD team is proud to announce the release of version 1.11.4 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:

== Highlights ==

* This release focuses primarily on bug fixes, especially for use cases
  where SSSD is acting as an Active Directory client
* The simple access provider supports specifying users and groups using
  their NetBIOS domain name (such as `DOMAIN\username`)
* Support for enumerating users and groups from trusted AD domains was
  added to the AD provider
* The Active Directory site discovery was made more robust for configurations
  which use multiple trusted domains
* Several bugs in the LDAP provider that affected setups which mapped
  Windows SIDs to POSIX IDs were fixed
* The SSSD is now able to use One Time Password (OTP) authentication
  configured on an IPA server. Please note that this functionality is not
  present in the released FreeIPA versions yet

== Documentation Changes ==

* The `krb5_use_fast` option changes its default from `never` to `try` in the
  IPA provider. The config option value did not change in the other providers.

== Tickets Fixed ==

    AD Enumeration reads data from LDAP while regular lookups connect to GC
   Implement heuristics to detect if POSIX attributes have been replicated
   to the Global Catalog or not
   sssd_be crashes when ad_access_filter uses FOREST keyword.
   "System Error" when invalid ad_access_filter is used
   RHEL7 sssd not setting IPA AD trusted user homedir
   Enabling ldap_id_mapping doesn't exclude uidNumber in filter
   FAST does not work in SSSD 1.11.2 in Fedora 20
   Access denied for users from gc domain when using format DOMAIN\user
   Group membership lookup issue
   Group lookup does not return member with multiple names after user lookup
   sssd ad trusted sub domain do not inherit fallbacks and overrides settings
   sssd_be crashes when ldap_search_base cannot be parsed.
   sssd_be aborts a request if it doesn't match any configured idmap domain
   sssd_be should hint about increasing the krb5_auth_timeout if krb5 auth
   times out
   Warn with a user-friendly error message when permissions on sssd.conf
   are incorrect
   sudo rules time filter is nondeterministic
    Man page states default_shell option supersedes other shell options
    but in fact override_shell does.

== Detailed Changelog ==

Alexander Bokovoy (1):
      * FAST: when parsing krb5_child response, make sure to not miss OTP 
message if it was last one

Benjamin Franzke (1):
      * dlopen-tests: Check the result of asprintf

Jakub Hrozek (27):
      * Updating the version for the 1.11.4 release
      * LDAP: Fix typo and use the right attribute map
      * LDAP: Add a new error code for malformed access control filter
      * tests: Remove tests that check creating public directories
      * UTIL: Inherit parent domain's default_shell
      * NSS: Use plain user name when expanding homedir
      * AD: Don't fail the request if ad_account_can_shortcut fails
      * MAN: Fix a typo
      * LDAP: Fix error check
      * LDAP: Don't abort request if no id mapping domain matches
      * AD: Don't mark domain as enumerated twice
      * AD: Store info on whether a subdomain is set to enumerate
      * LDAP: Pass a private context to enumeration ptask instead of hardcoded 
      * LDAP: Add enum request with custom connection
      * AD: Enumerate users from GC, other entities from LDAP
      * LDAP: Don't clobber original_member during enumeration
      * DB: Add sss_ldb_el_to_string_list
      * AD: Establish cross-domain memberships after enumeration finishes
      * MAN: clarify which shell option takes precedence
      * LDAP: Detect the presence of POSIX attributes
      * AD: Only download domains that are set to enumerate
      * AD: Remove dead code
      * LDAP: Handle errors from sdap_id_op properly in enum code
      * SSS_CACHE: Reset the initgroups attribute when resetting users
      * IPA: Default to krb5_use_fast=try
      * MAN: Clarify the new krb5_use_fast IPA default
      * Updating translations for the 1.11.4 release

Lukas Slebodnik (7):
      * AD: Return right error code from netlogon_get_flat_name
      * LDAP: Don't fail if subdomain cannot be found by sid
      * LDAP: update id mapping detection for ldap provider
      * sdap_idamp: Fall back to another method if sid is wrong
      * krb5: fix warning may be used uninitialized
      * LDAP: store group if subdomain cannot be found by sid
      * LDAP: require attribute groupType for AD groups

Pavel Březina (2):
      * sudo: memset tm when converting time attributes
      * IPA: default krb5_fast_principal to host/$client@$realm

Pavel Reichl (10):
      * responder: Set forest attribute in AD domains
      * simple access: match objects using flat name
      * simple access: refresh master domain info
      * NSS: add support for subdomain_homedir
      * krb5: hint to increase krb5_auth_timeout
      * MONITOR: Incorrect permissions on sssd.conf
      * Revert "NSS: add support for subdomain_homedir"
      * AD: support for subdomain_homedir
      * MAN: update of subdomain_homedir usage
      * utils: handling NULL params in sss_parse_name

Sumit Bose (2):
      * IPA: fix for recent AD group membership changes
      * AD SRV: use right domain name for CLDAP ping

Freeipa-interest mailing list

Reply via email to