=== SSSD 1.11.5 ===

The SSSD team is proud to announce the release of version 1.11.5 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:

== Highlights ==

* This release focuses primarily on bug fixes.
* The release addresses an issue where SSSD was not able to detect
  all domains in the forest if it was connected to an AD DC which was not
  the forest root.
* A new AD sudo provider was introduced. Setting sudo_provider=ad uses
  the same connection options as id_provider=ad, which simplifies the
  configuration for users who store sudo rules on an Active Directory server.
* The ID mapping ranges are checked for collisions before being used,
  making SSSD more robust in cases where the ranges would collide.
* Password changes when using OTPs with an IPA server are now
  supported. Please note that this functionality is not present in the
  released FreeIPA versions yet.
* Several bugs related to setting an SELinux user context from an IPA
  server were fixed.
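
An illustrative sssd.conf for the new AD sudo provider (an added example, not part of the release announcement; the domain name ad.example.test, the server name and the commented-out earlier LDAP sudo settings are constructed placeholders and assumptions):

```ini
# /etc/sssd/sssd.conf (constructed example; ad.example.test is a placeholder)
[sssd]
config_file_version = 2
# The sudo responder must be listed for sudo rules to be served.
services = nss, pam, sudo
domains = ad.example.test

[domain/ad.example.test]
id_provider = ad
ad_domain = ad.example.test

# New in 1.11.5: the sudo provider reuses the connection options of
# id_provider = ad, so nothing about the server is repeated here.
sudo_provider = ad

# Assumed earlier setup, shown for contrast: with the LDAP sudo provider
# the connection had to be described a second time just for sudo.
# sudo_provider = ldap
# ldap_uri = ldap://dc1.ad.example.test
# ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=test
# ldap_sasl_mech = GSSAPI
# ldap_sasl_authid = CLIENT$@AD.EXAMPLE.TEST
```

sudo consults SSSD only when /etc/nsswitch.conf lists sss for the sudoers database, for example `sudoers: files sss`.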

== Documentation Changes ==

* A new pam_sss option ignore_unknown_user was added. Setting this option
  makes pam_sss return PAM_IGNORE when processing an unknown user instead of
  PAM_USER_UNKNOWN. This option is mostly useful for BSD systems.

== Tickets Fixed ==

    SSSD pam module accepts usernames with leading spaces
    [RFE] Expose the list of trusted domains to IPA
    If both IPA and LDAP are set up with enumeration on, two enum tasks are 
    sssd.conf man pages don't list a configuration option.
    Make SSSD compilable on systems with non-standard paths to krb5 includes
    [freebsd] pam_sss: add ignore_unknown_user option
    MAN: Remove misleading memberof example from ldap_access_filter example
    not retrieving homedirs of AD users with posix attributes
    Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes
    Check IPA idranges before saving them to the cache
    Evaluate usage of sudo LDAP provider together with the AD provider
    Setting int option to 0 yields the default value
    ipa-server-mode: Use lower-case user name component in home dir path
    SSSD Does not cache SELinux map from FreeIPA correctly
    IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
    sssd fails to handle expired passwords when OTP is used
    Add another Kerberos error code to trigger IPA password migration
    Double OK when starting the service
    SSSD should create the SELinux mapping file with format expected by 
    Valgrind: Invalid read of int while processing netgroup
    other subdomains are unavailable when joined to a subdomain in the ad forest
    Error during password change
    configure time variables not expanded when running ./configure
    RHEL7 IPA selinuxusermap hbac rule not always matching

== Detailed Changelog ==

Alexey Shabalin (1):
    * Use KRB5_CFLAGS where appropriate 

Jakub Hrozek (16):
    * Updating the version for the 1.11.5 release
    * IPA: Don't call tevent_req_post outside _send
    * IPA: Don't fail if apply_subdomain_homedir returns ENOENT
    * OPTS: Allow using defaults for blobs
    * DP: Provide separate dp_copy_defaults function
    * MAN: Clarify the ldap_access_filter option further
    * MAN: Clarify that changing ID mapping options might require purging the 
    * IPA: Do not save intermediate data to sysdb
    * AD: Only connect to GC for subdomain users
    * MAN: Clarify the GC support a bit
    * IPA: Use the correct domain when processing SELinux rules
    * IPA: Write SELinux usernames in the right case
    * KRB5: Do not attempt to get a TGT after a password change using OTP
    * AD: connect to forest root when downloading the list of subdomains
    * IPA: Fix SELinux mapping order memory hierarchy
    * Updating the translations for the 1.11.5 release 

Lukas Slebodnik (10):
    * SPEC: Use systemd on available platforms
    * LDAP: Setup periodic task only once.
    * UTIL: Sanitize whitespaces.
    * DOC: Fix names of arguments in doxygen comments
    * AD: Continue if sssd fails to check extra members
    * SYSV: Do not call functions success and fail itself
    * IPA: Use function sysdb_attrs_get_el in safe way
    * Makefile: Add missing library to the dp_opt_tests
    * TESTS: Link libsss_test_common with tevent
    * Makefile: Use alternative method to replace *bindir 

Michal Zidek (1):
    * Possible null dereference in SELinux code 

Nathaniel McCallum (1):
    * Fix krb5 changepw when FAST-only preauth methods are used (like OTP) 

Pete Fritchman (1):
    * PAM: add ignore_unknown_user option 

Stef Walter (1):
    * providers: Fix types passed to dbus varargs functions 

Sumit Bose (13):
    * IDMAP: add sss_idmap_check_collision(_ex)
    * IPA: refactor idmap code and add test
    * IPA: check ranges for collisions before saving them
    * libsss_idmap: bump version-info
    * config API: add missing subdomain target to AD provider test
    * SUDO: AD provider
    * ipa-server-mode: use lower-case user name for home dir
    * IPA: Use GC for AD initgroup requests
    * IPA/KRB5: handle KRB5_PROG_ETYPE_NOSUPP during IPA password migration
    * krb5_child: remove unused option lifetime_str from k5c_setup_fast()
    * krb5-child: extract lifetime settings into set_lifetime_options()
    * krb5_client: rename krb5_set_canonicalize() to set_canonicalize_option()
    * krb5-child: add revert_changepw_options() 
