=== SSSD 1.12.1 ===

The SSSD team is proud to announce the release of version 1.12.1 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists.

== Highlights ==

* The GPO access control was further enhanced to allow access control
  decisions while offline and to map the Windows logon rights onto Linux PAM.
* The SSSD now ships a plugin for the rpc.idmapd daemon. Please refer to
  the sss_rpcidmapd(5) man page for more details on the plugin.
* A MIT Kerberos localauth plugin was added to SSSD. This plugin helps
  translate principals to user names in IPA-AD trust scenarios, allowing
  the krb5.conf configuration to be less complex.
* A libwbclient plugin implementation is now part of the SSSD. The main
  purpose is to map Active Directory users and groups identified by their
  SID to POSIX users and groups for the file-server use-case.
* Active Directory users can now use their User Logon Name to log in.
* The sss_cache tool was enhanced to allow invalidating the SSH host keys.
* Groups without full POSIX information can now be used to enroll group
  membership (fixes CVE-2014-0249)
* Detection of transition from offline to online state was improved,
  resulting in fewer timeouts when SSSD is offline.
* The Active Directory provider now correctly detects Windows Server 2012 R2.
  Previous versions would fall back to the slower non-AD path with 2012 R2.
* Several other bugs related to deployments where SSSD is acting as an
  AD client were fixed. Please refer to the detailed changelog for more

== Packaging Changes ==

* The upstream spec file dropped support for RHEL-5
* The libwbclient plugin implementation is packaged in its own subpackage
* GPO files are stored in a new subdirectory, by default /var/lib/sss/gpo_cache

== Documentation Changes ==

* The case_sensitive option was changed to be a tri-state and accepts a
  new value "preserving". When this value is used, SSSD matches names
  case-insensitively but returns them in their original case.
* A new option override_space was added. When this option is set, a space
  character in user or group names is replaced by the character specified
  in this option.
* The NFS plugin has a new man page sss_rpcidmapd(5)
* A small random value is now added to the offline_timeout parameter value
  to avoid flooding servers with periodical online checks
* Several new GPO-related options were added. Please refer to the sssd-ad
  man page for more details. The options are prefixed with ad_gpo_*.

== Tickets Fixed ==

    Enable OpenSSH-LPK support by default
    [RFE] Allow SSSD to be used with smbd shares
    [RFE] Allow email-address in ldap_user_principal
    [RFE] Implement localauth plugin for MIT krb5 1.12
    Remove the references to RHEL5 from upstream spec file
    [GSS 7.0] if access_provider is not set sssd fails with no good error
    Failover SRV discovery not honouring priority/weight
    [PATCH] sss_cache flush ssh host keys.
    "local" auth_provider is not documented in sssd.conf
    RFE: SSSD should preserve case for user uid field.
    Push patches to bump the version info of sss_sifp
    "Mapping ID [4294967295] to SID failed" messages clutter the sssd domain log
    Man sssd-ldap shows parameter ldap_purge_cache_timeout with "Default: 10800 (12 hours)"
    offline gpo processing yields incorrect results if "tattooing" occurs

== Detailed Changelog ==

Ian Lee (1):
    * Add user lookup and session dependencies to systemd service file. 

Jakub Hrozek (45):
    * Updating the version for the 1.12.1 development
    * MAN: local auth_provider is not documented in sssd.conf
    * MAN: Document that each provider type uses its own set of options
    * No point in searching for gid if we already know the group should be 
    * Only check GID if ID-mapping
    * AD: Check return value of ad_gpo_evaluate_dacl
    * AD: Increment som_index when advancing to the next GPO
    * LDAP: Print referrals for debugging purposes
    * LDAP: Dump LDAP server IP address with a high DEBUG level
    * LDAP: Avoid undefined ret value
    * UTIL: remove get_username_from_uid
    * PAC: krb5_pac_verify failures should not be fatal
    * IFP: Fix lookups with fully-qualified names
    * RPM: Restart service in %posttrans, not %post
    * TESTS: Check if option maps have the right number of members
    * NSS: Ignore default_domain for netgroups
    * Only replace space with the specified substitution
    * Make the space override responder-agnostic
    * PAM: Use the override_space option
    * IFP: Use the override_space option
    * SUDO: Use the override_space option
    * TESTS: Add unit tests for the replace-space functionality
    * BE: Handle SIGUSR2
    * IPA: handle searches by SID in apply_subdomain_homedir
    * SYSDB: Clarify sss_ldb_modify_permissive returns ldb error code
    * Revert "IPA: new attribute map for non-posix groups"
    * Revert "IPA: process non-posix nested groups"
    * Revert "IPA: try to resolve nested groups as posix group"
    * LDAP: Do not shortcut on ret != EOK during password expiry check
    * LDAP: Split out linking primary group members into a separate function
    * LDAP: Don't add a user member twice when adding a primary group
    * LDAP: Use tmp_ctx in ldap_child for temporary data
    * LDAP: Use randomized ccname for storing credentials
    * LDAP: Add Windows Server 2012 R2 functional level
    * LDAP: Fall back to functional level of Windows Server 2003
    * LDAP: Enable tokenGroups with Windows Server 2003
    * TESTS: Add unit tests for the GPO interface
    * LDAP: Set umask before calling mkstemp
    * LDAP: Ignore returned referrals if referral support is disabled
    * LDAP: Don't reuse a single tevent callback for multiple requests
    * LDAP: Skip dereferenced entries that we are not permitted to read
    * TESTS: Add a unit test for dereference parsing
    * MAN: Add sss_rpcidmapd.5.xml to the list of translatable man pages
    * LDAP: Check return value
    * Updating translations for the 1.12.1 release 

Jan Cholasta (1):
    * SDAP: Set default value of ldap_user_ssh_public_key to "sshPublicKey" 

Lukas Slebodnik (31):
    * sss_client: thread safe initialisation of sss_cli_mc_ctx
    * sss_client: Fix memory leak in nss_mc_{group,passwd}
    * LDAP: Remove unused option ldap_netgroup_uuid
    * LDAP: Remove unused option ldap_group_uuid
    * LDAP: Remove unused option ldap_user_uuid
    * test_utils: Use common header file for libsss_util tests.
    * UTIL: Add functions for replacing whitespaces.
    * NSS: Replace spaces with specified string in names.
    * SDAP: Deref needn't be treated as critical
    * Revert "SDAP: Deref needn't be treated as critical"
    * dyndns_test: Use right socket length for IPv4 address.
    * responder-get-domains-tests: fix checking of leaks
    * test_dyndns: Use different talloc context in wrapped functions.
    * TESTS: leak_check functions shouldn't be called with NULL context
    * dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
    * test_dyndns: sss_iface_addr_list_get can return more values
    * SDAP: free subrequest in sdap_dyndns_update_addrs_done
    * SDAP: Immediately finish request for empty array
    * SDAP: Use different talloc_context for array of names
    * SDAP: Update groups for user just once.
    * SDAP: Fix using of uninitialized variable
    * strtonum-tests: Add unit test for strtouint16.
    * responder_socket_access-tests: Fix condition in loop
    * MAN: Fix a conversion of seconds to hours
    * AD: Ignore all errors if gpo is in permissive mode.
    * AUTOCONF: Update detection of libnfsidmap
    * SPEC: Use netlink library version 3 for rhel7
    * SPEC: Drop old OS conditions from spec file.
    * refcount-tests: Do not force to run test in CK_FORK mode
    * NSS: Use right domain for group members with fq names
    * pysss: test return value of realloc. 

Michal Zidek (10):
    * Add function confdb_set_string.
    * case_sensitivity = preserving
    * MAN: case_sensitivity man page update
    * Remove unused function confdb_set_bool
    * ptask: Allow adding random_offset to scheduled execution time
    * ptask: Add backoff feature to the ptask api.
    * Exit offline mode only if server is available.
    * MAN: offline_timeout
    * be_get_account_info change level of debug message
    * IFP: Suppress 'git diff' noise 

Michal Šrubař (1):
    * LDAP SUDO: sudo provider doesn't fetch 'EntryUSN' 

Nalin Dahyabhai (2):
    * sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors
    * Accept krb5 1.13 for building the PAC plugin 

Nikolai Kondrashov (10):
    * build: Remove substitution of *_OBJ variables
    * build: Mention required libini_config version
    * build: Distinguish libini_config version checks
    * build: Distinguish libnl version checks
    * build: Reverse order of libini_config checks
    * build: Move libini_config 1.1.0 check to libini_config.m4
    * build: Don't install ad and ipa man pages unnecessarily
    * Add basic support for CI test execution
    * CI: Add libnfsidmap-dev Debian dependency
    * CI: Consider libcmocka-devel always present 

Noam Meltzer (5):
    * NEW CLIENT: plugin for NFSv4 rpc.idmapd
    * NFSv4 client: (private) headers from libnfsidmap
    * NFSv4 client: add to build system
    * NFSv4 client: add to RPM spec
    * NFSv4 client: man page 

Pavel Březina (15):
    * resolv tests: remove unused variable from for loop
    * resolv tests: add test for multiple servers with zero weights
    * resolv: fix server sort by weight
    * sudo: fetch sudoRunAs attribute
    * sss_sifp test: fix object path array test
    * sss_sifp: set output parameters if attribute is NULL
    * ad_handle_acct_info_step: fix typo
    * ad: comment ENOENT when id mapping is disabled
    * ad: update membership after SIDs are resolved
    * sudo: use dbus array for rules refresh
    * sudo: replace asterisk with escape sequence in host filter
    * failover: set port status to not working if previous srv lookup failed
    * ad initgroups: continue if resolved SID is still missing
    * sudo: work with correct D-Bus iterator
    * sss_sifp: bump version to 0:1:0 

Pavel Reichl (25):
    * SYSDB: augmented logging when adding new group
    * LDAP: tokengroups do not work with id_provider=ldap
    * SDAP: Continue resolving SID even if some fail
    * UTIL: rename find_subdomain_by_sid
    * UTIL: rename find_subdomain_by_name
    * UTIL: rename find_subdomain_by_object_name
    * SDAP: remove duplicated code
    * SDAP: reduce code duplicity-rfc2307bis nested groups
    * SDAP: fix use after free in async_initgroups
    * SDAP: split sdap_access_filter_get_access_done
    * SDAP: refactor sdap_access_filter_send
    * SDAP: nitpicks in sdap_access_filter_get_access_done
    * SDAP: refactor sdap_access_filter_done
    * SDAP: don't log error on access denied
    * IPA: new attribute map for non-posix groups
    * IPA: process non-posix nested groups
    * IPA: try to resolve nested groups as posix group
    * SDAP: refactor AC offline checks
    * SDAP: new option - DN to ppolicy on LDAP
    * SDAP: account lockout to restrict access via ssh key
    * MAN: options 'lockout' and 'ldap_pwdlockout_dn'
    * SYSDB: SSS_LDB_SEARCH - macro around ldb_search
    * IPA: process non-posix nested groups
    * AD: process non-posix nested groups w/o tokenGroups
    * AD: process non-posix nested groups using tokenGroups 

Sumit Bose (17):
    * KRB5: add missing debug-to-stderr option to krb5_child
    * AD: add missing debug-to-stderr option to gpo_child
    * libwbclient: SSSD implementation
    * sss_log: fix handling of variable argument lists
    * sysdb_get_real_name: allow UPN as input
    * LDAP: If extra_value is 'U' do a UPN search
    * PAM: extract checks from parsing routines
    * PAM: remove ldb_result member from pam_auth_req context
    * NSS: check_cache() add extra option
    * PAM, NSS: allow UPN login names
    * Replace space: add some checks
    * Add conditional build for MIT Kerberos localauth plugin
    * Implement MIT Kerberos localauth plugin
    * Doxygen: replace <pre> with markdown table
    * libwbclient: make build optional
    * dlopen test: only test libwbclient when it is built
    * libwbclient: avoid collision with Samba version 

William B (1):
    * SSS_CACHE: Allow sss_cache tool to flush SSH hosts cache 

Yassir Elley (9):
    * AD-GPO: Store policy settings in local files
    * AD-GPO: add sysdb_gpo support for caching gpo version
    * AD-GPO: only download policy files if gpo version changes
    * AD-GPO: add ad_gpo_cache_timeout option
    * AD-GPO: sysdb_gpo changes for offline gpo support
    * AD-GPO: ad_gpo changes for offline gpo support
    * AD-GPO: config changes for gpo_map_* options
    * AD-GPO: processing changes for gpo_map_* options
    * AD-GPO: delete stale GPOs 

Freeipa-interest mailing list