=== SSSD 1.11.7 ===

The SSSD team is proud to announce the release of version 1.11.7 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19 and 20 shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists.

== Highlights ==

* This release focuses on delivering bug fixes and smaller features backported
  from the 1.12 line
* Several issues with retrieving the correct group memberships in the AD
  provider when it is configured to use POSIX attributes were fixed.
* The Active Directory provider now correctly detects Windows Server 2012 R2.
  Previous versions would fall back to the slower non-AD path with 2012 R2.
* Groups that lack full POSIX information are now handled correctly when
  group membership is resolved (fixes CVE-2014-0249).
* Detection of the transition from offline to online state was improved,
  resulting in fewer timeouts while SSSD is offline.
* If referrals are disabled with a config option (or by default in the AD
  provider), any referral returned by the server is now ignored. Previously,
  the back end would switch to offline mode on encountering a referral.

== Documentation Changes ==

* A new option override_space was added. When this option is set, a space
  character in user or group names is replaced by the character specified
  in this option.
* A small random value is now added to the offline_timeout parameter value
  to avoid flooding servers with periodic online checks.
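The override_space option maps every space in a directory name onto one substitute character, and that mapping is not injective: a directory that contains both "john doe" and "john_doe" collapses both onto the same client-facing name, so a lookup or authentication for "john_doe" can no longer be attributed to one account. The following is an added illustration, not SSSD's implementation (the release notes do not describe how SSSD itself treats such collisions): it performs the substitution in both directions, shows why the blind reverse substitution is wrong, and includes the audit check an administrator would run over the domain's user and group names before enabling the option. The sample directory is constructed.

```python
"""Space-override name mapping, as an added illustration (not SSSD's own code).

A directory name such as "john doe" is shown to NSS/PAM clients as "john_doe"
when override_space = _ is set. The mapping is many-to-one: a literal
"john_doe" in the directory produces the same client name. The helpers below
make that ambiguity explicit instead of silently picking one account.
"""

from typing import Dict, Iterable, List, Optional


class SpaceOverride:
    def __init__(self, subst: str) -> None:
        # A space or empty substitution would make the option a no-op; reject it
        # here rather than hand out names that still contain spaces.
        if len(subst) != 1 or subst.isspace():
            raise ValueError("override_space must be a single non-space character")
        self.subst = subst

    def to_client(self, directory_name: str) -> str:
        """Directory name -> name handed to NSS/PAM/sudo clients."""
        return directory_name.replace(" ", self.subst)

    def naive_reverse(self, client_name: str) -> str:
        """Client name -> directory name by blind reverse substitution.

        This is the obvious inverse, but it is wrong for any directory name
        that legitimately contains the substitute character.
        """
        return client_name.replace(self.subst, " ")

    def resolve(self, client_name: str,
                directory_names: Iterable[str]) -> Optional[str]:
        """Client name -> the unique directory name that maps onto it.

        Returns None when nothing matches or when more than one directory
        entry collapses onto the same client name; a caller should treat the
        latter as a configuration error, not pick a winner.
        """
        matches = [d for d in directory_names if self.to_client(d) == client_name]
        return matches[0] if len(matches) == 1 else None

    def collisions(self, directory_names: Iterable[str]) -> Dict[str, List[str]]:
        """Audit check: client names that more than one directory entry produces.

        Run this over the user and group names of the domain before turning
        override_space on; an empty result means the mapping is unambiguous.
        """
        seen: Dict[str, List[str]] = {}
        for d in directory_names:
            seen.setdefault(self.to_client(d), []).append(d)
        return {c: names for c, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample directory: one name with a space, one with a
    # literal underscore, and one that is unaffected by the override.
    directory = ["john doe", "john_doe", "alice"]
    ov = SpaceOverride("_")
    print(ov.to_client("john doe"))           # john_doe
    print(ov.naive_reverse("john_doe"))       # john doe (the literal account is lost)
    print(ov.resolve("john_doe", directory))  # None: ambiguous
    print(ov.collisions(directory))           # {'john_doe': ['john doe', 'john_doe']}
```

The collision check is the part worth keeping: if it reports anything for the substitute character you intend to use, pick a character that does not occur in any existing name, or rename the colliding entries first, before setting override_space.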

== Tickets Fixed ==

   [RFE] Add option for sssd to replace space with specified character in LDAP 
   [RFE] Add fallback to sudoRunAs when sudoRunAsUser is not defined and no ldap_sudorule_runasuser mapping has been defined in SSSD
   Expired shadow policy user(shadowLastChange=0) is not prompted for password 
   CVE-2014-0249 sssd: incorrect expansion of group membership when encountering a non-POSIX group [fedora-all]
   tokengroups do not work with id_provider=ldap
   public key validator is too strict and does not allow newlines anywhere in the public key string, not even at the end
   Requests queued during transition from offline to online mode
   The SSSD dbus service should retry system bus connection if it fails
   RFE: Be able to configure sssd to honor openldap account lock to restrict access via ssh key
   sudo: invalid sudoHost filter with asterisk
   Race condition in the client code
   dereferencing control failure against openldap server
   ad: group membership is empty when id mapping is off and tokengroups are 
   Problems with tokengroups and ldap_group_search_base
   Failover does not always happen from SRV to hostname resolution(via 
   sssd_be segfaults in ldb_msg_find_element
   Auth fails when space in username is replaced with character set by 
   RHEL6.6 sssd not running after upgrade
   sssd can't retrieve sudo rules when using the "default_domain_suffix" option
   clarify the offline timeout in man page
   IFP: FQDN lookups are broken
   use-after-free in dyndns code
   Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
   simple_allow_groups does not lookup groups from other AD domains
   On error, libnss_sss can mistakenly close descriptors it doesn't "own"
   Race condition between sudo refresh
   sssd does not recognize Windows server 2012 R2's LDAP as AD
   Dereference code errors out when dereferencing entries protected by ACIs
   ipa user private group not found

== Detailed Changelog ==

Ian Lee (1):
    * Add user lookup and session dependencies to systemd service file. 

Jakub Hrozek (32):
    * Updating the version for the 1.11.7 release
    * BUILD: dbusintrospectdir is not used anymore
    * IFP: Fix DEBUG messages
    * IFP: Return a specific value on failure connecting to the system bus
    * IFP: Provide a SBUS method to reconnect to sysbus
    * MONITOR: Signal InfoPipe to reconnect on SIGUSR2
    * TOOLS: New helper tool sss_signal
    * BUILD: Add the DBus service activation
    * IFP: Fix lookups with fully-qualified names
    * RPM: Restart service in %posttrans, not %post
    * NSS: Ignore default_domain for netgroups
    * Only replace space with the specified substitution
    * Make the space override responder-agnostic
    * PAM: Use the override_space option
    * IFP: Use the override_space option
    * SUDO: Use the override_space option
    * IPA: handle searches by SID in apply_subdomain_homedir
    * Revert "IPA: new attribute map for non-posix groups"
    * Revert "IPA: process non-posix nested groups"
    * Revert "IPA: try to resolve nested groups as posix group"
    * LDAP: Do not shortcut on ret != EOK during password expiry check
    * LDAP: Split out linking primary group members into a separate function
    * LDAP: Don't add a user member twice when adding a primary group
    * LDAP: Use tmp_ctx in ldap_child for temporary data
    * LDAP: Use randomized ccname for storing credentials
    * LDAP: Add Windows Server 2012 R2 functional level
    * LDAP: Fall back to functional level of Windows Server 2003
    * LDAP: Enable tokenGroups with Windows Server 2003
    * LDAP: Ignore returned referrals if referral support is disabled
    * LDAP: Skip dereferenced entries that we are not permitted to read
    * Ignore referrals in deref and ASQ, too
    * Updating the translations for the 1.11.7 release 

Jan Cholasta (1):
    * SSH: Allow newline at the end of public key values in LDAP 

Lukas Slebodnik (19):
    * Don't use macro _XOPEN_SOURCE for function strptime
    * sss_client: thread safe initialisation of sss_cli_mc_ctx
    * sss_client: Fix memory leak in nss_mc_{group,passwd}
    * LDAP: Remove unused option ldap_netgroup_uuid
    * LDAP: Remove unused option ldap_group_uuid
    * LDAP: Remove unused option ldap_user_uuid
    * test_utils: Use common header file for libsss_util tests.
    * UTIL: Add functions for replacing whitespaces.
    * NSS: Replace spaces with specified string in names.
    * dyndns_test: Use right socket length for IPv4 address.
    * responder-get-domains-tests: fix checking of leaks
    * test_dyndns: Use different talloc context in wrapped functions.
    * TESTS: leak_check functions shouldn't be called with NULL context
    * dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
    * test_dyndns: sss_iface_addr_list_get can return more values
    * SDAP: free subrequest in sdap_dyndns_update_addrs_done
    * SDAP: Immediately finish request for empty array
    * SDAP: Use different talloc_context for array of names
    * SDAP: Update groups for user just once. 

Michal Zidek (6):
    * ptask: Allow adding random_offset to scheduled execution time
    * ptask: Add backoff feature to the ptask api.
    * Exit offline mode only if server is available.
    * MAN: How much time sssd spends offline
    * Add alternative objectClass to group attribute maps
    * Use the alternative objectclass in group maps. 

Michal Šrubař (1):
    * LDAP SUDO: sudo provider doesn't fetch 'EntryUSN' 

Nalin Dahyabhai (1):
    * sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors 

Nikolai Kondrashov (1):
    * build: Switch back to DISTCHECK_CONFIGURE_FLAGS 

Pavel Březina (9):
    * sbus_request: fix potential NULL dereference
    * ad: comment ENOENT when id mapping is disabled
    * ad: update membership after SIDs are resolved
    * sudo: fetch sudoRunAs attribute
    * sudo: use dbus array for rules refresh
    * sudo: replace asterisk with escape sequence in host filter
    * failover: set port status to not working if previous srv lookup failed
    * ad initgroups: continue if resolved SID is still missing
    * sudo: work with correct D-Bus iterator 

Pavel Reichl (18):
    * TESTS: sss_ssh - textual public key format
    * LDAP: tokengroups do not work with id_provider=ldap
    * SDAP: Continue resolving SID even if some fail
    * IPA: new attribute map for non-posix groups
    * IPA: process non-posix nested groups
    * IPA: try to resolve nested groups as posix group
    * SDAP: split sdap_access_filter_get_access_done
    * SDAP: refactor sdap_access_filter_send
    * SDAP: nitpicks in sdap_access_filter_get_access_done
    * SDAP: refactor sdap_access_filter_done
    * SDAP: don't log error on access denied
    * SDAP: refactor AC offline checks
    * SDAP: new option - DN to ppolicy on LDAP
    * SDAP: account lockout to restrict access via ssh key
    * MAN: options 'lockout' and 'ldap_pwdlockout_dn'
    * IPA: process non-posix nested groups
    * AD: process non-posix nested groups w/o tokenGroups
    * AD: process non-posix nested groups using tokenGroups 

Sumit Bose (1):
    * Replace space: add some checks 

Freeipa-interest mailing list