=== SSSD 1.12.3 === The SSSD team is proud to announce the release of version 1.12.3 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora 21 and rawhide shortly. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * This is mostly a bug fixing release with only minor enhancements visible to the end user * Contains many fixes and enhancements related to the ID views functionality of FreeIPA servers * SSSD now allows the IPA client to move from one ID view to another after SSSD restart * It is possible to apply ID views to IPA domains as well. Previous SSSD versions only allowed views to be applied to AD trusted domains * Overriding SSH public keys is supported in this release * This release contains several fixes and enhancements related to users and groups from trusted AD domains * When a trusted AD domain is disabled on the server side, access is denied for users logging in from these domains * External group memberships (i.e. memberships in IPA groups) are now resolved correctly for trusted AD users * The localauth plugin configuration is written into the pubconf directory which should be included from krb5.conf on IPA clients. As a result, the localauth plugin should be configured automatically on IPA clients. * Password change when One-Time-Passwords are used was fixed * The tokenGroups support was disabled by default in the LDAP provider. The tokenGroups support is still enabled by default in the AD provider * Simple access provider skips user or group names that can't be resolved if only allow rules are configured == Packaging Changes == * Support for running SSSD as a non-privileged user was added. SSSD's directories must be owned by this user, hence SSSD needs to be configured properly at build time, using the new configure option --with-sssd-user. Additionally, the non-privileged user must also be selected in sssd.conf using the "user" configuration option. == Documentation Changes == * A new configuration option "krb5_confd_path" was added. This option specifies the directory where SSSD places Kerberos configuration snippets. * The default value of "ldap_user_uuid" was changed to be "objectSID" for the AD back end and unset for all other back ends. * The option "ldap_use_tokengroups" changed its default value to True for AD and IPA providers only. * The "allowed_shells" option newly accepts the wildcard ("*") value, allowing any shell == Tickets Fixed == https://fedorahosted.org/sssd/ticket/1195 4 functions with reference leaks within sssd (src/python/pyhbac.c) https://fedorahosted.org/sssd/ticket/1939 Create unit test for be_ptask https://fedorahosted.org/sssd/ticket/2102 disable midpoint refresh for netgroups if ptask refresh is enabled https://fedorahosted.org/sssd/ticket/2219 Shell fallback mechanism in SSSD https://fedorahosted.org/sssd/ticket/2370 sssd should run under unprivileged user https://fedorahosted.org/sssd/ticket/2372 SELinux: Audit changes to the SELinux label files https://fedorahosted.org/sssd/ticket/2404 Remove password from the PAM stack if OTP is used https://fedorahosted.org/sssd/ticket/2430 sssd segfaults repeatedly with error 4 in memberof.so https://fedorahosted.org/sssd/ticket/2439 Return a different errno from client when sssd is not running. https://fedorahosted.org/sssd/ticket/2445 Race condition while invalidating memory cache in client code https://fedorahosted.org/sssd/ticket/2451 sssd-ldap man page changes, add 'access_provider = ldap' as a requirement 'ldap_access_order = for lockout' https://fedorahosted.org/sssd/ticket/2454 [RFE] Views: apply user SSH public key override https://fedorahosted.org/sssd/ticket/2456 Error message not helpful if extdom lookup fails https://fedorahosted.org/sssd/ticket/2460 service lookups returned in lowercase with case_sensitive=preserving https://fedorahosted.org/sssd/ticket/2461 Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving https://fedorahosted.org/sssd/ticket/2462 Manpage description of case_sensitive=preserving is incomplete https://fedorahosted.org/sssd/ticket/2464 Use ldap_extra_attrs when requesting attributes from extdom plugin https://fedorahosted.org/sssd/ticket/2467 Set the right permissions in Makefile.am when installing from source https://fedorahosted.org/sssd/ticket/2468 Don't set the umask in the utility function that creates sockets https://fedorahosted.org/sssd/ticket/2470 refactor create_pipe_fd() https://fedorahosted.org/sssd/ticket/2473 RFE: Add a configuration option to specify where a snippet with sssd_krb5_localauth_plugin.so is generated https://fedorahosted.org/sssd/ticket/2475 Wrong results returned with enumeration https://fedorahosted.org/sssd/ticket/2477 SSSD doesn't tell that it can't start because of no longer existent ID range https://fedorahosted.org/sssd/ticket/2481 ID Views implementation does not support IPA user&group overrides https://fedorahosted.org/sssd/ticket/2484 Password change over ssh doesn't work with OTP and FreeIPA https://fedorahosted.org/sssd/ticket/2487 sssd does not work with custom value of option re_expression https://fedorahosted.org/sssd/ticket/2490 dereferencing failure against openldap server https://fedorahosted.org/sssd/ticket/2492 Group membership gets lost in IPA server mode https://fedorahosted.org/sssd/ticket/2498 "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd. https://fedorahosted.org/sssd/ticket/2501 pam_sss domains option: Untrusted users from the same domain are allowed to auth. https://fedorahosted.org/sssd/ticket/2503 Use the MEMORY ccache to pass around keytab contents https://fedorahosted.org/sssd/ticket/2506 Check unlink return values to silence Coverity warnings https://fedorahosted.org/sssd/ticket/2510 The Kerberos provider is not properly views-aware https://fedorahosted.org/sssd/ticket/2512 selinuxusermap rule does not apply to trusted AD users https://fedorahosted.org/sssd/ticket/2514 gid is overridden by uid in default trust view https://fedorahosted.org/sssd/ticket/2516 pam_sss domains option: User auth should fail when domains=<emtpy value> https://fedorahosted.org/sssd/ticket/2518 SSSD master doesn't build on RHEL-6 https://fedorahosted.org/sssd/ticket/2519 SSSD should not fail authentication when only allow rules are used https://fedorahosted.org/sssd/ticket/2520 Crash in function get_object_from_cache https://fedorahosted.org/sssd/ticket/2521 be_ptask unit test fails sometimes https://fedorahosted.org/sssd/ticket/2524 getent fails for posix group with AD users after login https://fedorahosted.org/sssd/ticket/2526 User is unable to authenticate if the option krb5_fast_principal is NULL https://fedorahosted.org/sssd/ticket/2529 IPA: incomplete group memberships for AD users on IPA clients https://fedorahosted.org/sssd/ticket/2530 MAN: Document that only usernames are checked for pam_trusted_uids https://fedorahosted.org/sssd/ticket/2535 Access is not rejected for disabled domain https://fedorahosted.org/sssd/ticket/2537 sssd-libwbclient conflicts with Samba's and causes crash in wbinfo == Detailed Changelog == Carlos A. Munoz (1): * Add zanata.xml file for integration with Zanata command line client Dan Lavu (3): * MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451 * MAN: page edit for ldap_use_tokengroups * MAN: Clarify ad_gpo_map* options Denis Kutin (1): * NSS: Possibility to use any shells in 'allowed_shells' Jakub Hrozek (68): * Updating the version for the 1.12.3 development * SSSD: Add the options to specify a UID and GID to run as * SSSD: Chown the log files * UTIL: Use a custom PID_PATH and DB_PATH when unit testing server.c * TESTS: Unit tests can use confdb without using sysdb * TESTS: Unit tests for server_setup * RPM: Package the libsss_semanage.so library * IPA: Handle NULL members in process_members() * UTIL: Add a function to convert id_t from a number or a name * BUILD: Add a config option for sssd user, own private directories as the user * RPM: Change file ownership to sssd.sssd * SSSD: Load a user to run a service as from configuration * SBUS: Chown the sbus socket if needed * SBUS: Allow connections from other UIDs * BE: Own the sbus socket as the SSSD user * NSS: Run as a user specified by monitor * TEST: Unit test for create_pipe_fd * AUTOFS: Run the autofs responder as the SSSD user * PAC: Run the pac responder as the SSSD user * SUDO: Run the sudo responder as the SSSD user * SSH: Run the ssh responder as the SSSD user * GPO: Terminate request on error * TESTS: Add tests for the views-related option maps * IPA: Don't fail the request when BE doesn't find the object * IPA: Rename user_dom into obj_dom * BUILD: Install ldap_child and as setuid if running under non-privileged user * LDAP: Move sss_krb5_verify_keytab_ex to ldap_child * LDAP: read the correct data type from ldap_child's input buffer * LDAP: Drop privileges after kinit in ldap_child * UTIL: Remove code duplication of struct io * UTIL: Remove more code duplication setting up child processes * IPA: Move setting the SELinux context to a child process * BE: Make struct bet_queue_item private to sssd_be * BUILD: Install krb5_child as suid if running under non-privileged user * KRB5: Drop privileges in the child, not the back end * KRB5: Move ccache-related functions to krb5_ccache.c * KRB5: Move checking for illegal RE to krb5_utils.c * KRB5: Move all ccache operations to krb5_child.c * KRB5: Do not switch_creds() if already the specified user * BUILD: Use separate chown to make changing ownership to the sssd user non-fatal * BUILD: Make chown of files to sssd user non-fatal * BUILD: Touch files in DESTDIR * BE: Become a regular user after initialization * BE: Fix a debug message * IPA: Handle IPA groups returned from extop plugin * Hint about removing sysdb if initializing ID map fails * PAM: Make pam_forwarder_parse_data static * SBUS: Initialize DBusError before using it * PAM: Check for trusted domain before sending the request to BE * PAM: Move is_uid_trusted from pam_ctx to preq * TESTS: Basic child tests * Add extra_args to exec_child() * KRB5: Create the fast ccache in a child process * LDAP: Remove useless include * sss_atomic_write_s() return value is signed * KRB5: Relax DEBUG message * TESTS: Build test_child even without cmocka * Rename test-child to dummy-child * CI: Suppress memory errors from poptGetNextOpt * tests: Free popt_context * IFP: Return group names with the right case * KRB5: Check FAST kinit errors using get_tgt_times() * Skip CHAUTHTOK_PRELIM when using OTPs * PAM: Domain names are case-insensitive * PAM: Missing argument to domains= should fail auth * MAN: Misspelled username in pam_trusted_users is not fatal * RESPONDER: Log failures to resolve user names in csv_string_to_uid_array * Updating translations for the 1.12.3 release Lukas Slebodnik (28): * BUILD: Fix automake warning * test_server: Fix waiting for background process * SPEC: Print testsuite log for failed test * SBUS: Fix error handling after closing container * BUILD: Fix linking cwrap tests with -Wl,--as-needed * test_sysdb_views: Use unique directory for cache * IPA: Store right username to selinux child context * PAM: Remove authtok from PAM stack with OTP * NSS: Fix warning enumerated type mixed with another type * Revert "LDAP: Change defaults for ldap_user/group_objectsid" * AD: Change level of debug message * CI: Build sssd on debian with samba support * LDAP: Disable token groups by default * sss_client: Extract destroying of mmap cache to function * sss_client: Fix race condition in memory cache * krb5: Check return value of krb5_principal_get_realm * krb5: Check return value of sss_krb5_princ_realm * AD: Set dp_error if gc was not used * TOOLS: sss_debuglevel should worh with ifp responder * CI: Update valgrind suppresion database for libselinux * IPA: Do not append domain name to fq name * sss_client: Work around glibc bug * MAKE: Fix linking of test_child_common * UTIL: Fix dependencies of internal sss libraries * BUILD: Install libsss_crypt after its dependencies * MONITOR: Disable inlining of function load_configuration * krb5_child: Initialize REALM earlier * IPA: properly handle groups from different domains Michal Zidek (21): * util: Move semanage related functions to src/util * sss_semanage: Add mlsrange parameter to set_seuser * IPA: Use set_seuser instead of writing selinux login file * MONITOR: Allow confdb to be accessed by nonroot user * SYSDB: Allow calling chown on the sysdb file from monitor * responder_common: Create fd for pipe in helper * responders: Do not initialize pipe fd if already present * PAM: Create pipe file descriptors before privileges are dropped * PAM: Run pam responder as nonroot * nss: preserve service name in getsrv call * MONITOR: Fix warning may be used uninitialized * selinux_child: Do not ignore return values. * proxy: Do not try to store same alias twice * PROXY: Preserve service name in proxy provider * MAN: Update case_sensitive=Preserving in man pages. * Man: debug_timestamps and debug_microseconds * test: Wrong parameter type in sss_parse_name_check * util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name * util: sss_get_domain_name regex mismatch not fatal * confdb: Make confdb_set_string accept const char pointer * AD: Never store case_sensitive as "true" to confdb Nikolai Kondrashov (1): * CI: Remove Clang analyzer Pavel Březina (8): * IPA: use ipaUserGroup object class for groups * be_ptask: create a private header file * be_ptask: handle OFFLINE_DISABLE mode before task execution * be_ptask: add next_execution time to struct be_ptask * be_ptask: do not store sync ctx to _task * tests: be_ptask * be_ptask: let backoff affect only period * be_ptask: use gettimeofday() instead of time() Pavel Reichl (20): * TESTS: Add -std=gnu99 to cwrap tests CFLAGS * Fix debug messages - trailing '.' * pyhbac,pysss: fix reference leaks * RESPONDERS: refactor create_pipe_fd() * RESPONDERS: Don't hard-code umask value in utility function * RESPONDERS: Set default value for umask * CONFDB: Detect&fix misconf opt refresh_expired_interval * NSS: disable midpoint refresh for netgroups * SYSDB: sysdb_idmap_get_mappings returns ENOENT * Fix: always check return value of unlink() * BUILD: restrict perms. when installing from source * SYSDB: sysdb_get_bool() return ENOENT & unit tests * simple access provider: non-existing object * simple-access-provider: break matching allowed users * LDAP: retain external members * TESTS: sysdb_delete_by_sid() test return value * NSS: nss_cmd_getbysid_search return ENOENT * SYSDB: sysdb_search_object_by_sid returns ENOENT * CONFDB: Typo in debug message * TESTS: typo in 'assert message' Stephen Gallagher (1): * monitor: Service restart fixes Sumit Bose (48): * ipa: fix issues with older servers not supporting views * ipa: improve error reporting for extdom LDAP exop * ipa_subdomains_handler_master_done: initialize reply_count * nss: group enumeration fix * sdap_print_server: use getpeername() to get server address * IFP: Fix typo in debug message * memberof: check for empty arrays to avoid segfaults * Add add_strings_lists() utility function * IPA: inherit ldap_user_extra_attrs to AD subdomains * Add parse_attr_list_ex() helper function * nss: parse user_attributes option * nss: return user_attributes in origbyname request * sysdb_get_user_attr_with_views: add mandatory override attributes * sysdb_add_overrides_to_object: add new parameter and multi-value support * Views: apply user SSH public key override * Add test for sysdb_add_overrides_to_object() * Add ssh pubkey to origbyname request * Revert "LDAP: Remove unused option ldap_user_uuid" * Revert "LDAP: Remove unused option ldap_group_uuid" * Fix uuid defaults * sysdb: add sysdb_search_object_by_uuid() * ipa: add split_ipa_anchor() * LDAP: add support for lookups by UUID * LDAP: always store UUID if available * ipa: add get_be_acct_req_for_uuid() * IPA: make get_object_from_cache() public * IPA: check overrrides for IPA users as well * Enable views for all domains * Fix KRB5_CONF_PATH * AD/IPA: add krb5_confd_path configuration option * sysdb: add sysdb_delete_view_tree() * sysdb: add sysdb_invalidate_overrides() * views: allow view name change at startup * krb5: make krb5 provider view aware * IPA: only update view data if it really changed * krb5: do not fail if checking the old ccache failed * test: avoid leaks in leak tests * krb5: add copy_ccache_into_memory() * krb5: add copy_keytab_into_memory() * ldap_child: copy keytab into memory to drop privileges earlier * krb5_child: become user earlier * krb5: add wrapper for krb5_kt_have_content() * krb5: handle KRB5KRB_ERR_GENERIC as unspecific error * IPA: verify group memberships of trusted domain users * IPA: do not try to add override gid twice * IPA: handle GID overrides for MPG domains on clients * libwbclient: initialize some return values * Add test for sysdb_store_override _______________________________________________ Freeipa-interest mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-interest