=== SSSD 1.12.3 ===

The SSSD team is proud to announce the release of version 1.12.3 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

 * This is mostly a bug fixing release with only minor enhancements visible
   to the end user
 * Contains many fixes and enhancements related to the ID views functionality of
   FreeIPA servers
   * SSSD now allows the IPA client to move from one ID view to another
     after SSSD restart
   * It is possible to apply ID views to IPA domains as well. Previous SSSD
     versions only allowed views to be applied to AD trusted domains
   * Overriding SSH public keys is supported in this release
 * This release contains several fixes and enhancements related to users
   and groups from trusted AD domains
   * When a trusted AD domain is disabled on the server side, access is
     denied for users logging in from these domains
   * External group memberships (i.e. memberships in IPA groups) are now
     resolved correctly for trusted AD users
   * The localauth plugin configuration is written into the pubconf directory
     which should be included from krb5.conf on IPA clients. As a result,
     the localauth plugin should be configured automatically on IPA clients.
 * Password change when One-Time-Passwords are used was fixed
 * The tokenGroups support was disabled by default in the LDAP provider. The
   tokenGroups support is still enabled by default in the AD provider
 * Simple access provider skips user or group names that can't be resolved
   if only allow rules are configured

== Packaging Changes ==

 * Support for running SSSD as a non-privileged user was added. SSSD's
   directories must be owned by this user, hence SSSD needs to be
   configured properly at build time, using the new configure option
   --with-sssd-user. Additionally, the non-privileged user must also be
   selected in sssd.conf using the "user" configuration option.

== Documentation Changes ==

 * A new configuration option "krb5_confd_path" was added. This option
   specifies the directory where SSSD places Kerberos configuration snippets.
 * The default value of "ldap_user_uuid" was changed to be "objectSID"
   for the AD back end and unset for all other back ends.
 * The option "ldap_use_tokengroups" changed its default value to True
   for AD and IPA providers only.
 * The "allowed_shells" option now accepts the wildcard ("*") value, allowing
   any shell
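To show how the packaging and documentation changes above fit together, here is an added sssd.conf fragment; it is example configuration written for this page, not a file shipped with the release. It assumes the build was configured with `./configure --with-sssd-user=sssd`, that a local `sssd` user exists, and that the domain name, server name and the snippet directory path are placeholders to be replaced with site values.

```ini
# Added example sssd.conf fragment (not from the SSSD 1.12.3 announcement).
# Assumes the package was built with --with-sssd-user=sssd and that a local
# "sssd" user owns SSSD's directories. Domain, server and paths are placeholders.
[sssd]
services = nss, pam, ssh
domains = example.com
# Run responders and back ends as the unprivileged build-time user instead
# of root; the value must match the user given to --with-sssd-user.
user = sssd

[nss]
# "*" accepts any login shell; earlier releases only honoured an explicit list.
allowed_shells = *

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
# Directory where SSSD writes Kerberos snippets such as the localauth plugin
# configuration. Assumed path: point krb5.conf's includedir at the same place.
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d
# tokenGroups lookups stay on by default for the AD and IPA providers only;
# a plain LDAP provider would need this line to re-enable them.
ldap_use_tokengroups = True
```

For a domain using `id_provider = ldap`, the last line is the one that changes behaviour in this release: without it, tokenGroups is now off and group membership is resolved through ordinary LDAP queries.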

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1195
    4 functions with reference leaks within sssd (src/python/pyhbac.c)
https://fedorahosted.org/sssd/ticket/1939
    Create unit test for be_ptask
https://fedorahosted.org/sssd/ticket/2102
    disable midpoint refresh for netgroups if ptask refresh is enabled
https://fedorahosted.org/sssd/ticket/2219
    Shell fallback mechanism in SSSD
https://fedorahosted.org/sssd/ticket/2370
    sssd should run under unprivileged user
https://fedorahosted.org/sssd/ticket/2372
    SELinux: Audit changes to the SELinux label files
https://fedorahosted.org/sssd/ticket/2404
    Remove password from the PAM stack if OTP is used
https://fedorahosted.org/sssd/ticket/2430
    sssd segfaults repeatedly with error 4 in memberof.so
https://fedorahosted.org/sssd/ticket/2439
    Return a different errno from client when sssd is not running.
https://fedorahosted.org/sssd/ticket/2445
    Race condition while invalidating memory cache in client code
https://fedorahosted.org/sssd/ticket/2451
    sssd-ldap man page changes, add 'access_provider = ldap' as a requirement
    'ldap_access_order = for lockout'
https://fedorahosted.org/sssd/ticket/2454
    [RFE] Views: apply user SSH public key override
https://fedorahosted.org/sssd/ticket/2456
    Error message not helpful if extdom lookup fails
https://fedorahosted.org/sssd/ticket/2460
    service lookups returned in lowercase with case_sensitive=preserving
https://fedorahosted.org/sssd/ticket/2461
    Proxy Provider: Fails to lookup case sensitive users and groups with
    case_sensitive=preserving
https://fedorahosted.org/sssd/ticket/2462
    Manpage description of case_sensitive=preserving is incomplete
https://fedorahosted.org/sssd/ticket/2464
    Use ldap_extra_attrs when requesting attributes from extdom plugin
https://fedorahosted.org/sssd/ticket/2467
    Set the right permissions in Makefile.am when installing from source
https://fedorahosted.org/sssd/ticket/2468
    Don't set the umask in the utility function that creates sockets
https://fedorahosted.org/sssd/ticket/2470
    refactor create_pipe_fd()
https://fedorahosted.org/sssd/ticket/2473
    RFE: Add a configuration option to specify where a snippet with
    sssd_krb5_localauth_plugin.so is generated
https://fedorahosted.org/sssd/ticket/2475
    Wrong results returned with enumeration
https://fedorahosted.org/sssd/ticket/2477
    SSSD doesn't tell that it can't start because of no longer existent ID range
https://fedorahosted.org/sssd/ticket/2481
    ID Views implementation does not support IPA user&group overrides
https://fedorahosted.org/sssd/ticket/2484
    Password change over ssh doesn't work with OTP and FreeIPA
https://fedorahosted.org/sssd/ticket/2487
    sssd does not work with custom value of option re_expression
https://fedorahosted.org/sssd/ticket/2490
    dereferencing failure against openldap server
https://fedorahosted.org/sssd/ticket/2492
    Group membership gets lost in IPA server mode
https://fedorahosted.org/sssd/ticket/2498
    "debug_timestamps = false" and "debug_microseconds = true" do not work
    after enabling journald with sssd.
https://fedorahosted.org/sssd/ticket/2501
    pam_sss domains option: Untrusted users from the same domain are allowed to
    auth.
https://fedorahosted.org/sssd/ticket/2503
    Use the MEMORY ccache to pass around keytab contents
https://fedorahosted.org/sssd/ticket/2506
    Check unlink return values to silence Coverity warnings
https://fedorahosted.org/sssd/ticket/2510
    The Kerberos provider is not properly views-aware
https://fedorahosted.org/sssd/ticket/2512
    selinuxusermap rule does not apply to trusted AD users
https://fedorahosted.org/sssd/ticket/2514
    gid is overridden by uid in default trust view
https://fedorahosted.org/sssd/ticket/2516
    pam_sss domains option: User auth should fail when domains=<empty value>
https://fedorahosted.org/sssd/ticket/2518
    SSSD master doesn't build on RHEL-6
https://fedorahosted.org/sssd/ticket/2519
    SSSD should not fail authentication when only allow rules are used
https://fedorahosted.org/sssd/ticket/2520
    Crash in function get_object_from_cache
https://fedorahosted.org/sssd/ticket/2521
    be_ptask unit test fails sometimes
https://fedorahosted.org/sssd/ticket/2524
    getent fails for posix group with AD users after login
https://fedorahosted.org/sssd/ticket/2526
    User is unable to authenticate if the option krb5_fast_principal is NULL
https://fedorahosted.org/sssd/ticket/2529
    IPA: incomplete group memberships for AD users on IPA clients
https://fedorahosted.org/sssd/ticket/2530
    MAN: Document that only usernames are checked for pam_trusted_uids
https://fedorahosted.org/sssd/ticket/2535
    Access is not rejected for disabled domain
https://fedorahosted.org/sssd/ticket/2537
    sssd-libwbclient conflicts with Samba's and causes crash in wbinfo

== Detailed Changelog ==

Carlos A. Munoz (1):
      * Add zanata.xml file for integration with Zanata command line client

Dan Lavu (3):
      * MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451
      * MAN: page edit for ldap_use_tokengroups
      * MAN: Clarify ad_gpo_map* options

Denis Kutin (1):
      * NSS: Possibility to use any shells in 'allowed_shells'

Jakub Hrozek (68):
      * Updating the version for the 1.12.3 development
      * SSSD: Add the options to specify a UID and GID to run as
      * SSSD: Chown the log files
      * UTIL: Use a custom PID_PATH and DB_PATH when unit testing server.c
      * TESTS: Unit tests can use confdb without using sysdb
      * TESTS: Unit tests for server_setup
      * RPM: Package the libsss_semanage.so library
      * IPA: Handle NULL members in process_members()
      * UTIL: Add a function to convert id_t from a number or a name
      * BUILD: Add a config option for sssd user, own private directories as
        the user
      * RPM: Change file ownership to sssd.sssd
      * SSSD: Load a user to run a service as from configuration
      * SBUS: Chown the sbus socket if needed
      * SBUS: Allow connections from other UIDs
      * BE: Own the sbus socket as the SSSD user
      * NSS: Run as a user specified by monitor
      * TEST: Unit test for create_pipe_fd
      * AUTOFS: Run the autofs responder as the SSSD user
      * PAC: Run the pac responder as the SSSD user
      * SUDO: Run the sudo responder as the SSSD user
      * SSH: Run the ssh responder as the SSSD user
      * GPO: Terminate request on error
      * TESTS: Add tests for the views-related option maps
      * IPA: Don't fail the request when BE doesn't find the object
      * IPA: Rename user_dom into obj_dom
      * BUILD: Install ldap_child and as setuid if running under non-privileged
        user
      * LDAP: Move sss_krb5_verify_keytab_ex to ldap_child
      * LDAP: read the correct data type from ldap_child's input buffer
      * LDAP: Drop privileges after kinit in ldap_child
      * UTIL: Remove code duplication of struct io
      * UTIL: Remove more code duplication setting up child processes
      * IPA: Move setting the SELinux context to a child process
      * BE: Make struct bet_queue_item private to sssd_be
      * BUILD: Install krb5_child as suid if running under non-privileged user
      * KRB5: Drop privileges in the child, not the back end
      * KRB5: Move ccache-related functions to krb5_ccache.c
      * KRB5: Move checking for illegal RE to krb5_utils.c
      * KRB5: Move all ccache operations to krb5_child.c
      * KRB5: Do not switch_creds() if already the specified user
      * BUILD: Use separate chown to make changing ownership to the sssd user
        non-fatal
      * BUILD: Make chown of files to sssd user non-fatal
      * BUILD: Touch files in DESTDIR
      * BE: Become a regular user after initialization
      * BE: Fix a debug message
      * IPA: Handle IPA groups returned from extop plugin
      * Hint about removing sysdb if initializing ID map fails
      * PAM: Make pam_forwarder_parse_data static
      * SBUS: Initialize DBusError before using it
      * PAM: Check for trusted domain before sending the request to BE
      * PAM: Move is_uid_trusted from pam_ctx to preq
      * TESTS: Basic child tests
      * Add extra_args to exec_child()
      * KRB5: Create the fast ccache in a child process
      * LDAP: Remove useless include
      * sss_atomic_write_s() return value is signed
      * KRB5: Relax DEBUG message
      * TESTS: Build test_child even without cmocka
      * Rename test-child to dummy-child
      * CI: Suppress memory errors from poptGetNextOpt
      * tests: Free popt_context
      * IFP: Return group names with the right case
      * KRB5: Check FAST kinit errors using get_tgt_times()
      * Skip CHAUTHTOK_PRELIM when using OTPs
      * PAM: Domain names are case-insensitive
      * PAM: Missing argument to domains= should fail auth
      * MAN: Misspelled username in pam_trusted_users is not fatal
      * RESPONDER: Log failures to resolve user names in csv_string_to_uid_array
      * Updating translations for the 1.12.3 release

Lukas Slebodnik (28):
      * BUILD: Fix automake warning
      * test_server: Fix waiting for background process
      * SPEC: Print testsuite log for failed test
      * SBUS: Fix error handling after closing container
      * BUILD: Fix linking cwrap tests with -Wl,--as-needed
      * test_sysdb_views: Use unique directory for cache
      * IPA: Store right username to selinux child context
      * PAM: Remove authtok from PAM stack with OTP
      * NSS: Fix warning enumerated type mixed with another type
      * Revert "LDAP: Change defaults for ldap_user/group_objectsid"
      * AD: Change level of debug message
      * CI: Build sssd on debian with samba support
      * LDAP: Disable token groups by default
      * sss_client: Extract destroying of mmap cache to function
      * sss_client: Fix race condition in memory cache
      * krb5: Check return value of krb5_principal_get_realm
      * krb5: Check return value of sss_krb5_princ_realm
      * AD: Set dp_error if gc was not used
      * TOOLS: sss_debuglevel should work with ifp responder
      * CI: Update valgrind suppression database for libselinux
      * IPA: Do not append domain name to fq name
      * sss_client: Work around glibc bug
      * MAKE: Fix linking of test_child_common
      * UTIL: Fix dependencies of internal sss libraries
      * BUILD: Install libsss_crypt after its dependencies
      * MONITOR: Disable inlining of function load_configuration
      * krb5_child: Initialize REALM earlier
      * IPA: properly handle groups from different domains

Michal Zidek (21):
      * util: Move semanage related functions to src/util
      * sss_semanage: Add mlsrange parameter to set_seuser
      * IPA: Use set_seuser instead of writing selinux login file
      * MONITOR: Allow confdb to be accessed by nonroot user
      * SYSDB: Allow calling chown on the sysdb file from monitor
      * responder_common: Create fd for pipe in helper
      * responders: Do not initialize pipe fd if already present
      * PAM: Create pipe file descriptors before privileges are dropped
      * PAM: Run pam responder as nonroot
      * nss: preserve service name in getsrv call
      * MONITOR: Fix warning may be used uninitialized
      * selinux_child: Do not ignore return values.
      * proxy: Do not try to store same alias twice
      * PROXY: Preserve service name in proxy provider
      * MAN: Update case_sensitive=Preserving in man pages.
      * Man: debug_timestamps and debug_microseconds
      * test: Wrong parameter type in sss_parse_name_check
      * util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name
      * util: sss_get_domain_name regex mismatch not fatal
      * confdb: Make confdb_set_string accept const char pointer
      * AD: Never store case_sensitive as "true" to confdb

Nikolai Kondrashov (1):
      * CI: Remove Clang analyzer

Pavel Březina (8):
      * IPA: use ipaUserGroup object class for groups
      * be_ptask: create a private header file
      * be_ptask: handle OFFLINE_DISABLE mode before task execution
      * be_ptask: add next_execution time to struct be_ptask
      * be_ptask: do not store sync ctx to _task
      * tests: be_ptask
      * be_ptask: let backoff affect only period
      * be_ptask: use gettimeofday() instead of time()

Pavel Reichl (20):
      * TESTS: Add -std=gnu99 to cwrap tests CFLAGS
      * Fix debug messages - trailing '.'
      * pyhbac,pysss: fix reference leaks
      * RESPONDERS: refactor create_pipe_fd()
      * RESPONDERS: Don't hard-code umask value in utility function
      * RESPONDERS: Set default value for umask
      * CONFDB: Detect&fix misconf opt refresh_expired_interval
      * NSS: disable midpoint refresh for netgroups
      * SYSDB: sysdb_idmap_get_mappings returns ENOENT
      * Fix: always check return value of unlink()
      * BUILD: restrict perms. when installing from source
      * SYSDB: sysdb_get_bool() return ENOENT & unit tests
      * simple access provider: non-existing object
      * simple-access-provider: break matching allowed users
      * LDAP: retain external members
      * TESTS: sysdb_delete_by_sid() test return value
      * NSS: nss_cmd_getbysid_search return ENOENT
      * SYSDB: sysdb_search_object_by_sid returns ENOENT
      * CONFDB: Typo in debug message
      * TESTS: typo in 'assert message'

Stephen Gallagher (1):
      * monitor: Service restart fixes

Sumit Bose (48):
      * ipa: fix issues with older servers not supporting views
      * ipa: improve error reporting for extdom LDAP exop
      * ipa_subdomains_handler_master_done: initialize reply_count
      * nss: group enumeration fix
      * sdap_print_server: use getpeername() to get server address
      * IFP: Fix typo in debug message
      * memberof: check for empty arrays to avoid segfaults
      * Add add_strings_lists() utility function
      * IPA: inherit ldap_user_extra_attrs to AD subdomains
      * Add parse_attr_list_ex() helper function
      * nss: parse user_attributes option
      * nss: return user_attributes in origbyname request
      * sysdb_get_user_attr_with_views: add mandatory override attributes
      * sysdb_add_overrides_to_object: add new parameter and multi-value support
      * Views: apply user SSH public key override
      * Add test for sysdb_add_overrides_to_object()
      * Add ssh pubkey to origbyname request
      * Revert "LDAP: Remove unused option ldap_user_uuid"
      * Revert "LDAP: Remove unused option ldap_group_uuid"
      * Fix uuid defaults
      * sysdb: add sysdb_search_object_by_uuid()
      * ipa: add split_ipa_anchor()
      * LDAP: add support for lookups by UUID
      * LDAP: always store UUID if available
      * ipa: add get_be_acct_req_for_uuid()
      * IPA: make get_object_from_cache() public
      * IPA: check overrides for IPA users as well
      * Enable views for all domains
      * Fix KRB5_CONF_PATH
      * AD/IPA: add krb5_confd_path configuration option
      * sysdb: add sysdb_delete_view_tree()
      * sysdb: add sysdb_invalidate_overrides()
      * views: allow view name change at startup
      * krb5: make krb5 provider view aware
      * IPA: only update view data if it really changed
      * krb5: do not fail if checking the old ccache failed
      * test: avoid leaks in leak tests
      * krb5: add copy_ccache_into_memory()
      * krb5: add copy_keytab_into_memory()
      * ldap_child: copy keytab into memory to drop privileges earlier
      * krb5_child: become user earlier
      * krb5: add wrapper for krb5_kt_have_content()
      * krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
      * IPA: verify group memberships of trusted domain users
      * IPA: do not try to add override gid twice
      * IPA: handle GID overrides for MPG domains on clients
      * libwbclient: initialize some return values
      * Add test for sysdb_store_override

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest