=== SSSD 1.12.3 ===

The SSSD team is proud to announce the release of version 1.12.3 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists.

== Highlights ==

 * This is mostly a bug-fixing release with only minor enhancements visible
   to the end user
 * Contains many fixes and enhancements related to the ID views functionality of
   FreeIPA servers
   * SSSD now allows the IPA client to move from one ID view to another
     after an SSSD restart
   * It is now possible to apply ID views to IPA domains as well. Previous SSSD
     versions only allowed views to be applied to AD trusted domains
   * Overriding SSH public keys is supported in this release
 * This release contains several fixes and enhancements related to users
   and groups from trusted AD domains
   * When a trusted AD domain is disabled on the server side, access is
     denied for users logging in from that domain
   * External group memberships (i.e. memberships in IPA groups) are now
     resolved correctly for trusted AD users
   * The localauth plugin configuration is written into the pubconf directory,
     which should be included from krb5.conf on IPA clients. As a result,
     the localauth plugin should be configured automatically on IPA clients.
 * Password change when One-Time Passwords (OTP) are used was fixed
 * The tokenGroups support is now disabled by default in the LDAP provider. It
   is still enabled by default in the AD provider
 * The simple access provider now skips user or group names that can't be
   resolved if only allow rules are configured
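The following is an added example, not code from the SSSD project: a Python model of the simple access provider's decision, including the 1.12.3 behaviour for names that cannot be resolved. The evaluation order it uses (user deny list, user allow list, group deny list, group allow list, then a default that denies whenever any allow list is configured) is this example's reading of sssd-simple(5), not text from these release notes; the lookup callback, the directory contents and the sssd.conf snippets are constructed. The security-relevant point it demonstrates is the asymmetry: with allow-only rules a stale or misspelled name is skipped, but as soon as a deny rule exists an unresolvable name makes the check fail closed instead of silently shrinking a deny list.

```python
import configparser

LIST_OPTIONS = ("simple_allow_users", "simple_deny_users",
                "simple_allow_groups", "simple_deny_groups")


class AccessError(Exception):
    """The check could not be completed; the caller must treat it as a denial."""


def parse_simple_config(conf_text, domain):
    """Return {option: tuple of names, or None when the option is absent} for
    one [domain/<name>] section.  A present-but-empty option parses to ()."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sect = cp["domain/%s" % domain]
    cfg = {}
    for opt in LIST_OPTIONS:
        if opt in sect:
            cfg[opt] = tuple(n.strip() for n in sect[opt].split(",") if n.strip())
        else:
            cfg[opt] = None
    return cfg


def access_decision(username, user_groups, cfg, lookup):
    """Return (granted, reason).  lookup(kind, name) returns the canonical
    name or raises LookupError; kind is "user" or "group"."""
    allow_only = (cfg["simple_deny_users"] is None
                  and cfg["simple_deny_groups"] is None)

    def resolve(opt, kind):
        names = set()
        for name in cfg[opt] or ():
            try:
                names.add(lookup(kind, name))
            except LookupError:
                if allow_only:
                    continue        # 1.12.3: skipped when only allow rules exist
                raise AccessError("%s: cannot resolve %s %r; failing closed"
                                  % (opt, kind, name))
        return names

    try:
        deny_users = resolve("simple_deny_users", "user")
        allow_users = resolve("simple_allow_users", "user")
        deny_groups = resolve("simple_deny_groups", "group")
        allow_groups = resolve("simple_allow_groups", "group")
    except AccessError as err:
        return False, str(err)

    groups = set(user_groups)
    if username in deny_users:
        return False, "user in simple_deny_users"
    if username in allow_users:
        return True, "user in simple_allow_users"
    if groups & deny_groups:
        return False, "member of a simple_deny_groups group"
    if groups & allow_groups:
        return True, "member of a simple_allow_groups group"
    allow_configured = (cfg["simple_allow_users"] is not None
                        or cfg["simple_allow_groups"] is not None)
    if allow_configured:
        return False, "allow lists configured and none matched"
    return True, "no allow list configured and not denied"


# Constructed directory: what the identity provider can resolve.
DIRECTORY = {"user": {"alice", "bob"}, "group": {"admins", "devs"}}


def directory_lookup(kind, name):
    if name not in DIRECTORY[kind]:
        raise LookupError("%s %r not found" % (kind, name))
    return name


# Constructed sssd.conf: "legacy-ops" and "mallory" do not exist in DIRECTORY.
CONF = """\
[domain/example]
access_provider = simple
simple_allow_groups = admins, legacy-ops

[domain/strict]
access_provider = simple
simple_allow_groups = admins
simple_deny_users = mallory

[domain/locked]
access_provider = simple
simple_allow_users =
"""

if __name__ == "__main__":
    for domain, user, groups in (("example", "alice", {"admins"}),
                                 ("example", "bob", {"devs"}),
                                 ("strict", "alice", {"admins"}),
                                 ("locked", "alice", {"admins"})):
        cfg = parse_simple_config(CONF, domain)
        print(domain, user, access_decision(user, groups, cfg, directory_lookup))
```

In the "example" domain the unresolvable group is ignored and admins still log in; in "strict" the same user is refused because a deny rule references a name the provider cannot resolve; in "locked" an empty allow list denies everyone, which is the documented effect of a present-but-empty simple_allow_users.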

== Packaging Changes ==

 * Support for running SSSD as a non-privileged user was added. SSSD's
   directories must be owned by this user, so SSSD needs to be configured
   for it at build time, using the new configure option --with-sssd-user.
   Additionally, the non-privileged user must also be selected in sssd.conf
   using the "user" configuration option.
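The following is an added example, not code from the SSSD project: a Python check that reads the "user" option from an sssd.conf and verifies the on-disk layout that an unprivileged SSSD needs, so a build-time --with-sssd-user that disagrees with the runtime configuration is caught before the daemon fails to start. The directory and helper paths are assumptions following the Fedora layout (--localstatedir=/var, --libexecdir=/usr/libexec); the helpers it expects to be setuid root are krb5_child and ldap_child, the two this release's changelog names as installed setuid when SSSD runs unprivileged. The sssd.conf snippets and the staged tree in run_demo() are constructed.

```python
import configparser
import os
import pwd
import stat
import tempfile

# Assumed Fedora layout; adjust to the build's --localstatedir/--libexecdir.
SSSD_DIRS = [
    "/var/lib/sss/db",
    "/var/lib/sss/pipes",
    "/var/lib/sss/pipes/private",
    "/var/lib/sss/pubconf",
    "/var/lib/sss/mc",
    "/var/log/sssd",
]
# Helpers installed setuid when SSSD runs unprivileged: they read the keytab
# as root and drop privileges themselves (see the krb5_child/ldap_child
# commits in the changelog).  Assumed paths.
SETUID_HELPERS = [
    "/usr/libexec/sssd/krb5_child",
    "/usr/libexec/sssd/ldap_child",
]


def configured_user(conf_text):
    """Value of the [sssd] "user" option, or "root" when it is not set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("sssd", "user", fallback="root").strip()


def uid_from_passwd(name):
    return pwd.getpwnam(name).pw_uid


def audit(conf_text, root="/", dirs=SSSD_DIRS, helpers=SETUID_HELPERS,
          resolve_uid=uid_from_passwd):
    """Return a list of findings; an empty list means the tree under `root`
    (/ or a staged DESTDIR) is consistent with the configured user."""
    user = configured_user(conf_text)
    uid = resolve_uid(user)
    if uid == 0:
        return []                       # SSSD stays root: nothing to check
    findings = []
    for d in dirs:
        path = os.path.join(root, d.lstrip("/"))
        if not os.path.isdir(path):
            findings.append("missing directory: %s" % path)
        elif os.stat(path).st_uid != uid:
            findings.append("%s not owned by %s (uid %d)" % (path, user, uid))
    for h in helpers:
        path = os.path.join(root, h.lstrip("/"))
        if not os.path.isfile(path):
            findings.append("missing helper: %s" % path)
            continue
        st = os.stat(path)
        if st.st_uid != 0 or not st.st_mode & stat.S_ISUID:
            findings.append("%s must be root-owned and setuid when user=%s"
                            % (path, user))
    return findings


# Constructed configurations.
CONF_UNPRIV = """\
[sssd]
user = sssd
services = nss, pam
domains = example
"""
CONF_ROOT = """\
[sssd]
services = nss, pam
domains = example
"""


def run_demo():
    """Stage a constructed tree in a temp dir and audit it with both configs.
    Directories are owned by the stand-in 'sssd' uid; the helpers are plain
    files, so the setuid check is expected to fire for them."""
    sssd_uid = os.getuid() or 65534     # when run as root, stand in with 65534
    fake_uids = {"sssd": sssd_uid, "root": 0}
    with tempfile.TemporaryDirectory() as root:
        for d in SSSD_DIRS:
            path = os.path.join(root, d.lstrip("/"))
            os.makedirs(path, exist_ok=True)
            if os.getuid() == 0:
                os.chown(path, sssd_uid, -1)
        for h in SETUID_HELPERS:
            path = os.path.join(root, h.lstrip("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        unpriv = audit(CONF_UNPRIV, root, resolve_uid=fake_uids.__getitem__)
        as_root = audit(CONF_ROOT, root, resolve_uid=fake_uids.__getitem__)
    return unpriv, as_root


if __name__ == "__main__":
    unpriv, as_root = run_demo()
    print("user=sssd:", *unpriv, sep="\n  ")
    print("root:", as_root)
```

Run it as root against a live system with audit(open("/etc/sssd/sssd.conf").read()) after make install; the resolver is a parameter so the same check can be pointed at a staged DESTDIR whose passwd database differs from the build host's.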

== Documentation Changes ==

 * A new configuration option "krb5_confd_path" was added. This option
   specifies the directory where SSSD places Kerberos configuration snippets.
 * The default value of "ldap_user_uuid" was changed to be "objectSID"
   for the AD back end and unset for all other back ends.
 * The option "ldap_use_tokengroups" changed its default value to True
   for AD and IPA providers only.
 * The "allowed_shells" option now accepts the wildcard ("*") value, allowing
   any shell
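The following is an added example, not code from the SSSD project: a Python model of the login-shell override rules that sssd.conf(5) documents for the [nss] section (override_shell, default_shell, vetoed_shells, allowed_shells, shell_fallback), with the wildcard value for allowed_shells that this release introduces. It follows the documented evaluation order: a vetoed shell is always replaced by shell_fallback, a shell listed in /etc/shells is used as-is, a shell that is allowed (explicitly or via "*") but not installed falls back to shell_fallback, and anything else gets a nologin shell. The nologin path, the stand-in /etc/shells list, the sssd.conf snippets and the user entries are constructed.

```python
import configparser

NOLOGIN_SHELL = "/sbin/nologin"      # assumed path of the nologin shell

# Constructed stand-in for /etc/shells (SSSD reads the real file at start-up,
# so a newly installed shell needs an SSSD restart to be recognised).
ETC_SHELLS = ("/bin/sh", "/bin/bash")


def csv_option(value):
    return tuple(v.strip() for v in value.split(",") if v.strip())


def load_nss_shell_options(conf_text):
    """Shell-related options from the [nss] section of an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    nss = cp["nss"] if cp.has_section("nss") else {}
    return {
        "allowed_shells": csv_option(nss.get("allowed_shells", "")),
        "vetoed_shells": csv_option(nss.get("vetoed_shells", "")),
        "shell_fallback": nss.get("shell_fallback", "/bin/sh"),
        "default_shell": nss.get("default_shell", "") or None,
        "override_shell": nss.get("override_shell", "") or None,
    }


def resolve_shell(user_shell, etc_shells=ETC_SHELLS, allowed_shells=(),
                  vetoed_shells=(), shell_fallback="/bin/sh",
                  default_shell=None, override_shell=None):
    """Return the shell handed to NSS for a user whose directory entry
    carries `user_shell` ("" when the provider returned none)."""
    if override_shell:
        return override_shell            # unconditional override wins
    if not user_shell:
        return default_shell or ""       # no shell from the provider
    if not allowed_shells and not vetoed_shells:
        return user_shell                # no restrictions configured
    if user_shell in vetoed_shells:
        return shell_fallback            # vetoed: replaced even if installed
    if user_shell in etc_shells:
        return user_shell                # installed: used as-is
    if "*" in allowed_shells or user_shell in allowed_shells:
        return shell_fallback            # allowed but not installed
    return NOLOGIN_SHELL                 # neither allowed nor installed


# Constructed configurations.
CONF_WILDCARD = """\
[nss]
allowed_shells = *
vetoed_shells = /bin/csh
shell_fallback = /bin/sh
default_shell = /bin/bash
"""
CONF_STRICT = """\
[nss]
allowed_shells = /bin/bash, /usr/bin/zsh
shell_fallback = /bin/sh
"""

# Constructed entries: user name -> loginShell as returned by the provider.
USERS = {"alice": "/bin/bash", "bob": "/usr/bin/zsh",
         "carol": "/bin/csh", "dave": ""}


def shells_for(conf_text, users=USERS, etc_shells=ETC_SHELLS):
    opts = load_nss_shell_options(conf_text)
    return {name: resolve_shell(shell, etc_shells, **opts)
            for name, shell in users.items()}


if __name__ == "__main__":
    print("wildcard:", shells_for(CONF_WILDCARD))
    print("strict:  ", shells_for(CONF_STRICT))
```

With the wildcard configuration bob's uninstalled zsh degrades to shell_fallback instead of a nologin shell, which is the case the "*" value was added for; with the strict list carol's csh is refused outright because it is neither allowed nor installed.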

== Tickets Fixed ==

    4 functions with reference leaks within sssd (src/python/pyhbac.c)
    Create unit test for be_ptask
    disable midpoint refresh for netgroups if ptask refresh is enabled
    Shell fallback mechanism in SSSD
    sssd should run under unprivileged user
    SELinux: Audit changes to the SELinux label files
    Remove password from the PAM stack if OTP is used
    sssd segfaults repeatedly with error 4 in memberof.so
    Return a different errno from client when sssd is not running.
    Race condition while invalidating memory cache in client code
    sssd-ldap man page changes, add 'access_provider = ldap' as a requirement for 'ldap_access_order = lockout'
    [RFE] Views: apply user SSH public key override
    Error message not helpful if extdom lookup fails
    service lookups returned in lowercase with case_sensitive=preserving
    Proxy Provider: Fails to lookup case sensitive users and groups with 
    Manpage description of case_sensitive=preserving is incomplete
    Use ldap_extra_attrs when requesting attributes from extdom plugin
    Set the right permissions in Makefile.am when installing from source
    Don't set the umask in the utility function that creates sockets
    refactor create_pipe_fd()
    RFE: Add a configuration option to specify where a snippet with sssd_krb5_localauth_plugin.so is generated
    Wrong results returned with enumeration
    SSSD doesn't tell that it can't start because of no longer existent ID range
    ID Views implementation does not support IPA user&group overrides
    Password change over ssh doesn't work with OTP and FreeIPA
    sssd does not work with custom value of option re_expression
    dereferencing failure against openldap server
    Group membership gets lost in IPA server mode
    "debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.
    pam_sss domains option: Untrusted users from the same domain are allowed to 
    Use the MEMORY ccache to pass around keytab contents
    Check unlink return values to silence Coverity warnings
    The Kerberos provider is not properly views-aware
    selinuxusermap rule does not apply to trusted AD users
    gid is overridden by uid in default trust view
    pam_sss domains option: User auth should fail when domains=<empty value>
    SSSD master doesn't build on RHEL-6
    SSSD should not fail authentication when only allow rules are used
    Crash in function get_object_from_cache
    be_ptask unit test fails sometimes
    getent fails for posix group with AD users after login
    User is unable to authenticate if the option krb5_fast_principal is NULL
    IPA: incomplete group memberships for AD users on IPA clients
    MAN: Document that only usernames are checked for pam_trusted_uids
    Access is not rejected for disabled domain
    sssd-libwbclient conflicts with Samba's and causes crash in wbinfo

== Detailed Changelog ==
Carlos A. Munoz (1):
      * Add zanata.xml file for integration with Zanata command line client

Dan Lavu (3):
      * MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451
      * MAN: page edit for ldap_use_tokengroups
      * MAN: Clarify ad_gpo_map* options

Denis Kutin (1):
      * NSS: Possibility to use any shells in 'allowed_shells'

Jakub Hrozek (68):
      * Updating the version for the 1.12.3 development
      * SSSD: Add the options to specify a UID and GID to run as
      * SSSD: Chown the log files
      * UTIL: Use a custom PID_PATH and DB_PATH when unit testing server.c
      * TESTS: Unit tests can use confdb without using sysdb
      * TESTS: Unit tests for server_setup
      * RPM: Package the libsss_semanage.so library
      * IPA: Handle NULL members in process_members()
      * UTIL: Add a function to convert id_t from a number or a name
      * BUILD: Add a config option for sssd user, own private directories as the user
      * RPM: Change file ownership to sssd.sssd
      * SSSD: Load a user to run a service as from configuration
      * SBUS: Chown the sbus socket if needed
      * SBUS: Allow connections from other UIDs
      * BE: Own the sbus socket as the SSSD user
      * NSS: Run as a user specified by monitor
      * TEST: Unit test for create_pipe_fd
      * AUTOFS: Run the autofs responder as the SSSD user
      * PAC: Run the pac responder as the SSSD user
      * SUDO: Run the sudo responder as the SSSD user
      * SSH: Run the ssh responder as the SSSD user
      * GPO: Terminate request on error
      * TESTS: Add tests for the views-related option maps
      * IPA: Don't fail the request when BE doesn't find the object
      * IPA: Rename user_dom into obj_dom
      * BUILD: Install ldap_child and as setuid if running under non-privileged 
      * LDAP: Move sss_krb5_verify_keytab_ex to ldap_child
      * LDAP: read the correct data type from ldap_child's input buffer
      * LDAP: Drop privileges after kinit in ldap_child
      * UTIL: Remove code duplication of struct io
      * UTIL: Remove more code duplication setting up child processes
      * IPA: Move setting the SELinux context to a child process
      * BE: Make struct bet_queue_item private to sssd_be
      * BUILD: Install krb5_child as suid if running under non-privileged user
      * KRB5: Drop privileges in the child, not the back end
      * KRB5: Move ccache-related functions to krb5_ccache.c
      * KRB5: Move checking for illegal RE to krb5_utils.c
      * KRB5: Move all ccache operations to krb5_child.c
      * KRB5: Do not switch_creds() if already the specified user
      * BUILD: Use separate chown to make changing ownership to the sssd user 
      * BUILD: Make chown of files to sssd user non-fatal
      * BUILD: Touch files in DESTDIR
      * BE: Become a regular user after initialization
      * BE: Fix a debug message
      * IPA: Handle IPA groups returned from extop plugin
      * Hint about removing sysdb if initializing ID map fails
      * PAM: Make pam_forwarder_parse_data static
      * SBUS: Initialize DBusError before using it
      * PAM: Check for trusted domain before sending the request to BE
      * PAM: Move is_uid_trusted from pam_ctx to preq
      * TESTS: Basic child tests
      * Add extra_args to exec_child()
      * KRB5: Create the fast ccache in a child process
      * LDAP: Remove useless include
      * sss_atomic_write_s() return value is signed
      * KRB5: Relax DEBUG message
      * TESTS: Build test_child even without cmocka
      * Rename test-child to dummy-child
      * CI: Suppress memory errors from poptGetNextOpt
      * tests: Free popt_context
      * IFP: Return group names with the right case
      * KRB5: Check FAST kinit errors using get_tgt_times()
      * Skip CHAUTHTOK_PRELIM when using OTPs
      * PAM: Domain names are case-insensitive
      * PAM: Missing argument to domains= should fail auth
      * MAN: Misspelled username in pam_trusted_users is not fatal
      * RESPONDER: Log failures to resolve user names in csv_string_to_uid_array
      * Updating translations for the 1.12.3 release

Lukas Slebodnik (28):
      * BUILD: Fix automake warning
      * test_server: Fix waiting for background process
      * SPEC: Print testsuite log for failed test
      * SBUS: Fix error handling after closing container
      * BUILD: Fix linking cwrap tests with -Wl,--as-needed
      * test_sysdb_views: Use unique directory for cache
      * IPA: Store right username to selinux child context
      * PAM: Remove authtok from PAM stack with OTP
      * NSS: Fix warning enumerated type mixed with another type
      * Revert "LDAP: Change defaults for ldap_user/group_objectsid"
      * AD: Change level of debug message
      * CI: Build sssd on debian with samba support
      * LDAP: Disable token groups by default
      * sss_client: Extract destroying of mmap cache to function
      * sss_client: Fix race condition in memory cache
      * krb5: Check return value of krb5_principal_get_realm
      * krb5: Check return value of sss_krb5_princ_realm
      * AD: Set dp_error if gc was not used
      * TOOLS: sss_debuglevel should work with ifp responder
      * CI: Update valgrind suppression database for libselinux
      * IPA: Do not append domain name to fq name
      * sss_client: Work around glibc bug
      * MAKE: Fix linking of test_child_common
      * UTIL: Fix dependencies of internal sss libraries
      * BUILD: Install libsss_crypt after its dependencies
      * MONITOR: Disable inlining of function load_configuration
      * krb5_child: Initialize REALM earlier
      * IPA: properly handle groups from different domains

Michal Zidek (21):
      * util: Move semanage related functions to src/util
      * sss_semanage: Add mlsrange parameter to set_seuser
      * IPA: Use set_seuser instead of writing selinux login file
      * MONITOR: Allow confdb to be accessed by nonroot user
      * SYSDB: Allow calling chown on the sysdb file from monitor
      * responder_common: Create fd for pipe in helper
      * responders: Do not initialize pipe fd if already present
      * PAM: Create pipe file descriptors before privileges are dropped
      * PAM: Run pam responder as nonroot
      * nss: preserve service name in getsrv call
      * MONITOR: Fix warning may be used uninitialized
      * selinux_child: Do not ignore return values.
      * proxy: Do not try to store same alias twice
      * PROXY: Preserve service name in proxy provider
      * MAN: Update case_sensitive=Preserving in man pages.
      * Man: debug_timestamps and debug_microseconds
      * test: Wrong parameter type in sss_parse_name_check
      * util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name
      * util: sss_get_domain_name regex mismatch not fatal
      * confdb: Make confdb_set_string accept const char pointer
      * AD: Never store case_sensitive as "true" to confdb

Nikolai Kondrashov (1):
      * CI: Remove Clang analyzer

Pavel Březina (8):
      * IPA: use ipaUserGroup object class for groups
      * be_ptask: create a private header file
      * be_ptask: handle OFFLINE_DISABLE mode before task execution
      * be_ptask: add next_execution time to struct be_ptask
      * be_ptask: do not store sync ctx to _task
      * tests: be_ptask
      * be_ptask: let backoff affect only period
      * be_ptask: use gettimeofday() instead of time()

Pavel Reichl (20):
      * TESTS: Add -std=gnu99 to cwrap tests CFLAGS
      * Fix debug messages - trailing '.'
      * pyhbac,pysss: fix reference leaks
      * RESPONDERS: refactor create_pipe_fd()
      * RESPONDERS: Don't hard-code umask value in utility function
      * RESPONDERS: Set default value for umask
      * CONFDB: Detect&fix misconf opt refresh_expired_interval
      * NSS: disable midpoint refresh for netgroups
      * SYSDB: sysdb_idmap_get_mappings returns ENOENT
      * Fix: always check return value of unlink()
      * BUILD: restrict perms. when installing from source
      * SYSDB: sysdb_get_bool() return ENOENT & unit tests
      * simple access provider: non-existing object
      * simple-access-provider: break matching allowed users
      * LDAP: retain external members
      * TESTS: sysdb_delete_by_sid() test return value
      * NSS: nss_cmd_getbysid_search return ENOENT
      * SYSDB: sysdb_search_object_by_sid returns ENOENT
      * CONFDB: Typo in debug message
      * TESTS: typo in 'assert message'

Stephen Gallagher (1):
      * monitor: Service restart fixes

Sumit Bose (48):
      * ipa: fix issues with older servers not supporting views
      * ipa: improve error reporting for extdom LDAP exop
      * ipa_subdomains_handler_master_done: initialize reply_count
      * nss: group enumeration fix
      * sdap_print_server: use getpeername() to get server address
      * IFP: Fix typo in debug message
      * memberof: check for empty arrays to avoid segfaults
      * Add add_strings_lists() utility function
      * IPA: inherit ldap_user_extra_attrs to AD subdomains
      * Add parse_attr_list_ex() helper function
      * nss: parse user_attributes option
      * nss: return user_attributes in origbyname request
      * sysdb_get_user_attr_with_views: add mandatory override attributes
      * sysdb_add_overrides_to_object: add new parameter and multi-value support
      * Views: apply user SSH public key override
      * Add test for sysdb_add_overrides_to_object()
      * Add ssh pubkey to origbyname request
      * Revert "LDAP: Remove unused option ldap_user_uuid"
      * Revert "LDAP: Remove unused option ldap_group_uuid"
      * Fix uuid defaults
      * sysdb: add sysdb_search_object_by_uuid()
      * ipa: add split_ipa_anchor()
      * LDAP: add support for lookups by UUID
      * LDAP: always store UUID if available
      * ipa: add get_be_acct_req_for_uuid()
      * IPA: make get_object_from_cache() public
      * IPA: check overrides for IPA users as well
      * Enable views for all domains
      * Fix KRB5_CONF_PATH
      * AD/IPA: add krb5_confd_path configuration option
      * sysdb: add sysdb_delete_view_tree()
      * sysdb: add sysdb_invalidate_overrides()
      * views: allow view name change at startup
      * krb5: make krb5 provider view aware
      * IPA: only update view data if it really changed
      * krb5: do not fail if checking the old ccache failed
      * test: avoid leaks in leak tests
      * krb5: add copy_ccache_into_memory()
      * krb5: add copy_keytab_into_memory()
      * ldap_child: copy keytab into memory to drop privileges earlier
      * krb5_child: become user earlier
      * krb5: add wrapper for krb5_kt_have_content()
      * krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
      * IPA: verify group memberships of trusted domain users
      * IPA: do not try to add override gid twice
      * IPA: handle GID overrides for MPG domains on clients
      * libwbclient: initialize some return values
      * Add test for sysdb_store_override

Freeipa-interest mailing list