=== SSSD 1.12.4 ===

The SSSD team is proud to announce the release of version 1.12.4 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21, 22 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:

== Highlights ==

 * This is mostly a bug fixing release with only minor enhancements visible
   to the end user
 * Contains many fixes and enhancements related to the ID views functionality
   of FreeIPA servers
 * Several fixes related to retrieving AD group membership in an IPA-AD
   trust scenario
 * Fixes a bug where the GPO access control previously didn't work at all
   if debugging was enabled in smb.conf.
 * SSSD can now be pinned to a particular AD site instead of autodiscovering
   the site
 * A regression that caused setting the SELinux context for IPA users to
   fail, was fixed
 * Fixed a potential crash caused by a double-free error when an SSSD
   service was killed by the monitor process

== Packaging Changes ==

 * Several patches that allow building the Python code in SSSD with python3
   were merged

== Documentation Changes == 

 * A new option ad_site was added. When this option is set, SSSD will
   attempt to connect to DCs from this particular AD site instead of looking
   up the site via DNS
 * The ad_gpo_map_permit option now also includes the systemd-user service
   to avoid errors in processing of the PAM session stack

== Tickets Fixed ==

   Make return codes of basic sysdb operations consistent
   Write message to syslog about users with duplicated UID
   Investigate Kerberized NFS4 setup with the new NFS plugin
   [RFE] ad provider dns_discovery_domain option: kerberos discovery is not 
using this option
   sssd-ad: The man page description to enable GPO HBAC Policies are unclear
   Monitor SIGKILL timer issue and service restart failure
   sssd.conf(5) man page gives bad advice about domains parameter
   sssd_be crashes in nested LDAP code with a use-after-free error
   GPO offline processing rejects access if no applicable GPOs are find in the 
   GPO code fails if no LDAP URI can be resolved
   GPO: libsmbclient logs to stdout by default, cluttering gpo_child output
   gzip: stdin: file size changed while zipping when rotating logfile
   Document that dyndns_iface only supports a single interface
   libsss_simpleifp should pull sssd-dbus
   add systemd-user to default gpo list
   pam_sss(sshd:auth): authentication failure with user from AD
   PAC responder is called after krb5_child switches to the user logging in
   Users saved throug extop don't have the originalMemberOf attribute
   Need to set different umask in selinux_child
   selinux_child needs to setuid(0) to make libselinux work as non-root
   Uncached SIDs cannot be resolved
   Same member saved as ghost and as member in IPA server mode
   IPA initgroups don't work correctly in non-default view
   [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT
    user_attributes missing from ifp schema

== Detailed Changelog ==

Bohuslav Kabrda (1):
    * Python3 support in SSSD 

Jakub Hrozek (23):
    * Updating the version to the 1.12.4 release
    * GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()
    * TESTS: Cover sysdb_gpo.c with unit tests
    * GPO: Set libsmb debugging to stderr
    * UTIL: Allow dup-ing child pipe to a different FD
    * GPO: Don't use stdout for output in gpo_child
    * GPO: Extract server hostname after connecting
    * krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW
    * Open the PAC socket from krb5_child before dropping root
    * IPA: Use attr's dom for users, too
    * SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root
    * SELINUX: Set and reset umask when caling set_seuser from deamon code
    * LDAP: Add UUID when saving incomplete groups
    * IPA: Resolve IPA user groups' overrideDN in non-default view
    * LDAP: Rename the _res output parameter to avoid clashing with libresolv 
in tests
    * RESOLV: Add an internal function to read TTL from a DNS packet
    * resolv: Fix a typo
    * SELINUX: Check the return value of setuid and setgid
    * BUILD: Include python-test.py in the tarball
    * GPO: Better debugging for gpo_child's mkdir
    * LDAP: Add better DEBUG messages to the cleanup task
    * LDAP: Handle ENOENT better in the cleanup task
    * Updating translations for the 1.12.4 release 

Lukas Slebodnik (11):
    * logrotate: Fix warning file size changed while zipping
    * PROXY: Fix use after free
    * pysss: Fix double free
    * MONITOR: Fix double free
    * SSSDConfig: Remove unused exception name
    * SSSDConfig: Port missing parts to python3
    * Remove strict requirements of python2
    * sbus_codegen: Port to python3
    * Add missing new lines to debug messages
    * CONFIGURE: Do not use macro AC_PROG_MKDIR_P twice
    * RESPONDERS: Warn to syslog about colliding objects 

Pavel Březina (1):
    * spec: sifp requires sssd-dbus 

Pavel Reichl (6):
    * GPO: add systemd-user to gpo default permit list
    * MAN: dyndns_iface supports only one interface
    * MAN: add dots as valid character in domain names
    * AD: add new option ad_site
    * AD: support for AD site override
    * MAN: amend sss_ssh_authorizedkeys 

Rob Crittenden (1):
    * Add user_attributes to ifp section of API schema

Sumit Bose (24):
    * IPA: add get_be_acct_req_for_user_name()
    * IPA: resolve ghost members if a non-default view is applied
    * sysdb: fix group members with overridden names
    * IPA: ipa_resolve_user_list_send() take care of overrides
    * IPA: do not look up overrides on client with default view
    * IPA: make version check more precise
    * IPA: add missing break
    * IPA: process_members() optionally return missing members list
    * IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()
    * IPA: resolve missing members
    * krb5: fix entry order in MEMORY keytab
    * nss: make fill_orig() multi-value aware
    * nss: refactor fill_orig()
    * nss: Add original DN and memberOf to origbyname request
    * views: fix GID overrride for mpg domains
    * IPA: properly handle mixed-case trusted domains
    * nss: fix SID lookups
    * sysdb: remove ghosts in all sub-domains as well
    * IPA: resolve IPA group-memberships for AD users
    * IPA: process_members() add ghosts only once
    * ipa_s2n_save_objects: properly handle fully-qualified group names
    * AD: use GC for SID requests as well
    * fill_id() fix LE/BE issue with wrong data type 

Freeipa-interest mailing list

Reply via email to