=== SSSD 1.12.4 ===

The SSSD team is proud to announce the release of version 1.12.4 of the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21, 22 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

 * This is mostly a bug fixing release with only minor enhancements visible to the end user
 * Contains many fixes and enhancements related to the ID views functionality of FreeIPA servers
 * Several fixes related to retrieving AD group membership in an IPA-AD trust scenario
 * Fixes a bug where the GPO access control previously didn't work at all if debugging was enabled in smb.conf
 * SSSD can now be pinned to a particular AD site instead of autodiscovering the site
 * A regression that caused setting the SELinux context for IPA users to fail was fixed
 * Fixed a potential crash caused by a double-free error when an SSSD service was killed by the monitor process

== Packaging Changes ==

 * Several patches that allow building the Python code in SSSD with python3 were merged

== Documentation Changes ==

 * A new option ad_site was added. When this option is set, SSSD will attempt to connect to DCs from this particular AD site instead of looking up the site via DNS
 * The ad_gpo_map_permit option now also includes the systemd-user service to avoid errors in processing of the PAM session stack

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1991
    Make return codes of basic sysdb operations consistent
https://fedorahosted.org/sssd/ticket/2203
    Write message to syslog about users with duplicated UID
https://fedorahosted.org/sssd/ticket/2376
    Investigate Kerberized NFS4 setup with the new NFS plugin
https://fedorahosted.org/sssd/ticket/2486
    [RFE] ad provider dns_discovery_domain option: kerberos discovery is not using this option
https://fedorahosted.org/sssd/ticket/2515
    sssd-ad: The man page description to enable GPO HBAC Policies are unclear
https://fedorahosted.org/sssd/ticket/2525
    Monitor SIGKILL timer issue and service restart failure
https://fedorahosted.org/sssd/ticket/2527
    sssd.conf(5) man page gives bad advice about domains parameter
https://fedorahosted.org/sssd/ticket/2531
    sssd_be crashes in nested LDAP code with a use-after-free error
https://fedorahosted.org/sssd/ticket/2542
    GPO offline processing rejects access if no applicable GPOs are find in the cache
https://fedorahosted.org/sssd/ticket/2543
    GPO code fails if no LDAP URI can be resolved
https://fedorahosted.org/sssd/ticket/2544
    GPO: libsmbclient logs to stdout by default, cluttering gpo_child output
https://fedorahosted.org/sssd/ticket/2547
    gzip: stdin: file size changed while zipping when rotating logfile
https://fedorahosted.org/sssd/ticket/2548
    Document that dyndns_iface only supports a single interface
https://fedorahosted.org/sssd/ticket/2550
    libsss_simpleifp should pull sssd-dbus
https://fedorahosted.org/sssd/ticket/2556
    add systemd-user to default gpo list
https://fedorahosted.org/sssd/ticket/2557
    pam_sss(sshd:auth): authentication failure with user from AD
https://fedorahosted.org/sssd/ticket/2559
    PAC responder is called after krb5_child switches to the user logging in
https://fedorahosted.org/sssd/ticket/2560
    Users saved throug extop don't have the originalMemberOf attribute
https://fedorahosted.org/sssd/ticket/2563
    Need to set different umask in selinux_child
https://fedorahosted.org/sssd/ticket/2564
    selinux_child needs to setuid(0) to make libselinux work as non-root
https://fedorahosted.org/sssd/ticket/2566
    Uncached SIDs cannot be resolved
https://fedorahosted.org/sssd/ticket/2567
    Same member saved as ghost and as member in IPA server mode
https://fedorahosted.org/sssd/ticket/2571
    IPA initgroups don't work correctly in non-default view
https://fedorahosted.org/sssd/ticket/2572
    [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT
https://fedorahosted.org/sssd/ticket/2586
    user_attributes missing from ifp schema

== Detailed Changelog ==

Bohuslav Kabrda (1):
 * Python3 support in SSSD

Jakub Hrozek (23):
 * Updating the version to the 1.12.4 release
 * GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()
 * TESTS: Cover sysdb_gpo.c with unit tests
 * GPO: Set libsmb debugging to stderr
 * UTIL: Allow dup-ing child pipe to a different FD
 * GPO: Don't use stdout for output in gpo_child
 * GPO: Extract server hostname after connecting
 * krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW
 * Open the PAC socket from krb5_child before dropping root
 * IPA: Use attr's dom for users, too
 * SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root
 * SELINUX: Set and reset umask when caling set_seuser from deamon code
 * LDAP: Add UUID when saving incomplete groups
 * IPA: Resolve IPA user groups' overrideDN in non-default view
 * LDAP: Rename the _res output parameter to avoid clashing with libresolv in tests
 * RESOLV: Add an internal function to read TTL from a DNS packet
 * resolv: Fix a typo
 * SELINUX: Check the return value of setuid and setgid
 * BUILD: Include python-test.py in the tarball
 * GPO: Better debugging for gpo_child's mkdir
 * LDAP: Add better DEBUG messages to the cleanup task
 * LDAP: Handle ENOENT better in the cleanup task
 * Updating translations for the 1.12.4 release

Lukas Slebodnik (11):
 * logrotate: Fix warning file size changed while zipping
 * PROXY: Fix use after free
 * pysss: Fix double free
 * MONITOR: Fix double free
 * SSSDConfig: Remove unused exception name
 * SSSDConfig: Port missing parts to python3
 * Remove strict requirements of python2
 * sbus_codegen: Port to python3
 * Add missing new lines to debug messages
 * CONFIGURE: Do not use macro AC_PROG_MKDIR_P twice
 * RESPONDERS: Warn to syslog about colliding objects

Pavel Březina (1):
 * spec: sifp requires sssd-dbus

Pavel Reichl (6):
 * GPO: add systemd-user to gpo default permit list
 * MAN: dyndns_iface supports only one interface
 * MAN: add dots as valid character in domain names
 * AD: add new option ad_site
 * AD: support for AD site override
 * MAN: amend sss_ssh_authorizedkeys

Rob Crittenden (1):
 * Add user_attributes to ifp section of API schema

Sumit Bose (24):
 * IPA: add get_be_acct_req_for_user_name()
 * IPA: resolve ghost members if a non-default view is applied
 * sysdb: fix group members with overridden names
 * IPA: ipa_resolve_user_list_send() take care of overrides
 * IPA: do not look up overrides on client with default view
 * IPA: make version check more precise
 * IPA: add missing break
 * IPA: process_members() optionally return missing members list
 * IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()
 * IPA: resolve missing members
 * IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLIST
 * krb5: fix entry order in MEMORY keytab
 * nss: make fill_orig() multi-value aware
 * nss: refactor fill_orig()
 * nss: Add original DN and memberOf to origbyname request
 * views: fix GID overrride for mpg domains
 * IPA: properly handle mixed-case trusted domains
 * nss: fix SID lookups
 * sysdb: remove ghosts in all sub-domains as well
 * IPA: resolve IPA group-memberships for AD users
 * IPA: process_members() add ghosts only once
 * ipa_s2n_save_objects: properly handle fully-qualified group names
 * AD: use GC for SID requests as well
 * fill_id() fix LE/BE issue with wrong data type