=== SSSD 1.12.5 ===

The SSSD team is proud to announce the release of version 1.12.5 of the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21, 22 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* This release adds several new enhancements and fixes many bugs
* Notable new enhancements:
  * The background refresh task now supports refreshing users and groups as well. Please see the description of the `refresh_expired_interval` parameter in the `sssd.conf` man page.
  * A new option subdomain_inherit was added. Options listed in subdomain_inherit also apply to trusted domains, if supported. This release supports inheriting ignore_group_members, ldap_purge_cache_timeout, ldap_use_tokengroups and ldap_user_principal.
  * When an expired account attempts to log in, a configurable error message can be displayed, given a sufficient pam_verbosity setting. Please see the description of the pam_account_expired_message option for more information.
  * OpenLDAP ppolicy can be honored even when an alternate login method (such as an SSH key) is used. Please see the description of the new ppolicy value of the ldap_access_order option.
  * A new option krb5_map_user was added. This option allows the admin to map UNIX usernames to Kerberos principals. It is mostly useful for setups that wish to keep using UNIX file-based identities together with SSSD Kerberos authentication.
* The important bug fixes include:
  * Several AD-specific bugs that resulted in an incorrect set of groups being returned by the initgroups operation were fixed
  * Many fixes related to the IPA ID views feature are included. Setups using the ID views feature should update the SSSD instance on both IPA servers and clients.
  * The AD provider now handles binary GUIDs correctly. This bug manifested with an error message saying "ldb_modify failed: Invalid attribute syntax".
  * The AD provider no longer downloads full group objects during an initgroups request if POSIX attributes are used. This fix may speed up login times significantly.
  * A bug that prevented the `ignore_group_members` parameter from being used with the AD provider was fixed
  * The failover code now reads and honors the TTL value for SRV queries as well. Previously, SRV queries used a hardcoded timeout
  * The SELinux context setup during login with the IPA provider is now only performed if the context has changed. This fixes a performance regression with the IPA provider.
  * A race condition between setting the timeout in the back ends and reading it in the front end during the initgroups operation was fixed. This bug affected applications that perform the `initgroups(3)` operation in multiple processes simultaneously.
  * Setups that use only the domain SSSD is connected to and disable the autodiscovered trusted domains by setting `subdomains_provider=none` now work correctly, as long as the domain SID is set manually in the config file
  * In case only allow rules are used, the simple access provider is now able to skip unresolvable groups.
  * The GPO access control code now handles situations where the user and computer objects are in different domains. Previously, an attempt to log in as a user from a different domain than the computer's always resulted in login failure.

== Packaging Changes ==

* The cmocka unit tests now require cmocka version 1.0 or later
* The libsss_krb5_common.so library has been moved to the sssd-common subpackage to avoid ordering issues between libsss_krb5_common and libsss_ldap_common
* The proxy_child helper binary was marked as setuid in order for the proxy provider to work without root privileges.

== Documentation Changes ==

* A new option subdomain_inherit was added. See the highlights section for more details.
* A new option krb5_map_user was added. See the highlights section for more details.
* The ldap_access_order option accepts the new value ppolicy.
* The account expiration message can be customized using the new option pam_account_expired_message

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1884
    [RFE] Read and use the TTL value when resolving a SRV query
https://fedorahosted.org/sssd/ticket/2050
    ssh login reject is abrupt
https://fedorahosted.org/sssd/ticket/2167
    [RFE] Allow SSSD to issue shadow expiration warning even if alternate authentication method is used
https://fedorahosted.org/sssd/ticket/2346
    [RFE] Implement background refresh for users and groups
https://fedorahosted.org/sssd/ticket/2444
    extop request marks dp_req as failed when an entry is not found
https://fedorahosted.org/sssd/ticket/2507
    Cyclic dependencies between sssd-ldap and krb5-common
https://fedorahosted.org/sssd/ticket/2509
    RFE: Handle setups with id_provider=proxy and auth_provider=krb5 better
https://fedorahosted.org/sssd/ticket/2513
    Add a hint on using DEBUG levels to the troubleshooting page
https://fedorahosted.org/sssd/ticket/2528
    Document that libkrb5 and sssd use different expansion templates for principals
https://fedorahosted.org/sssd/ticket/2534
    [RFE] Lock out ssh keys when account naturally expires
https://fedorahosted.org/sssd/ticket/2587
    With empty ipaselinuxusermapdefault security context on client is staff_u
https://fedorahosted.org/sssd/ticket/2588
    Properly handle AD's binary objectGUID
https://fedorahosted.org/sssd/ticket/2591
    sssd nss bug update vs create cache
https://fedorahosted.org/sssd/ticket/2592
    ccname_file_dummy is not unlinked on error
https://fedorahosted.org/sssd/ticket/2598
    sssd_nss segfaults if initgroups request is by UPN and doesn't find anything
https://fedorahosted.org/sssd/ticket/2601
    SSSD downloads too much information when fetching information about groups
https://fedorahosted.org/sssd/ticket/2604
    sssd_be segfault on IPA (when auth with AD trusted domain) client at src/providers/ipa/ipa_s2n_exop.c:1605
https://fedorahosted.org/sssd/ticket/2606
    GPO access control looks for computer object in user's domain only
https://fedorahosted.org/sssd/ticket/2608
    sssd crashes intermittently
https://fedorahosted.org/sssd/ticket/2611
    sssd_be dumping core if enumeration times out
https://fedorahosted.org/sssd/ticket/2612
    ldap_access_order=ppolicy: Explicitly mention in manpage that unsupported time specification will lead to sssd denying access
https://fedorahosted.org/sssd/ticket/2613
    sysdb sudo search doesn't escape special characters
https://fedorahosted.org/sssd/ticket/2614
    id lookup resolves "Domain Local" group and errors appear in domain log
https://fedorahosted.org/sssd/ticket/2624
    Only set the selinux context if the context differs from the local one
https://fedorahosted.org/sssd/ticket/2629
    sssd_be segfault id_provider = ad src/providers/ad/ad_gpo.c:843
https://fedorahosted.org/sssd/ticket/2630
    Overrides with --login work in second attempt
https://fedorahosted.org/sssd/ticket/2631
    idoverridegroup for ipa group with --group-name does not work
https://fedorahosted.org/sssd/ticket/2632
    Override with --login fails trusted adusers group membership resolution
https://fedorahosted.org/sssd/ticket/2633
    Group resolution is inconsistent with group overrides
https://fedorahosted.org/sssd/ticket/2634
    sssd nss responder gets wrong number of secondary groups
https://fedorahosted.org/sssd/ticket/2635
    ID mapping does not work with disabled subdomains
https://fedorahosted.org/sssd/ticket/2642
    Override for IPA users with login does not list all user groups
https://fedorahosted.org/sssd/ticket/2643
    autofs provider fails when default_domain_suffix and use_fully_qualified_names set
https://fedorahosted.org/sssd/ticket/2644
    ignore_group_members doesn't work for subdomains
https://fedorahosted.org/sssd/ticket/2646
    Disappeared groups with ad providers and enabled ignore_group_members
https://fedorahosted.org/sssd/ticket/2647
    external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf
https://fedorahosted.org/sssd/ticket/2649
    /usr/libexec/sssd/selinux_child crashes and gets avc denial when ssh
https://fedorahosted.org/sssd/ticket/2650
    Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
https://fedorahosted.org/sssd/ticket/2654
    sssd_be crashed if initialisation of proxy_child failed
https://fedorahosted.org/sssd/ticket/2655
    proxy provider does not work in non-root mode
https://fedorahosted.org/sssd/ticket/2659
    IPA enumeration provider crashes
https://fedorahosted.org/sssd/ticket/2663
    id lookup for non-root domain users doesn't return all groups on first attempt

== Detailed changelog ==

Adam Tkac (1):
* Option filter_users had no effect for retrieving sudo rules

Aron Parsons (2):
* IPA: fix segfault in ipa_s2n_exop
* autofs: fix 'Cannot allocate memory' with FQDNs

Daniel Hjorth (1):
* LDAP: unlink ccname_file_dummy if there is an error

Jakub Hrozek (34):
* Updating the version for the 1.12.5 release
* resolv: Use the same default timeout for SRV queries as previously
* FO: Use SRV TTL in fail over code
* selinux: Delete existing user mapping on empty default
* NSS: Handle ENOENT when doing initgroups by UPN
* selinux: Handle setup with empty default and no configured rules
* tests: convert all unit tests to cmocka 1.0 or later
* RPM: BuildRequire libcmocka >= 1.0
* build: Only run cmocka tests if cmocka 1.0 or newer is available
* Resolv: re-read SRV query every time if its TTL is 0
* IPA: Use custom error codes when validating HBAC rules
* IPA: Drop useless sysdb parameter
* IPA: Only treat malformed HBAC rules as fatal if deny rules are enabled
* IPA: Deprecate the ipa_hbac_treat_deny_as option
* selinux: Disconnect before closing the handle
* selinux: Begin and end the transaction on the same nesting level
* selinux: Only call semanage if the context actually changes
* tests: Use cmocka-1.0+ API in test_sysdb_utils
* sysdb: Add cache_expire to the default sysdb_search_object_by_str_attr set
* SELINUX: Avoid disconnecting disconnected handle
* LDAP: return after tevent_req_error
* MAN: refresh_expired_interval also supports users and groups
* tests: ncache_hit must be an int to test UPNs
* tests: Add a getpwnam-by-UPN test
* Add unit tests for initgroups
* Download complete groups if ignore_group_members is set with tokengroups
* DP: Set extra_value to NULL for enum requests
* Skip enumeration requests in IPA and AD providers as well
* confdb: Add new option subdomain_inherit
* DP: Add a function to inherit DP options, if set
* SDAP: Add sdap_copy_map_entry
* UTIL: Inherit ignore_group_members
* subdomains: Inherit cleanup period and tokengroup settings from parent domain
* Updating translations for the 1.12.5 release

Lukas Slebodnik (19):
* Log reason in debug message why ldb_modify failed
* ipa_selinux: Fix warning may be used uninitialized
* memberof: Do not create request with 0 attribute values
* CLIENT: Clear errno with enabled sss-default-nss-plugin
* GPO: Check return value of ad_gpo_store_policy_settings
* SDAP: Do not set gid 0 twice
* SDAP: Extract filtering AD group to function
* SDAP: Filter ad groups in initgroups
* GPO: Do not ignore missing attrs for GPOs
* sss_nss_idmap-tests: Use different prepared buffers for big endian
* SDAP: Fix id mapping with disabled subdomains
* SPEC: Fix cyclic dependencies between sssd-{krb5,}-common
* negcache: Soften condition for expired entries
* test_nss_srv: Use right function for storing time_t
* nss: Do not ignore default value of SYSDB_INITGR_EXPIRE
* SDAP: Set initgroups expire attribute at the end
* SDAP: Remove unnecessary argument from sdap_save_user
* PROXY: proxy_child should work in non-root mode
* PROXY: Do not register signal with SA_SIGINFO

Michal Zidek (2):
* DEBUG: Add missing strings for error messages
* test: Check ERR_LAST

Pavel Březina (8):
* be_refresh: refresh all domains in backend
* sdap_handle_acct_req_send: remove be_req
* be_refresh: refactor netgroups refresh
* be_refresh: add sdap_refresh_init
* be_refresh: support users
* be_refresh: support groups
* enumeration: fix talloc context
* sudo: sanitize filter values

Pavel Reichl (18):
* PAM: do not reject abruptly
* PAM: new option pam_account_expired_message
* PAM: warn all services about account expiration
* PAM: check return value of confdb_get_string
* SDAP: refactor pwexpire policy
* SDAP: enable change phase of pw expire policy check
* UTIL: convert GeneralizedTime to unix time
* SDAP: Lock out ssh keys when account naturally expires
* SDAP: fix minor neglect in is_account_locked()
* ldap_child: fix coverity warning
* MAN: libkrb5 and SSSD use different expansions
* IPA: set EINVAL if dn can't be linearized
* LDAP: remove unused code
* LDAP: fix a typo in debug message
* MAN: Update ppolicy description
* simple-access-provider: make user grp res more robust
* LDAP: warn about lockout option being deprecated
* krb5: new option krb5_map_user

Stephen Gallagher (3):
* AD: Clean up ad_access_gpo
* AD: Always get domain-specific ID connection
* AD GPO: Always look up GPOs from machine domain

Sumit Bose (25):
* ldap_child: initialized ccname_file_dummy
* PAM: use the logon_name as the key for the PAM initgr cache
* pam_initgr_check_timeout: add debug output
* ipa: do not treat missing sub-domain users as error
* ipa: make sure extdom expo data is available
* LDAP/AD: do not resolve group members during tokenGroups request
* IPA idviews: check if view name is set
* IPA: make sure output variable is set
* GPO: error out instead of leaving array element uninitialized
* sdap: properly handle binary objectGuid attribute
* IPA: do not try to save override data for the default view
* IPA: use sysdb_attrs_add_string_safe to add group member
* IPA: check ghosts in groups found by uuid as well
* IPA: allow initgroups by SID for AD users
* IPA: do initgroups if extdom exop supports it
* IPA: update initgr expire timestamp conditionally
* IPA: enhance ipa_initgr_get_overrides_send()
* IPA: search for overrides during initgroups in server mode
* IPA: do not add domain name unconditionally
* NSS: check for overrides before calling backend
* IPA: allow initgroups by UUID for FreeIPA users
* SDAP: use DN to update entry
* IPA: do not fail if view name lookup failed on older versions
* libwbclient-sssd: update interface to version 0.12
* ldap: use proper sysdb name in groups_by_user_done()

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest
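As an illustration of how the options introduced in the Highlights section above are written, here is a constructed sssd.conf fragment. It is added here and is not part of the release announcement or of the SSSD project's own documentation; the host names, realm, search base, user mappings and the pam_verbosity threshold are assumptions, so check the option syntax against the sssd.conf(5) man page of the installed version.

```ini
# Constructed example, not from the SSSD project; every name below is a placeholder.
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com, people.example.com, localusers

[pam]
# pam_account_expired_message is shown only with a sufficient pam_verbosity
# (3 assumed here; check sssd.conf(5) for the threshold in your version).
pam_verbosity = 3
pam_account_expired_message = Your account has expired, please contact the helpdesk

# AD-joined domain: background refresh now covers users and groups, and the
# listed options are inherited by autodiscovered trusted domains.
[domain/corp.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = corp.example.com
# Refresh expired cached entries (users and groups included) once an hour.
refresh_expired_interval = 3600
ignore_group_members = true
ldap_use_tokengroups = true
subdomain_inherit = ignore_group_members, ldap_use_tokengroups

# OpenLDAP domain: enforce the server-side ppolicy state (locked / expired)
# even when the login uses an SSH key instead of a password.
[domain/people.example.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.people.example.com
ldap_search_base = dc=people,dc=example,dc=com
ldap_access_order = ppolicy

# File-based UNIX identities via the proxy provider, Kerberos authentication,
# with local user names mapped to the user part of the Kerberos principal.
[domain/localusers]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = kdc.corp.example.com
krb5_realm = CORP.EXAMPLE.COM
# Assumed syntax: comma-separated "unixname:principal_user_part" pairs.
krb5_map_user = jdoe:john.doe, svcbackup:backup
```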