=== SSSD 1.12.5 ===

The SSSD team is proud to announce the release of version 1.12.5 of
the System Security Services Daemon.

== Highlights ==
 * This release adds several new enhancements and fixes many bugs
 * Notable new enhancements:
    * The background refresh task now supports refreshing users and groups
      as well. Please see the description of the `refresh_expired_interval`
      parameter in the `sssd.conf` man page.
    * A new option subdomain_inherit was added. Options included in
      the subdomain_inherit option also apply for trusted domains, if
      supported. This release supports inheriting ignore_group_members,
      ldap_purge_cache_timeout, ldap_use_tokengroups and
    * When an expired account attempts to log in, a configurable error
      message can be displayed with sufficient pam_verbosity setting. Please
      see the description of the pam_account_expired_message option for
      more information.
    * OpenLDAP ppolicy can be honored even when an alternate login method
      (such as SSH key) is used. Please see the description of the new
      ppolicy value of the ldap_access_order option.
    * A new option krb5_map_user was added. This option allows the admin
      to map UNIX usernames to Kerberos principals. The option is mostly
      useful for setups that wish to keep using UNIX file-based identities
      together with SSSD Kerberos authentication.
 * The important bug fixes include:
    * Several AD-specific bugs that resulted in the incorrect set of groups
      being displayed after the initgroups operation were fixed
    * Many fixes related to the IPA ID views feature are included. Setups
      using the ID views feature should update the SSSD instance on both
      IPA servers and clients.
    * The AD provider now handles binary GUIDs correctly. This bug
      manifested as the error message `ldb_modify failed: Invalid
      attribute syntax`.
    * The AD provider no longer downloads full group objects during
      initgroups requests if POSIX attributes are used. This fix may speed
      up login times significantly.
    * A bug that prevented the `ignore_group_members` parameter from being
      used with the AD provider was fixed.
    * The failover code now reads and honors the TTL value of SRV query
      results as well. Previously, SRV query results were cached for a
      hardcoded timeout.
    * The SELinux context setup performed during login with the IPA provider
      is now only run if the context has actually changed. This fixes a
      performance regression with the IPA provider.
    * Race condition between setting the timeout in the back ends and
      reading it in the front end during initgroup operation was fixed. This
      bug affected applications that perform the `initgroups(3)` operation
      in multiple processes simultaneously.
    * Setups that only want to use the domain SSSD is connected to, and not
      the autodiscovered trusted domains (`subdomains_provider=none`), now
      work correctly as long as the domain SID is set manually in the config
      file.
    * When only allow rules are used, the simple access provider is now able
      to skip groups it cannot resolve.
    * The GPO access control code now handles the case where the user and
      computer objects are in different domains. Previously, an attempt to
      log in as a user from a different domain than the computer's always
      resulted in a login failure.

== Packaging Changes ==
 * The cmocka unit tests now require cmocka version 1.0 or later
 * The libsss_krb5_common.so library has been moved to the sssd-common
   subpackage to avoid ordering issues between libsss_krb5_common and
 * The proxy_child helper binary was marked as setuid in order for the
   proxy provider to work without root privileges.

== Documentation Changes ==
 * A new option subdomain_inherit was added. See the highlights section
   for more details.
 * A new option krb5_map_user was added. See the highlights section for
   more details.
 * The ldap_access_order option accepts new value ppolicy.
 * The account expiration message can be customized using the new
   pam_account_expired_message option. See the highlights section for
   more details.

== Tickets Fixed ==
    [RFE] Read and use the TTL value when resolving a SRV query
    ssh login reject is abrupt
    [RFE] Allow SSSD to issue shadow expiration warning even if alternate
    authentication method is used
    [RFE] Implement background refresh for users and groups
    extop request marks dp_req as failed when an entry is not found
    Cyclic dependencies between sssd-ldap and krb5-common
    RFE: Handle setups with id_provider=proxy and auth_provider=krb5 better
    Add a hint on using DEBUG levels to the troubleshooting page
    Document that libkrb5 and sssd use different expansion templates
    for principals
    [RFE] Lock out ssh keys when account naturally expires
    With empty ipaselinuxusermapdefault security context on client is staff_u
    Properly handle AD's binary objectGUID
    sssd nss bug update vs create cache
    ccname_file_dummy is not unlinked on error
    sssd_nss segfaults if initgroups request is by UPN and doesn't find
    SSSD downloads too much information when fetching information about groups
    sssd_be segfault on IPA(when auth with AD trusted domain) client at
    GPO access control looks for computer object in user's domain only
    sssd crashes intermittently
    sssd_be dumping core if enumeration times out
    ldap_access_order=ppolicy: Explicitly mention in manpage that unsupported
    time specification will lead to sssd denying access
    sysdb sudo search doesn't escape special characters
    id lookup resolves "Domain Local" group and errors appear in domain log
    Only set the selinux context if the context differs from the local one
    sssd_be segfault id_provider = ad src/providers/ad/ad_gpo.c:843
    Overrides with --login work in second attempt
    idoverridegroup for ipa group with --group-name does not work
    Override with --login fails trusted adusers group membership resolution
    Group resolution is inconsistent with group overrides
    sssd nss responder gets wrong number of secondary groups
    ID mapping does not work with disabled subdomains
    Override for IPA users with login does not list user all groups
    autofs provider fails when default_domain_suffix and
    use_fully_qualified_names set
    ignore_group_members doesn't work for subdomains
    Disappeared groups with ad providers and enabled ignore_group_members
    external users do not resolve with "default_domain_suffix" set in IPA
    server sssd.conf
    /usr/libexec/sssd/selinux_child crashes and gets avc denial when ssh
    Unable to resolve group memberships for AD users when using
    sssd-1.12.2-58.el7_1.6.x86_64 client in combination with
    ipa-server-3.0.0-42.el6.x86_64 with AD Trust
    sssd_be crashed if initialisation of proxy_child failed
    proxy provider does not work in non-root mode
    IPA enumeration provider crashes
    id lookup for non-root domain users doesn't return all groups on
    first attempt

== Detailed changelog ==
Adam Tkac (1):
      * Option filter_users had no effect for retrieving sudo rules

Aron Parsons (2):
      * IPA: fix segfault in ipa_s2n_exop
      * autofs: fix 'Cannot allocate memory' with FQDNs

Daniel Hjorth (1):
      * LDAP: unlink ccname_file_dummy if there is an error

Jakub Hrozek (34):
      * Updating the version for the 1.12.5 release
      * resolv: Use the same default timeout for SRV queries as previously
      * FO: Use SRV TTL in fail over code
      * selinux: Delete existing user mapping on empty default
      * NSS: Handle ENOENT when doing initgroups by UPN
      * selinux: Handle setup with empty default and no configured rules
      * tests: convert all unit tests to cmocka 1.0 or later
      * RPM: BuildRequire libcmocka >= 1.0
      * build: Only run cmocka tests if cmocka 1.0 or newer is available
      * Resolv: re-read SRV query every time if its TTL is 0
      * IPA: Use custom error codes when validating HBAC rules
      * IPA: Drop useless sysdb parameter
      * IPA: Only treat malformed HBAC rules as fatal if deny rules are enabled
      * IPA: Deprecate the ipa_hbac_treat_deny_as option
      * selinux: Disconnect before closing the handle
      * selinux: Begin and end the transaction on the same nesting level
      * selinux: Only call semanage if the context actually changes
      * tests: Use cmocka-1.0+ API in test_sysdb_utils
      * sysdb: Add cache_expire to the default
        sysdb_search_object_by_str_attr set
      * SELINUX: Avoid disconnecting disconnected handle
      * LDAP: return after tevent_req_error
      * MAN: refresh_expired_interval also supports users and groups
      * tests: ncache_hit must be an int to test UPNs
      * tests: Add a getpwnam-by-UPN test
      * Add unit tests for initgroups
      * Download complete groups if ignore_group_members is set with
      * DP: Set extra_value to NULL for enum requests
      * Skip enumeration requests in IPA and AD providers as well
      * confdb: Add new option subdomain_inherit
      * DP: Add a function to inherit DP options, if set
      * SDAP: Add sdap_copy_map_entry
      * UTIL: Inherit ignore_group_members
      * subdomains: Inherit cleanup period and tokengroup settings from
        parent domain
      * Updating translations for the 1.12.5 release

Lukas Slebodnik (19):
      * Log reason in debug message why ldb_modify failed
      * ipa_selinux: Fix warning may be used uninitialized
      * memberof: Do not create request with 0 attribute values
      * CLIENT: Clear errno with enabled sss-default-nss-plugin
      * GPO: Check return value of ad_gpo_store_policy_settings
      * SDAP: Do not set gid 0 twice
      * SDAP: Extract filtering AD group to function
      * SDAP: Filter ad groups in initgroups
      * GPO: Do not ignore missing attrs for GPOs
      * sss_nss_idmap-tests: Use different prepared buffers for big endian
      * SDAP: Fix id mapping with disabled subdomains
      * SPEC: Fix cyclic dependencies between sssd-{krb5,}-common
      * negcache: Soften condition for expired entries
      * test_nss_srv: Use right function for storing time_t
      * nss: Do not ignore default value of SYSDB_INITGR_EXPIRE
      * SDAP: Set initgroups expire attribute at the end
      * SDAP: Remove unnecessary argument from sdap_save_user
      * PROXY: proxy_child should work in non-root mode
      * PROXY: Do not register signal with SA_SIGINFO

Michal Zidek (2):
      * DEBUG: Add missing strings for error messages
      * test: Check ERR_LAST

Pavel Březina (8):
      * be_refresh: refresh all domains in backend
      * sdap_handle_acct_req_send: remove be_req
      * be_refresh: refactor netgroups refresh
      * be_refresh: add sdap_refresh_init
      * be_refresh: support users
      * be_refresh: support groups
      * enumeration: fix talloc context
      * sudo: sanitize filter values

Pavel Reichl (18):
      * PAM: do not reject abruptly
      * PAM: new option pam_account_expired_message
      * PAM: warn all services about account expiration
      * PAM: check return value of confdb_get_string
      * SDAP: refactor pwexpire policy
      * SDAP: enable change phase of pw expire policy check
      * UTIL: convert GeneralizedTime to unix time
      * SDAP: Lock out ssh keys when account naturally expires
      * SDAP: fix minor neglect in is_account_locked()
      * ldap_child: fix coverity warning
      * MAN: libkrb5 and SSSD use different expansions
      * IPA: set EINVAL if dn can't be linearized
      * LDAP: remove unused code
      * LDAP: fix a typo in debug message
      * MAN: Update ppolicy description
      * simple-access-provider: make user grp res more robust
      * LDAP: warn about lockout option being deprecated
      * krb5: new option krb5_map_user

Stephen Gallagher (3):
      * AD: Clean up ad_access_gpo
      * AD: Always get domain-specific ID connection
      * AD GPO: Always look up GPOs from machine domain

Sumit Bose (25):
      * ldap_child: initialized ccname_file_dummy
      * PAM: use the logon_name as the key for the PAM initgr cache
      * pam_initgr_check_timeout: add debug output
      * ipa: do not treat missing sub-domain users as error
      * ipa: make sure extdom expo data is available
      * LDAP/AD: do not resolve group members during tokenGroups request
      * IPA idviews: check if view name is set
      * IPA: make sure output variable is set
      * GPO: error out instead of leaving array element uninitialized
      * sdap: properly handle binary objectGuid attribute
      * IPA: do not try to save override data for the default view
      * IPA: use sysdb_attrs_add_string_safe to add group member
      * IPA: check ghosts in groups found by uuid as well
      * IPA: allow initgroups by SID for AD users
      * IPA: do initgroups if extdom exop supports it
      * IPA: update initgr expire timestamp conditionally
      * IPA: enhance ipa_initgr_get_overrides_send()
      * IPA: search for overrides during initgroups in server mode
      * IPA: do not add domain name unconditionally
      * NSS: check for overrides before calling backend
      * IPA: allow initgroups by UUID for FreeIPA users
      * SDAP: use DN to update entry
      * IPA: do not fail if view name lookup failed on older versions
      * libwbclient-sssd: update interface to version 0.12
      * ldap: use proper sysdb name in groups_by_user_done()

