=== SSSD 1.13 Alpha ===

The SSSD team is proud to announce the release of version 1.13 Alpha of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:

== Highlights ==
 * The Active Directory provider has changed the default value of the
   ad_gpo_access_control option from permissive to enforcing. As a consequence,
   the GPO access control now affects all clients that set access_provider to
   ad. In order to restore the previous behaviour, set ad_gpo_access_control
   to permissive or use a different access_provider type.
 * Group Policy objects defined in a different AD domain that the computer
   object is defined in are now supported.
 * Support for separate prompts when using two-factor authentication was added
 * Credential caching and Offline authentication are also available when
   using two-factor authentication
 * Added support for one-way trusts between an IPA and Active Directory
   environment. Please note that this SSSD functionality depends on IPA code
   that will be released in the IPA 4.2 version
 * Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users
   and groups are now exposed as first-class objects. The users and groups
   can also be marked as cached and would subsequently show up in the
   Introspection output
 * The DBus interface is now also able to look up User objects by
   certificate. This is a first part of work that will eventually allow
   smart-card authentication in SSSD.
 * The LDAP cleanup task is now disabled by default, unless enumeration
   is enabled. Please refer to the ldap_purge_cache_timeout option in case
   your environment requires the cleanup task
 * The Python bindings are now built for both Python2 and Python3
 * The LDAP bind timeout, StartTLS timeout and password change timeout
   are now configurable using the ldap_opt_timeout option

== Packaging Changes ==
 * A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa
   subpackage. The SSSD stores keytabs for one-way trust relationships in
   this directory. Downstreams should make sure that the directory is only
   readable to the user who runs the SSSD service.
 * Several packaging changes are present in this release to support the
   Python3 bindings, notably new python-sss and python-sss-murmur subpackages
   are introduced in upstream RPM packaging
 * All python bindings now have a Python3 and a Python2 version in the
   upstream RPM packaging scheme
 * The OpenSSL development library such as openssl-devel on RHEL/Fedora or
   Debian/Ubuntu? libssl-dev is now required to support certificate operations
 * A new internal library libsss_cert.so is present in this release. 

== Documentation Changes ==
 * The ad_gpo_access_control option default has changed from permissive
   to enforcing
 * The default value of ldap_purge_cache_timeout changed to 0, thus
   effectivelly disabling the cleanup task.
 * A new option cache_credentials_minimal_first_factor_length was added. This
   option sets constraints on the password length if One-Time passwords
   are used and credentials are to be cached. Please see the sssd.conf(5)
   man page for more details

== Tickets Fixed ==

    sssd should pass -d to nsupdate when running with high log level
    Make the LDAP bind operation timeout configurable
    [RFE] Expose listing calls over D-BUS
    nsupdate stderr is not captured
    The cleanup task has no DEBUG statements
    SBUS: Flush the UID cache when we receive NameOwnerChanged
    [RFE] Implement object caching on the bus
    IFP: support multiple interfaces for object
    SSSD does not update Dynamic DNS records if the IPA domain differs
    from machine hostname's domain
    In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA
    user are not able to log unless use_fully_qualified_names is set
    SSSD should be able to build python2 and python3 bindings in a one build
    [RFE] Homedir is always overwritten with subdomain_homedir value in
    server mode
    Does sssd-ad use the most suitable attribute for group name?
    Make SSSD's HBAC validation more permissive if deny rules are not used
    [bug] sssd always appends default_domain_suffix when checking for host keys
    Man sssd-ad(5) lists Group Policy Management Editor naming for some
    policies but not for all
    id_provider=proxy with auth_provider=ldap does not work reliably
    Sudo responder does not respect filter_users and filter_groups
    Disable the cleanup task by default
    RFE: Fetch keytabs for one-way trusts in IPA subdomain code
    RFE: Change ad_id_ctx instantiation in the IPA subdomain code to
    support one-way trusts
    [RFE] Support GPOs from different domain controllers
    RFE: Change AD GPO default to enforcing
    sssd with ldap backend throws error domain log

== Detailed Changelog ==

Jakub Hrozek (68):
    * MAN: Fix a typo
    * SYSDB: Reduce code duplication in sysdb_gpo.c
    * UTIL: Make two child_common.c functions static
    * TESTS: Cover child_common.c with unit tests
    * LDAP: Use child_io_destructor instead of child_cleanup in a custom 
    * UTIL: Remove child_cleanup
    * UTIL: Unify the fd_nonblocking implementation
    * RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
    * PAM: print the pam status as string, too
    * KRB5: More debugging for create_ccache()
    * SDAP: Make simple bind timeout configurable
    * SDAP: Make password change timeout configurable with ldap_opt_timeout
    * SDAP: Make StartTLS bind configurable with ldap_opt_timeout
    * SDAP: Decorate the sdap_op functions with DEBUG messages
    * IPA: Remove the ipa_hbac_treat_deny_as option
    * MAN: Clarify debug_level a bit
    * SSH: Ignore the default_domain_suffix
    * LDAP: Set sdap handle as explicitly connected in LDAP auth
    * tests: Revert strcmp condition
    * ncache: Fix sss_ncache_reset_permanent
    * ncache: Silence critical error from filter_users when 
default_domain_suffix is set
    * ncache: Add sss_ncache_reset_repopulate_permanent
    * responders: reset ncache after domains are discovered during startup
    * NSS: Reset negcache after checking domains
    * MAN: Clarify how are GPO mappings called in GPO editor
    * UTIL: Add a simple function to get the fd of debug_file
    * dyndns: Log nsupdate stderr with a high debug level
    * nsupdate: Append -d/-D to nsupdate with a high debug level
    * subdom: Remove unused function get_flat_name_from_subdomain_name
    * nss: Use negcache for getbysid requests
    * tests: Add NSS responder tests for bysid requests
    * LDAP: disable the cleanup task by default
    * TESTS: Use the right testcase
    * TESTS: Add test for get_next_domain
    * LDAP: Do not print verbose DEBUG messages from providers that don't set 
    * SYSDB: Store trust direction for subdomains
    * UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
    * TESTS: Add a test for sysdb_subdomains.c
    * SYSDB: Add realm to sysdb_master_domain_add_info
    * SYSDB: Add a forest root attribute to sss_domain_info
    * IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
    * IPA: Check master domain record before subdomain records
    * IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
    * IPA: Also update master domain when initializing subdom handler
    * IPA: Move server-mode functions to a separate module
    * IPA: Split two functions to new module ipa_subdomains_utils.c
    * IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
    * IPA: Read forest name for trusted forest roots as well
    * IPA: Make constructing an IPA server mode context async
    * TESTS: Split off keytab creation into a common module
    * TESTS: Add a common mock_be_ctx function
    * TESTS: Add a common function to set up sdap_id_ctx
    * TESTS: Move krb5_try_kdcip to nested group test
    * TESTS: Add unit test for the subdomain_server.c module
    * IPA: Fetch keytab for 1way trusts
    * AD: Rename ad_set_ad_id_options to ad_set_sdap_options
    * AD: Rename ad_create_default_options to ad_create_2way_trust_options
    * AD: Split off ad_create_default_options
    * IPA/AD: Set up AD domain in ad_create_2way_trust_options
    * IPA: Do not set AD_KRB5_REALM twice
    * AD: Add ad_create_1way_trust_options
    * IPA: Utility function for setting up one-way trust context
    * LDAP: Do not set keytab through environment variable
    * LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
    * CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss
    * BUILD: Store keytabs in /var/lib/sss/keytabs
    * Updating the translations for the 1.13 Alpha release
    * Updating the version.m4 file for the 1.13 Beta release 

John Dickerson (1):
    * MAN: Amend the description of ignore_group_members 

Lukas Slebodnik (59):
    * MAN: Remove indentation in element programlistening
    * Fix warning: for loop has empty body
    * Bump version to track 1.13 development
    * SPEC: Use libnl3 for epel6
    * MAKE: Don't include autoconf generated file to tarball
    * TESTS: Mock return value of sdap_get_generic_recv
    * test_nested_groups: Additional unit tests
    * Fix warning: equality comparison with extraneous parentheses
    * LDAP: Conditional jump depends on uninitialised value
    * BUILD: Remove unused libraries for pysss.so
    * BUILD: Remove unused variables
    * BUILD: Remove detection of type Py_ssize_t
    * UTIL: Remove python wrapper sss_python_set_new
    * UTIL: Remove python wrapper sss_python_set_add
    * UTIL: Remove python wrapper sss_python_set_check
    * UTIL: Remove compatibility macro PyModule_AddIntMacro
    * UTIL: Remove python wrapper sss_python_unicode_from_string
    * BUILD: Use python-config for detection *FLAGS
    * SPEC: Use new convention for python packages
    * SPEC: Move python bindings to separate packages
    * BUILD: Add possibility to build python{2,3} bindings
    * TESTS: Run python tests with all supported python versions
    * SPEC: Replace python_ macros with python2_
    * SPEC: Build python3 bindings on available platforms
    * BUILD: Uninstall also symbolic links to python bindings
    * Remove unused argument from be_nsupdate_create_fwd_msg
    * IPA: Remove unused argument from ipa_id_get_group_uuids
    * Remove useless assignment to function parameter
    * PAC: Fix memory leak
    * responder_cache: Fix warning may be used uninitialized
    * debug-tests: Fix test with new line in debug message
    * BUILD: Add missing header file to tarball
    * pam_client: fix casting to const pointer
    * test_expire: Use right assertion macro for standard functions
    * test_ldap_auth: Use right assertion for integer comparison
    * test_resolv_fake: Fix alignment warning
    * PAC: Remove unused function
    * KRB5: Unify prototype and definition
    * util-tests: Initialize boolean variable to default value
    * SPEC: Drop workaround for old libtool
    * SPEC: Drop workarounds for old rpmbuild
    * SPEC: Remove unused option
    * SPEC: Few cosmetic changes
    * simple_access-tests: Simplify assertion
    * sysdb-tests: Add missing assertions
    * sysdb-tests: test return value before output arguments
    * ad_opts: Use different default attribute for group name
    * BUILD: Write hints about optional python bindings
    * sss_client: Fix mixed enums
    * LDAP: Remove dead assignment
    * sss_client: Fix warning "_" redefined
    * SSSDConfigTest: Use unique temporary directory
    * util-tests: Add validation of internal error messages
    * SDAP: Check return value before using output arguments
    * SDAP: Log failure from sysdb_handle_original_uuid
    * test_ipa_subdomains_server: Run clean-up after success
    * IFP: Fix warnings with enabled optimisation
    * SDAP: Remove user from cache for missing user in LDAP
    * test_ipa_subdom_server: Add missing assert 

Michal Zidek (2):
    * Use FQDN if default domain was set
    * MAN: default_domain_suffix with use_fully_qualified_names. 

Nikolai Kondrashov (3):
    * BUILD: Add AM_PYTHON2_MODULE macro
    * Add integration tests
    * BUILD: Fix variable substitution in cwrap.m4 

Pavel Březina (53):
    * tests: refactor create_dom_test_ctx()
    * tests: add create_multidom_test_ctx()
    * tests: add test_multidom_suite_cleanup()
    * tests: remove code duplication in single domain cleanup
    * responders: new interface for cache request
    * responders: enable views in cache request
    * IFP: use new cache interface
    * server-tests: use strtouint32 instead strtol
    * sbus: add new iface via sbus_conn_register_iface()
    * sbus: move iface and object path code to separate file
    * sbus: use 'path/*' to represent a D-Bus fallback
    * sbus: support multiple interfaces on single path
    * sbus: add object path to sbus request
    * sbus: add sbus_opath_hash_lookup_supported()
    * sbus: support org.freedesktop.DBus.Introspectable
    * sbus: support org.freedesktop.DBus.Properties
    * sbus: unify naming of handler data variable
    * sbus: move common opath functions from ifp to sbus code
    * sbus: add sbus_opath_get_object_name()
    * ifp: fix potential memory leak in check_and_get_component_from_path()
    * sbus: use hard coded getters instead of generated
    * sbus: remove unused 'reply as' functions
    * IFP: move interface definitions from ifpsrv.c into separate file
    * IFP: unify generated interfaces names
    * sbus codegen: do not prefix getters with iface name
    * IFP: simplify object path constant names
    * sbus: add constant to represent subtree
    * be_refresh: get rid of callback pointers
    * sysdb: use sysdb_user/group_dn
    * cache_req tests: rename test_user to test_user_by_name
    * cache_req tests: define user name constant
    * cache_req: preparations for different input type
    * cache_req: add support for user by uid
    * cache_req: add support for group by name
    * cache_req: remove default branch from switches
    * cache_req: add support for group by id
    * cmocka: include mock_parse_inp in header file
    * cache_req: parse input name if needed
    * cache_req: return ERR_INTERNAL if more than one entry is found
    * sbus: provide custom error names
    * sbus: add sbus_opath_decompose[_exact]
    * sbus: add a{sas} get invoker
    * IFP: add org.freedesktop.sssd.infopipe.Users
    * IFP: add org.freedesktop.sssd.infopipe.Users.User
    * IFP: add org.freedesktop.sssd.infopipe.Groups
    * IFP: add org.freedesktop.sssd.infopipe.Groups.Group
    * IFP: deprecate GetUserAttr?
    * IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
    * SBUS: Use default GetAll? invoker if none is set
    * SBUS: Add support for <node /> in introspection
    * IFP: Export nodes
    * sbus: add support for incoming signals
    * sbus: listen to NameOwnerChanged? 

Pavel Reichl (17):
    * add missing '\n' in debug messages
    * PROXY: add missing space in debug message
    * BUILD: fix chmake not to generate warning
    * SDAP: log expired accounts at lower severity level
    * KRB5: add debug hint
    * TESTS: test expiration
    * ldap: refactor check_pwexpire_kerberos to use util func
    * ldap: refactor nds_check_expired to use util func
    * Fix a few typos in comments
    * sbus: sbus_opath_hash_add_iface free tmp talloc ctx
    * krb5: remove field run_as_user
    * localauth plugin: fix coverity warning
    * dyndns: remove dupl declaration of ipa_dyndns_update
    * dyndns: don't pass zone directive to nsupdate
    * dyndns: ipa_dyndns.h missed declaration of used data
    * krb: remove duplicit decl. of write_krb5info_file
    * IPA: Don't override homedir with subdomain_homedir 

Stephen Gallagher (4):
    * LDAP: Support returning referral information
    * AD GPO: Support processing referrals
    * AD GPO: Change default to "enforcing"
    * Add Vagrant configuration for SSSD 

Sumit Bose (22):
    * Add leak check and command line option to test_authtok
    * utils: add sss_authtok_[gs]et_2fa
    * pam: handle 2FA authentication token in the responder
    * Add pre-auth request
    * krb5-child: add preauth and split 2fa token support
    * IPA: create preauth indicator file at startup
    * pam_sss: add pre-auth and 2fa support
    * Add cache_credentials_minimal_first_factor_length config option
    * sysdb: add sysdb_cache_password_ex()
    * krb5: save hash of the first authentication factor to the cache
    * krb5: try delayed online authentication only for single factor auth
    * 2FA offline auth
    * pam_sss: move message encoding into separate file
    * PAM: add PAM responder unit test
    * adding ldap_user_auth_type where missing
    * LDAP: add ldap_user_certificate option
    * certs: add PEM/DER conversion utilities
    * sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
    * LDAP/IPA: add user lookup by certificate
    * ncache: add calls for certificate based searches
    * utils: add get_last_x_chars()
    * IFP: add FindByCertificate? method for User objects 

Freeipa-interest mailing list

Reply via email to