== SSSD 1.13.1 ==

The SSSD team is proud to announce the release of version 1.13.1 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists.

== Highlights ==
  * Initial support for Smart Card authentication was added. The feature
    can be activated with the new pam_cert_auth option
  * The PAM prompting was enhanced so that when Two-Factor Authentication
    is used, both factors (password and token) can be entered at separate
    prompts. At the same time, only the long-term password is cached, so
    offline access still works using the long-term password
  * A new command line tool sss_override is present in this release. The
    tool allows attributes to be overridden on the SSSD side. It is helpful
    in environments where e.g. some hosts need to have a different view of
    POSIX attributes than others. Please note that the overrides are stored
    in the cache as well, so removing the cache will also remove the overrides
  * New methods were added to the SSSD D-Bus interface. Notably support
    for looking up a user by certificate and looking up multiple users
    using a wildcard was added. Please see the interface introspection or
    the design pages for full details
  * Several enhancements to the dynamic DNS update code. Notably, clients
    that update multiple interfaces work better with this release
  * This release supports authenticating against a KDC proxy
  * The failover code was enhanced so that if a trusted domain is not
    reachable, only that domain is marked as inactive while the back end
    stays in online mode
  * Several fixes to the GPO access control code are present

== Packaging Changes ==
  * The Smart Card authentication feature requires a helper process
    p11_child that needs to be marked as setgid if SSSD needs to be able
    to. Please note that p11_child requires the NSS crypto library at the moment
  * The sss_override tool was added along with its own manpage
  * The upstream RPM can now build on RHEL/CentOS 6.7

== Documentation Changes ==
  * The config_file_version configuration option now defaults to 2. As
    a result, this option no longer has to be set unless the config
    file format is changed again by SSSD upstream
  * It is now possible to specify a comma-separated list of interfaces in
    the dyndns_iface option
  * The InfoPipe responder and the LDAP provider gained a new option
    wildcard_limit that specifies an upper limit on the number of entries
    that can be returned by a wildcard lookup
  * A new option dyndns_server was added. This option allows a fallback
    DNS update to be attempted against a specific DNS server. Please note
    that this option only works as a fallback; the first attempt is always
    performed against the autodiscovered servers
  * The PAM responder gained a new option ca_db that specifies where the
    trusted CA certificates are stored
  * The time the p11_child is allowed to operate can be specified using
    a new option p11_child_timeout
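
The following sssd.conf fragment is an added example and not part of the
release notes; it shows the section each of the options listed above is
read from. The domain name example.com, the server names, the certificate
database path and the interface names are assumptions for illustration:

```ini
# Added example, not from the SSSD release notes: an sssd.conf fragment that
# places each option introduced in 1.13.1 in the section that consumes it.
# The domain "example.com", the server names, the paths and the interface
# names are assumptions for illustration.

[sssd]
services = nss, pam, ssh, ifp
domains = example.com
# config_file_version = 2 is now the default and may be omitted

[pam]
# Smart Card authentication (new in this release)
pam_cert_auth = True
# Where p11_child finds the trusted CA certificates (NSS database assumed)
ca_db = /etc/pki/nssdb
# Seconds p11_child may run before the PAM responder gives up on it
p11_child_timeout = 30

[ifp]
# Upper bound on the entries returned by a wildcard lookup over D-Bus
wildcard_limit = 500

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa1.example.com
# Same bound for the wildcard searches the LDAP provider sends to the server
wildcard_limit = 500
# Dynamic DNS: update records for both interfaces (comma-separated list)
dyndns_update = True
dyndns_iface = eth0, eth1
# Fallback only: the autodiscovered servers are always tried first
dyndns_server = dns1.example.com
```

Keep the two wildcard_limit settings in mind when testing the new
FindByCertificate and wildcard D-Bus methods: a lookup that matches more
entries than the limit is truncated on the client side, so a client that
expects a complete list should either narrow the pattern or raise the limit.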

== Tickets Fixed ==

    [RFE] Support for smart cards
    sssd: incorrect checks on length values during packet decoding
    [RFE] Start the dynamic DNS update after the SSSD has been setup for
    the first time
    Complain loudly if backend doesn't start due to missing or invalid keytab
    nested netgroups do not work in IPA provider
    test dyndns failed.
    Investigate using the krb5 responder for driving the PAM conversation
    with OTPs
    Pass error messages via the extdom plugin
    [RFE]Allow sssd to add a new option that would specify which server
    to update DNS with
    RFE: Support multiple interfaces with the dyndns_iface option
    RFE: Add support for wildcard-based cache updates
    Add dualstack and multihomed support
    Too much logging
    TRACKER: Support one-way trusts for IPA
    Re-check memcache after acquiring the lock in the client code
    RFE: Support client-side overrides
    Add index for 'objectSIDString' and maybe to other cache attributes
    RFE: Don't mark the main domain as offline if SSSD can't connect to
    a subdomain
    RFE: Detect re-established trusts in the IPA subdomain code
    KDC proxy not working with SSSD krb5_use_kdcinfo enabled
    Group members are not turned into ghost entries when the user is purged
    from the SSSD cache
    sudoOrder not honored as expected
    Default to config_file_version=2
    GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode
    GPO: Access denied due to using wrong sam_account_name
    CI: Fix ramshackle test_ipa_subdomains_server (FAIL:
    SSSDConfig: wrong return type returned on python3
    krb5_child should always consider online state to allow use of
    MS-KKDC proxy
    Logging messages from user point of view
    [RFE] Provide interface for SSH to fetch user certificate
    Initgroups memory cache does not work with fq names
    Initgroups mmap cache needs update after db changes
    well-known SID check is broken for NetBIOS prefixes
    SSSD keytab validation check expects root ownership
    IPA: returned unknown dp error code with disabled migration mode
    Missing config options in gentoo init script
    Could not resolve AD user from root domain
    getgrgid for user's UID on a trust client prevents getpw*
    If AD site detection fails, not even ad_site override skipped
    Do not send SSS_OTP if both factors were entered separately
    searching SID by ID always checks all domains
    Don't use deprecated libraries (libsystemd-*)
    sss_override: add import and export commands
    Cannot build rpms from upstream spec file on rawhide
    When certificate is added via user-add-cert, it cannot be looked up
    via org.freedesktop.sssd.infopipe.Users.FindByCertificate
    memory cache can work intermittently
    cleanup_groups should sanitize dn of groups
    the PAM srv test often fails on RHEL-7
    test_memory_cache failed in invalidation cache before stop
    Fix crash in nss responder
    Clear environment and set restrictive umask in p11_child
    sss_override does not work correctly when 'use_fully_qualified_names
    = True'
    sss_override contains an extra parameter --debug but is not listed in
    the man page or in the arguments help
    [RFE] sssd: better feedback form constraint password change
    Test 'test_id_cleanup_exp_group' failed
    sssd cannot resolve user names containing backslash with ldap provider
    Make p11_child timeout configurable
    Fix memory leak in GPO
    sss_override : The local override user is not found
    REGRESSION: Dyndns does not update reverse DNS records
    sss_override --name doesn't work with RFC2307 and ghost users
    unit tests do not link correctly on Debian
    Memory leak / possible DoS with krb auth.
    AD: Conditional jump or move depends on uninitialised value

== Detailed Changelog ==

Jakub Hrozek (52):
    * Updating the version for 1.13.1 development
    * tests: Move N_ELEMENTS definition to tests/common.h
    * SYSDB: Add functions to look up multiple entries including name and
      custom filter
    * cache_req: Extend cache_req with wildcard lookups
    * UTIL: Add sss_filter_sanitize_ex
    * LDAP: Fetch users and groups using wildcards
    * LDAP: Add sdap_get_and_parse_generic_send
    * LDAP: Use sdap_get_and_parse_generic_/_recv
    * LDAP: Add sdap_lookup_type enum
    * LDAP: Add the wildcard_limit option
    * IFP: Add wildcard requests
    * Use NSCD path in execl()
    * KRB5: Use the right domain for case-sensitive flag
    * IPA: Better debugging
    * UTIL: Lower debug level in perform_checks()
    * IPA: Handle sssd-owned keytabs when running as root
    * IPA: Remove MPG groups if getgrgid was called before getpw()
    * LDAP: use ldb_binary_encode when printing attribute values
    * IPA: Change the default of ldap_user_certificate to
    * UTIL: Provide a common interface to safely create temporary files
    * IPA: Always re-fetch the keytab from the IPA server
    * DYNDNS: Add a new option dyndns_server
    * p11child: set restrictive umask and clear environment
    * KRB5: Use sss_unique file in krb5_child
    * KRB5: Use sss_unique_file when creating kdcinfo files
    * LDAP: Use sss_unique_filename in ldap_child
    * SSH: Use sss_unique_file_ex to create the known hosts file
    * SYSDB: Index the objectSIDString attribute
    * sbus: Initialize errno if constructing message fails and add debug
    * sbus: Add a special error code for messages sent by the bus itself
    * GPO: Use sss_unique_file and close fd on failure
    * SDAP: Remove unused function
    * KRB5: Don't error out reading a minimal krb5.conf
    * UTIL: Convert domain->disabled into tri-state with domain states
    * DP: Provide a way to mark subdomain as disabled and auto-enable it
      later with offline_timeout
    * SDAP: Do not set is_offline if ignore_mark_offline is set
    * AD: Only ignore errors from SDAP lookups if there's another connection
      to fallback to
    * KRB5: Offline operation with disabled domain
    * AD: Do not mark the whole back end as offline if subdomain lookup fails
    * AD: Set ignore_mark_offline=false when resolving AD root domain
    * IPA: Do not allow the AD lookup code to set backend as offline in
      server mode
    * BUILD: link dp tests with LDB directly to fix builds on Debian
    * LDAP: imposing sizelimit=1 for single-entry searches breaks
      overlapping domains
    * tests: Move named_domain from test_utils to common test code
    * LDAP: Move sdap_create_search_base from ldap to sdap code
    * LDAP: Filter out multiple entries when searching overlapping domains
    * IPA: Change ipa_server_trust_add_send request to be reusable from ID code
    * FO: Add an API to reset all servers in a single service
    * FO: Also reset the server common data in addition to SRV
    * IPA: Retry fetching keytab if IPA user lookup fails
    * Updating translations for the 1.13.1 release 

Lukas Slebodnik (49):
    * KRB5: Return right data provider error code
    * Update few debug messages
    * intg: Invalidate memory cache before removing files
    * SPEC: Update spec file for krb5_local_auth_plugin
    * SSSDConfig: Return correct types in python3
    * intg: Modernize 'except' clauses
    * mmap_cache: Rename variables
    * mmap_cache: "Override" functions for initgr mmap cache
    * mmap: Invalidate initgroups memory cache after any change
    * sss_client: Update integrity check of records in mmap cache
    * intg_test: Add module for simulation of utility id
    * intg_test: Add integration test for memory cache
    * NSS: Initgr memory cache should work with fq names
    * test_memory_cache: Add test for initgroups mc with fq names
    * SPEC: Workaround for build with rpm 4.13
    * KRB5: Do not try to remove missing ccache
    * test_memory_cache: Test mmap cache after initgroups
    * test_memory_cache: Test invalidation with sss_cache
    * krb5_utils-tests: Remove unused variables
    * sss_cache: Wait a while for invalidation of mc by nss responder
    * test_memory_cache: Fix few python issues
    * NSS: Fix use after free
    * NSS: Don't ignore backslash in usernames with ldap provider
    * intg_tests: Add regression test for 2163
    * BUILD: Build libdlopen_test_providers.la as a dynamic library
    * BUILD: Speed up build of some tests
    * BUILD: Simplify build of simple_access_tests
    * CI: Set env variable for all tabs in screen
    * dyndns-tests: Simulate job in wrapped execv
    * AUTOMAKE: Disable portability warnings
    * tests: Use unique name for TEST_PATH
    * tests: Move test_dom_suite_setup to different module
    * test_ipa_subdomains_server: Use unique directory for keytabs
    * test_copy_keytab: Create keytabs in unique directory
    * test_ad_common: Use unique directory for keytabs
    * Revert "LDAP: end on ENOMEM"
    * Partially revert "LDAP: sanitize group name when used in filter"
    * LDAP: Sanitize group dn before using in filter
    * test_ldap_id_cleanup: Fix coding style issues
    * DYNDNS: Return right error code in case of failure
    * BUILD: Simplify build of test_data_provider_be
    * BUILD: Remove unused variable CHECK_OBJ
    * BUILD: Do not build libsss_ad_common.la as library
    * BUILD: Remove unused variable SSSD_UTIL_OBJ
    * CONFIGURE: Remove bashism
    * IFP: Suppress warning from static analyzer
    * BUILD: Link test_data_provider_be with -ldl
    * sysdb-tests: Use valid base64 encoded certificate for search
    * test_pam_srv: Run cert test only with NSS 

Michal Židek (13):
    * DEBUG: Add new debug category for fail over.
    * pam: Increase p11 child timeout
    * sdap_async: Use specific errmsg when available
    * TESTS: ldap_id_cleanup timeouts
    * sssd: incorrect checks on length values during packet decoding
    * CONFDB: Assume config file version 2 if missing
    * Makefile.am: Add missing AM_CFLAGS
    * SYSDB: Add function to expire entry
    * cleanup task: Expire all memberof targets when removing user
    * CI: Add regression test for #2676
    * intg: Fix some PEP 8 violations
    * PAM: Make p11_child timeout configurable
    * tests: Set p11_child_timeout to 30 in tests 

Nikolai Kondrashov (1):
    * TESTS: Add trailing whitespace test 

Pavel Březina (18):
    * VIEWS TEST: add null-check
    * SYSDB: prepare for LOCAL view
    * TOOLS: add common command framework
    * TOOLS: add sss_override for local overrides
    * AD: Use ad_site also when site search fails
    * IFP: use default limit if provided is 0
    * sudo: use "higher value wins" when ordering rules
    * sss_override: print input name if unable to parse it
    * sss_override: support domains that require fqname
    * TOOLS: add sss_colondb API
    * sss_override: decompose code better
    * sss_override: support import and export
    * sss_override: document --debug options
    * sss_override: support fqn in override name
    * views: do not require overrideDN in groups when LOCAL view is set
    * views: fix two typos in debug messages
    * views: allow ghost members for LOCAL view
    * sss_override: remove -d from manpage 

Pavel Reichl (23):
    * DYNDNS: sss_iface_addr_list_get return ENOENT
    * DYNDNS: support mult. interfaces for dyndns_iface opt
    * DYNDNS: special value '*' for dyndns_iface option
    * TESTS: dyndns tests support AAAA addresses
    * DYNDNS: support for dualstack
    * TESTS: fix compiler warnings
    * IPA: Improve messages about failures
    * DYNDNS: Don't use server cmd in nsupdate by default
    * DYNDNS: remove redundant talloc_steal()
    * DYNDNS: remove zone command
    * DYNDNS: rename field of sdap_dyndns_update_state
    * DYNDNS: remove code duplication
    * TESTS: UT for sss_iface_addr_list_as_str_list()
    * LDAP: sanitize group name when used in filter
    * LDAP: minor improvements in ldap id cleanup
    * TESTS: fix fail in test_id_cleanup_exp_group
    * LDAP: end on ENOMEM
    * AD: send less logs to syslog
    * Remove trailing whitespace
    * GPO: fix memory leak
    * DDNS: execute nsupdate for single update of PTR rec
    * AD: initialize root_domain_attrs field

Petr Cech (6):
    * BUILD: Repair dependencies on deprecated libraries
    * TESTS: Removing part of responder_cache_req-tests
    * UTIL: Function 2string for enum sss_cli_command
    * UTIL: Fixing Makefile.am for util/sss_cli_cmd.h
    * DATA_PROVIDER: BE_REQ as string in log message
    * IPA PROVIDER: Resolve nested netgroup membership 

Robin McCorkell (1):
    * man: List alternative schema defaults for LDAP AutoFS parameters 

Stephen Gallagher (1):
    * AD: Handle cases where no GPOs apply 

Sumit Bose (17):
    * test common: sss_dp_get_account_recv() fix assignment
    * nss_check_name_of_well_known_sid() improve name splitting
    * negcache: allow domain name for UID and GID
    * nss: use negative cache for sid-by-id requests
    * krb5: do not send SSS_OTP if two factors were used
    * utils: add NSS version of cert utils
    * Add NSS version of p11_child
    * pack_message_v3: allow empty name
    * authok: add support for Smart Card related authtokens
    * PAM: add certificate support to PAM (pre-)auth requests
    * pam_sss: add sc support
    * ssh: generate public keys from certificate
    * krb5 utils: add sss_krb5_realm_has_proxy()
    * krb5: do not create kdcinfo file if proxy configuration exists
    * krb5: assume online state if KDC proxy is configured
    * GPO: use SDAP_SASL_AUTHID as samAccountName
    * utils: make sss_krb5_get_primary() private 

Thomas Oulevey (1):
    * Fix memory leak in sssdpac_verify() 

Tyler Gates (1):
    * CONTRIB: Gentoo daemon startup options as declared in conf.d/sssd 

Yuri Chornoivan (1):
    * Fix minor typos 
