== SSSD 1.13.1 === The SSSD team is proud to announce the release of version 1.13.1 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora shortly. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * Initial support for Smart Card authentication was added. The feature can be activated with the new pam_cert_auth option * The PAM prompting was enhanced so that when Two-Factor Authentication is used, both factors (password and token) can be entered separately on separate prompts. At the same time, only the long-term password is cached, so offline access would still work using the long term password * A new command line tool sss_override is present in this release. The tools allows to override attributes on the SSSD side. It's helpful in environment where e.g. some hosts need to have a different view of POSIX attributes than others. Please note that the overrides are stored in the cache as well, so removing the cache will also remove the overrides * New methods were added to the SSSD D-Bus interface. Notably support for looking up a user by certificate and looking up multiple users using a wildcard was added. Please see the interface introspection or the design pages for full details * Several enhancements to the dynamic DNS update code. Notably, clients that update multiple interfaces work better with this release * This release supports authenticating againt a KDC proxy * The fail over code was enhanced so that if a trusted domain is not reachable, only that domain will be marked as inactive but the backed would stay in online mode * Several fixes to the GPO access control code are present == Packaging Changes == * The Smart Card authentication feature requires a helper process p11_child that needs to be marked as setgid if SSSD needs to be able to. Please note the p11_child requires the NSS crypto library at the moment * The sss_override tool was added along with its own manpage * The upstream RPM can now build on RHEL/CentOS 6.7 == Documentation Changes == * The config_file_version configuration option now defaults to 2. As an effect, this option doesn't have to be set anymore unless the config file format is changed again by SSSD upstream * It is now possible to specify a comma-separated list of interfaces in the dyndns_iface option * The InfoPipe responder and the LDAP provider gained a new option wildcard_lookup that specifies an upper limit on the number of entries that can be returned with a wildcard lookup * A new option dyndns_server was added. This option allows to attempt a fallback DNS update against a specific DNS server. Please note this option only works as a fallback, the first attempt will always be performed against autodiscovered servers. * The PAM responder gained a new option ca_db that allows the storage of trusted CA certificates to be specified * The time the p11_child is allowed to operate can be specified using a new option p11_child_timeout == Tickets Fixed == https://fedorahosted.org/sssd/ticket/546 [RFE] Support for smart cards https://fedorahosted.org/sssd/ticket/1697 sssd: incorrect checks on length values during packet decoding https://fedorahosted.org/sssd/ticket/1926 [RFE] Start the dynamic DNS update after the SSSD has been setup for the first time https://fedorahosted.org/sssd/ticket/1994 Complain loudly if backend doesn't start due to missing or invalid keytab https://fedorahosted.org/sssd/ticket/2275 nested netgroups do not work in IPA provider https://fedorahosted.org/sssd/ticket/2283 test dyndns failed. https://fedorahosted.org/sssd/ticket/2335 Investigate using the krb5 responder for driving the PAM conversation with OTPs https://fedorahosted.org/sssd/ticket/2463 Pass error messages via the extdom plugin https://fedorahosted.org/sssd/ticket/2495 [RFE]Allow sssd to add a new option that would specify which server to update DNS with https://fedorahosted.org/sssd/ticket/2549 RFE: Support multiple interfaces with the dyndns_iface option https://fedorahosted.org/sssd/ticket/2553 RFE: Add support for wildcard-based cache updates https://fedorahosted.org/sssd/ticket/2558 Add dualstack and multihomed support https://fedorahosted.org/sssd/ticket/2561 Too much logging https://fedorahosted.org/sssd/ticket/2579 TRACKER: Support one-way trusts for IPA https://fedorahosted.org/sssd/ticket/2581 Re-check memcache after acquiring the lock in the client code https://fedorahosted.org/sssd/ticket/2584 RFE: Support client-side overrides https://fedorahosted.org/sssd/ticket/2597 Add index for 'objectSIDString' and maybe to other cache attributes https://fedorahosted.org/sssd/ticket/2637 RFE: Don't mark the main domain as offline if SSSD can't connect to a subdomain https://fedorahosted.org/sssd/ticket/2639 RFE: Detect re-established trusts in the IPA subdomain code https://fedorahosted.org/sssd/ticket/2652 KDC proxy not working with SSSD krb5_use_kdcinfo enabled https://fedorahosted.org/sssd/ticket/2676 Group members are not turned into ghost entries when the user is purged from the SSSD cache https://fedorahosted.org/sssd/ticket/2682 sudoOrder not honored as expected https://fedorahosted.org/sssd/ticket/2688 Default to config_file_version=2 https://fedorahosted.org/sssd/ticket/2691 GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode https://fedorahosted.org/sssd/ticket/2692 GPO: Access denied due to using wrong sam_account_name https://fedorahosted.org/sssd/ticket/2694 CI: Fix ramshackle test_ipa_subdomains_server (FAIL: test_ipa_subdom_server) https://fedorahosted.org/sssd/ticket/2699 SSSDConfig: wrong return type returned on python3 https://fedorahosted.org/sssd/ticket/2700 krb5_child should always consider online state to allow use of MS-KKDC proxy https://fedorahosted.org/sssd/ticket/2708 Logging messages from user point of view https://fedorahosted.org/sssd/ticket/2711 [RFE] Provide interface for SSH to fetch user certificate https://fedorahosted.org/sssd/ticket/2712 Initgroups memory cache does not work with fq names https://fedorahosted.org/sssd/ticket/2716 Initgroups mmap cache needs update after db changes https://fedorahosted.org/sssd/ticket/2717 well-known SID check is broken for NetBIOS prefixes https://fedorahosted.org/sssd/ticket/2718 SSSD keytab validation check expects root ownership https://fedorahosted.org/sssd/ticket/2719 IPA: returned unknown dp error code with disabled migration mode https://fedorahosted.org/sssd/ticket/2722 Missing config options in gentoo init script https://fedorahosted.org/sssd/ticket/2723 Could not resolve AD user from root domain https://fedorahosted.org/sssd/ticket/2724 getgrgid for user's UID on a trust client prevents getpw* https://fedorahosted.org/sssd/ticket/2725 If AD site detection fails, not even ad_site override skipped https://fedorahosted.org/sssd/ticket/2729 Do not send SSS_OTP if both factors were entered separately https://fedorahosted.org/sssd/ticket/2731 searching SID by ID always checks all domains https://fedorahosted.org/sssd/ticket/2733 Don't use deprecated libraries (libsystemd-*) https://fedorahosted.org/sssd/ticket/2737 sss_override: add import and export commands https://fedorahosted.org/sssd/ticket/2738 Cannot build rpms from upstream spec file on rawhide https://fedorahosted.org/sssd/ticket/2742 When certificate is added via user-add-cert, it cannot be looked up via org.freedesktop.sssd.infopipe.Users.FindByCertificate https://fedorahosted.org/sssd/ticket/2743 memory cache can work intermittently https://fedorahosted.org/sssd/ticket/2744 cleanup_groups should sanitize dn of groups https://fedorahosted.org/sssd/ticket/2746 the PAM srv test often fails on RHEL-7 https://fedorahosted.org/sssd/ticket/2748 test_memory_cache failed in invalidation cache before stop https://fedorahosted.org/sssd/ticket/2749 Fix crash in nss responder https://fedorahosted.org/sssd/ticket/2754 Clear environment and set restrictive umask in p11_child https://fedorahosted.org/sssd/ticket/2757 sss_override does not work correctly when 'use_fully_qualified_names = True' https://fedorahosted.org/sssd/ticket/2758 sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help https://fedorahosted.org/sssd/ticket/2762 [RFE] sssd: better feedback form constraint password change https://fedorahosted.org/sssd/ticket/2768 Test 'test_id_cleanup_exp_group' failed https://fedorahosted.org/sssd/ticket/2772 sssd cannot resolve user names containing backslash with ldap provider https://fedorahosted.org/sssd/ticket/2773 Make p11_child timeout configurable https://fedorahosted.org/sssd/ticket/2777 Fix memory leak in GPO https://fedorahosted.org/sssd/ticket/2782 sss_override : The local override user is not found https://fedorahosted.org/sssd/ticket/2783 REGRESSION: Dyndns soes not update reverse DNS records https://fedorahosted.org/sssd/ticket/2790 sss_override --name doesn't work with RFC2307 and ghost users https://fedorahosted.org/sssd/ticket/2799 unit tests do not link correctly on Debian https://fedorahosted.org/sssd/ticket/2803 Memory leak / possible DoS with krb auth. https://fedorahosted.org/sssd/ticket/2805 AD: Conditional jump or move depends on uninitialised value == Detailed Changelog == Jakub Hrozek (52): * Updating the version for 1.13.1 development * tests: Move N_ELEMENTS definition to tests/common.h * SYSDB: Add functions to look up multiple entries including name and custom filter * DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP * cache_req: Extend cache_req with wildcard lookups * UTIL: Add sss_filter_sanitize_ex * LDAP: Fetch users and groups using wildcards * LDAP: Add sdap_get_and_parse_generic_send * LDAP: Use sdap_get_and_parse_generic_/_recv * LDAP: Add sdap_lookup_type enum * LDAP: Add the wildcard_limit option * IFP: Add wildcard requests * Use NSCD path in execl() * KRB5: Use the right domain for case-sensitive flag * IPA: Better debugging * UTIL: Lower debug level in perform_checks() * IPA: Handle sssd-owned keytabs when running as root * IPA: Remove MPG groups if getgrgid was called before getpw() * LDAP: use ldb_binary_encode when printing attribute values * IPA: Change the default of ldap_user_certificate to userCertificate;binary * UTIL: Provide a common interface to safely create temporary files * IPA: Always re-fetch the keytab from the IPA server * DYNDNS: Add a new option dyndns_server * p11child: set restrictive umask and clear environment * KRB5: Use sss_unique file in krb5_child * KRB5: Use sss_unique_file when creating kdcinfo files * LDAP: Use sss_unique_filename in ldap_child * SSH: Use sss_unique_file_ex to create the known hosts file * SYSDB: Index the objectSIDString attribute * sbus: Initialize errno if constructing message fails and add debug messages * sbus: Add a special error code for messages sent by the bus itself * GPO: Use sss_unique_file and close fd on failure * SDAP: Remove unused function * KRB5: Don't error out reading a minimal krb5.conf * UTIL: Convert domain->disabled into tri-state with domain states * DP: Provide a way to mark subdomain as disabled and auto-enable it later with offline_timeout * SDAP: Do not set is_offline if ignore_mark_offline is set * AD: Only ignore errors from SDAP lookups if there's another connection to fallback to * KRB5: Offline operation with disabled domain * AD: Do not mark the whole back end as offline if subdomain lookup fails * AD: Set ignore_mark_offline=false when resolving AD root domain * IPA: Do not allow the AD lookup code to set backend as offline in server mode * BUILD: link dp tests with LDB directly to fix builds on Debian * LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains * tests: Move named_domain from test_utils to common test code * LDAP: Move sdap_create_search_base from ldap to sdap code * LDAP: Filter out multiple entries when searching overlapping domains * IPA: Change ipa_server_trust_add_send request to be reusable from ID code * FO: Add an API to reset all servers in a single service * FO: Also reset the server common data in addition to SRV * IPA: Retry fetching keytab if IPA user lookup fails * Updating translations for the 1.13.1 release Lukas Slebodnik (49): * KRB5: Return right data provider error code * Update few debug messages * intg: Invalidate memory cache before removing files * SPEC: Update spec file for krb5_local_auth_plugin * SSSDConfig: Return correct types in python3 * intg: Modernize 'except' clauses * mmap_cache: Rename variables * mmap_cache: "Override" functions for initgr mmap cache * mmap: Invalidate initgroups memory cache after any change * sss_client: Update integrity check of records in mmap cache * intg_test: Add module for simulation of utility id * intg_test: Add integration test for memory cache * NSS: Initgr memory cache should work with fq names * test_memory_cache: Add test for initgroups mc with fq names * SPEC: Workaround for build with rpm 4.13 * KRB5: Do not try to remove missing ccache * test_memory_cache: Test mmap cache after initgroups * test_memory_cache: Test invalidation with sss_cache * krb5_utils-tests: Remove unused variables * sss_cache: Wait a while for invalidation of mc by nss responder * test_memory_cache: Fix few python issues * NSS: Fix use after free * NSS: Don't ignore backslash in usernames with ldap provider * intg_tests: Add regression test for 2163 * BUILD: Build libdlopen_test_providers.la as a dynamic library * BUILD: Speed up build of some tests * BUILD: Simplify build of simple_access_tests * CI: Set env variable for all tabs in screen * dyndns-tests: Simulate job in wrapped execv * AUTOMAKE: Disable portability warnings * tests: Use unique name for TEST_PATH * tests: Move test_dom_suite_setup to different module * test_ipa_subdomains_server: Use unique dorectory for keytabs * test_copy_keytab: Create keytabs in unique directory * test_ad_common: Use unique directory for keytabs * Revert "LDAP: end on ENOMEM" * Partially revert "LDAP: sanitize group name when used in filter" * LDAP: Sanitize group dn before using in filter * test_ldap_id_cleanup: Fix coding style issues * DYNDNS: Return right error code in case of failure * BUILD: Simplify build of test_data_provider_be * BUILD: Remove unused variable CHECK_OBJ * BUILD: Do not build libsss_ad_common.la as library * BUILD: Remove unused variable SSSD_UTIL_OBJ * CONFIGURE: Remove bashism * IFP: Suppress warning from static analyzer * BUILD: Link test_data_provider_be with -ldl * sysdb-tests: Use valid base64 encoded certificate for search * test_pam_srv: Run cert test only with NSS Michal Židek (13): * DEBUG: Add new debug category for fail over. * pam: Incerease p11 child timeout * sdap_async: Use specific errmsg when available * TESTS: ldap_id_cleanup timeouts * sssd: incorrect checks on length values during packet decoding * CONFDB: Assume config file version 2 if missing * Makefile.am: Add missing AM_CFLAGS * SYSDB: Add function to expire entry * cleanup task: Expire all memberof targets when removing user * CI: Add regression test for #2676 * intg: Fix some PEP 8 violations * PAM: Make p11_child timeout configurable * tests: Set p11_child_timeout to 30 in tests Nikolai Kondrashov (1): * TESTS: Add trailing whitespace test Pavel Březina (18): * VIEWS TEST: add null-check * SYSDB: prepare for LOCAL view * TOOLS: add common command framework * TOOLS: add sss_override for local overrides * AD: Use ad_site also when site search fails * IFP: use default limit if provided is 0 * sudo: use "higher value wins" when ordering rules * sss_override: print input name if unable to parse it * sss_override: support domains that require fqname * TOOLS: add sss_colondb API * sss_override: decompose code better * sss_override: support import and export * sss_override: document --debug options * sss_override: support fqn in override name * views: do not require overrideDN in grous when LOCAL view is set * views: fix two typos in debug messages * views: allow ghost members for LOCAL view * sss_override: remove -d from manpage Pavel Reichl (23): * DYNDNS: sss_iface_addr_list_get return ENOENT * DYNDNS: support mult. interfaces for dyndns_iface opt * DYNDNS: special value '*' for dyndns_iface option * TESTS: dyndns tests support AAAA addresses * DYNDNS: support for dualstack * TESTS: fix compiler warnings * SDAP: rename SDAP_CACHE_PURGE_TIMEOUT * IPA: Improve messages about failures * DYNDNS: Don't use server cmd in nsupdate by default * DYNDNS: remove redundant talloc_steal() * DYNDNS: remove zone command * DYNDNS: rename field of sdap_dyndns_update_state * DYNDNS: remove code duplication * TESTS: UT for sss_iface_addr_list_as_str_list() * LDAP: sanitize group name when used in filter * LDAP: minor improvements in ldap id cleanup * TESTS: fix fail in test_id_cleanup_exp_group * LDAP: end on ENOMEM * AD: send less logs to syslog * Remove trailing whitespace * GPO: fix memory leak * DDNS: execute nsupdate for single update of PTR rec * AD: inicialize root_domain_attrs field Petr Cech (6): * BUILD: Repair dependecies on deprecated libraries * TESTS: Removing part of responder_cache_req-tests * UTIL: Function 2string for enum sss_cli_command * UTIL: Fixing Makefile.am for util/sss_cli_cmd.h * DATA_PROVIDER: BE_REQ as string in log message * IPA PROVIDER: Resolve nested netgroup membership Robin McCorkell (1): * man: List alternative schema defaults for LDAP AutoFS parameters Stephen Gallagher (1): * AD: Handle cases where no GPOs apply Sumit Bose (17): * test common: sss_dp_get_account_recv() fix assignment * nss_check_name_of_well_known_sid() improve name splitting * negcache: allow domain name for UID and GID * nss: use negative cache for sid-by-id requests * krb5: do not send SSS_OTP if two factors were used * utils: add NSS version of cert utils * Add NSS version of p11_child * pack_message_v3: allow empty name * authok: add support for Smart Card related authtokens * PAM: add certificate support to PAM (pre-)auth requests * pam_sss: add sc support * ssh: generate public keys from certificate * krb5 utils: add sss_krb5_realm_has_proxy() * krb5: do not create kdcinfo file if proxy configuration exists * krb5: assume online state if KDC proxy is configured * GPO: use SDAP_SASL_AUTHID as samAccountName * utils: make sss_krb5_get_primary() private Thomas Oulevey (1): * Fix memory leak in sssdpac_verify() Tyler Gates (1): * CONTRIB: Gentoo daemon startup options as declared in conf.d/sssd Yuri Chornoivan (1): * Fix minor typos _______________________________________________ Freeipa-interest mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-interest