== SSSD 1.13.3 ==

The SSSD team is proud to announce the release of version 1.13.3 of the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:

https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* A bug that prevented user lookups and logins after migration from winsync to IPA-AD trusts was fixed
* The OCSP certificate validation checks are enabled for smartcard logins if SSSD was compiled with the NSS crypto library.
* A bug that prevented the ignore_group_members option from working correctly in AD provider setups that use a dedicated primary group (as opposed to a user-private group) was fixed
* Offline detection and offline login timeouts were improved for AD users logging in from a domain trusted by an IPA server
* The AD provider supports setting up autofs_provider=ad
* Several usability improvements to our debug messages

== Packaging Changes ==

* The p11_child helper binary is able to run completely unprivileged and no longer requires the setgid bit to be set

== Documentation Changes ==

* A new option certificate_verification was added. This option allows the administrator to disable OCSP checks in case the OCSP server is not reachable

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1632
    [RFE] Unable to use AD provider for automount lookups
https://fedorahosted.org/sssd/ticket/1943
    convert sudo timer to be_ptask
https://fedorahosted.org/sssd/ticket/2672
    sudo: reload hostinfo when going online
https://fedorahosted.org/sssd/ticket/2732
    Add Integration tests for local views feature
https://fedorahosted.org/sssd/ticket/2747
    get_object_from_cache() does not handle services
https://fedorahosted.org/sssd/ticket/2755
    Review p11_child hardening
https://fedorahosted.org/sssd/ticket/2787
    We should mention SSS_NSS_USE_MEMCACHE in man sssd.conf(5) as well
https://fedorahosted.org/sssd/ticket/#2796
    fix man page for sssd-ldap
https://fedorahosted.org/sssd/ticket/2801
    Check next certificate on smart card if first is not valid
https://fedorahosted.org/sssd/ticket/2812
    Smartcard login when certificate on the card is revoked and ocsp check enabled is not supported
https://fedorahosted.org/sssd/ticket/2830
    Try to suppress "Could not parse domain SID from [(null)]" for IPA users
https://fedorahosted.org/sssd/ticket/2846
    Inform about SSSD PAC timeout better
https://fedorahosted.org/sssd/ticket/2868
    AD provider and ignore_group_members=True might cause flaky group memberships
https://fedorahosted.org/sssd/ticket/2874
    sssd: [sysdb_add_user] (0x0400): Error: 17 (File exists)

== Detailed Changelog ==

Dan Lavu (1):
* Clarify that subdomains always use service discovery

Jakub Hrozek (7):
* Upgrading the version for the 1.13.3 release
* DP: Do not confuse static analysers with dead code
* BUILD: Only install polkit rules if the directory is available
* IPA: Use search timeout, not enum timeout for searching overrides
* AD: Add autofs provider
* MAN: Clarify when should TGs be disabled for group nesting restriction
* Update translations for the 1.13.3 release

Lukas Slebodnik (2):
* sbus_codegen_tests: Use portable definition of large constants
* DEBUG: Add missing new lines

Michal Židek (1):
* MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE

Pavel Březina (22):
* SYSDB: Add missing include to sysdb_services.h
* LDAP: Mark globals in ldap_opts.h as extern
* AD: Mark globals in ad_opts.h as extern
* IPA: Mark globals in ipa_opts.h as extern
* KRB5: Mark globals in krb5_opts.h as extern
* SUDO: convert periodical refreshes to be_ptask
* SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
* SUDO: move offline check to handler
* SUDO: simplify error handling
* SUDO: fix sdap_id_op logic
* SUDO: fix tevent style
* SUDO: fix sdap_sudo_smart_refresh_recv()
* SUDO: sdap_sudo_load_sudoers improve iterator
* SUDO: set USN inside sdap_sudo_refresh request
* SUDO: built host filter inside sdap_sudo_refresh request
* SUDO: do not imitate full refresh if usn is unknown in smart refresh
* SUDO: fix potential memory leak in sdap_sudo_init
* SUDO: obtain host information when going online
* SUDO: remove finalizer
* SUDO: make sdap_sudo_handler static
* SUDO: use size_t instead of int in for cycles
* SUDO: get srv_opts after we are connected

Pavel Reichl (1):
* sysdb-tests: Fix warning - incompatible pointer type

Petr Cech (2):
* IPA_PROVIDER: Explicit no handle of services
* KRB5_CHILD: Debug logs for PAC timeout

Sumit Bose (7):
* IPA: fix override with the same name
* p11: allow p11_child to run completely unprivileged
* p11: check if cert is valid before selecting it
* p11: enable ocsp checks
* ldap: skip sdap_save_grpmem() if ignore_group_members is set
* initgr: only search for primary group if it is not already cached
* LDAP: check early for missing SID in mapping check