== SSSD 1.13.3 ===

The SSSD team is proud to announce the release of version 1.13.3 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly.

== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:

== Highlights ==
 * A bug that prevented user lookups and logins after migration from
   winsync to IPA-AD trusts was fixed
 * The OCSP certificate validation checks are enabled for smartcard logins
   if SSSD was compiled with the NSS crypto library.
 * A bug that prevented the ignore_group_members option from working
   correctly in AD provider setups that use a dedicated primary group (as
   opposed to a user-private group) was fixed
 * Offline detection and offline login timeouts were improved for AD users
   logging in from a domain trusted by an IPA server
 * The AD provider supports setting up autofs_provider=ad
 * Several usability improvements to our debug messages 

== Packaging Changes ==
 * The p11_child helper binary is able to run completely unprivileged and
   no longer requires the setgid bit to be set

== Documentation Changes ==
 * A new option certificate_verification was added. This option allows
   the administrator to disable OCSP checks in case the OCSP server is
   not reachable

== Tickets Fixed ==
    [RFE] Unable to use AD provider for automount lookups
    convert sudo timer to be_ptask
    sudo: reload hostinfo when going online
    Add Integration tests for local views feature
    get_object_from_cache() does not handle services
    Review p11_child hardening
    We should mention SSS_NSS_USE_MEMCACHE in man sssd.conf(5) as well
    fix man page for sssd-ldap
    Check next certificate on smart card if first is not valid
    Smartcard login when certificate on the card is revoked and ocsp check 
enabled is not supported
    Try to suppress "Could not parse domain SID from [(null)]" for IPA users
    Inform about SSSD PAC timeout better
    AD provider and ignore_group_members=True might cause flaky group 
    sssd: [sysdb_add_user] (0x0400): Error: 17 (File exists)

== Detailed Changelog ==
Dan Lavu (1):
    * Clarify that subdomains always use service discovery 

Jakub Hrozek (7):
    * Upgrading the version for the 1.13.3 release
    * DP: Do not confuse static analysers with dead code
    * BUILD: Only install polkit rules if the directory is available
    * IPA: Use search timeout, not enum timeout for searching overrides
    * AD: Add autofs provider
    * MAN: Clarify when should TGs be disabled for group nesting restriction
    * Update translations for the 1.13.3 release 

Lukas Slebodnik (2):
    * sbus_codegen_tests: Use portable definition of large constants
    * DEBUG: Add missing new lines 

Michal Židek (1):
    * MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE 

Pavel Březina (22):
    * SYSDB: Add missing include to sysdb_services.h
    * LDAP: Mark globals in ldap_opts.h as extern
    * AD: Mark globals in ad_opts.h as extern
    * IPA: Mark globals in ipa_opts.h as extern
    * KRB5: Mark globals in krb5_opts.h as extern
    * SUDO: convert periodical refreshes to be_ptask
    * SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
    * SUDO: move offline check to handler
    * SUDO: simplify error handling
    * SUDO: fix sdap_id_op logic
    * SUDO: fix tevent style
    * SUDO: fix sdap_sudo_smart_refresh_recv()
    * SUDO: sdap_sudo_load_sudoers improve iterator
    * SUDO: set USN inside sdap_sudo_refresh request
    * SUDO: built host filter inside sdap_sudo_refresh request
    * SUDO: do not imitate full refresh if usn is unknown in smart refresh
    * SUDO: fix potential memory leak in sdap_sudo_init
    * SUDO: obtain host information when going online
    * SUDO: remove finalizer
    * SUDO: make sdap_sudo_handler static
    * SUDO: use size_t instead of int in for cycles
    * SUDO: get srv_opts after we are connected 

Pavel Reichl (1):
    * sysdb-tests: Fix warning - incompatible pointer type 

Petr Cech (2):
    * IPA_PROVIDER: Explicit no handle of services
    * KRB5_CHILD: Debug logs for PAC timeout 

Sumit Bose (7):
    * IPA: fix override with the same name
    * p11: allow p11_child to run completely unprivileged
    * p11: check if cert is valid before selecting it
    * p11: enable ocsp checks
    * ldap: skip sdap_save_grpmem() if ignore_group_members is set
    * initgr: only search for primary group if it is not already cached
    * LDAP: check early for missing SID in mapping check 

Freeipa-interest mailing list

Reply via email to