== SSSD 1.14 Alpha ===

The SSSD team is proud to announce the release of version 1.14 Alpha of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:

== Highlights ==
    * Several internal interfaces were refactored, providing cleaner
      code and better memory hierarchy. This change will allow the code to
      be easier to maintain and extend and get rid of sssd_be crashes on
      service restarts while active requests are running.
    * The IPA provider allows looking up users from trusted Active Directory
      domains by certificates that are included in the IPA ID-views. Please
      note that this functionality requires a recent IPA server.
    * The AD provider is now able to look up users from Active Directory
      domains by certificate. This change enables logins for Active Directory
      users with the help of a smart card.
    * The sss_override tool is now able to add certificates as local
      overrides in the SSSD cache. Please note that the certificate overrides
      are stored in the local cache, so removing the cache also removes all
      the certificates!
    * Invalid certificates are skipped instead of aborting the whole
      operation when logging in with a smart card using SSH.
    * A new option local_negative_timeout was added. This option allows
      the admin to specify the time during which lookups for users that
      are not handled by SSSD but are present on the system (typically in
      /etc/passwd and /etc/group) and prevents repeated lookups of local
      users on the remote server during initgroups operation.
    * This version allows several OCSP-related options such as the OCSP
      responder to be configured during smart card authentication
    * SSSD is now able to determine the name of the user who logs in from
      the inserted smart card without having to type in the username. Please
      note that this functionality must be enabled with the allow_missing_name
      pam_sss option.
    * The sss_cache command line tool is now able to invalidate SUDO rules
      with its new -r/-R switches. Please note that the sudo rules are not
      refreshed with the sss_cache tool immediately. Refer to the sssd-sudo
      man page for the existing refresh timeouts.
    * The AD provider as well as the IPA provider part that handles AD
      users is able to use the PAC blob attached to the Kerberos ticket to
      resolve group memberships for a user if available. If the PAC blob is
      not available, other methods such as tokenGroups are used instead.
    * The libipa_hbac library was decorated with debug statements, allowing
      the administrator to see individual parts of the HBAC rules as well
      as the request passed to the evaluator
    * Several systemtap probes were added across the SSSD codebase as well
      as example systemtap scripts that use these probes. The scripts allow
      the administrator to observe the performance of some operations such
      as saving a group or the 'id' command with systemtap.

== Packaging Changes ==
    * The libsss_sudo.so and libsss_autofs.so libraries were moved to
      individual subpackage. This change allows the sudo and autofs libraries
      to be installed in containers when the SSSD deamon is running on the
      host or in another container.
    * The PolicyKit rules used by the p11 child during smartcard
      authentication were moved into their own subpackage to prevent conflict
      in ownership with the polkit package
    * The upstream RPMs no longer run as an unprivileged user, because
      there are several known issues related to running SSSD completely
      unprivileged. It it still possible to switch to a non-privileged user
      in the sssd.conf file.
    * If no configuration file exists on SSSD startup, the SSSD is now able
      to read a default sssd.conf on first start. Downstreams are encouraged
      to ship a default sssd.conf to allow SSSD to be enabled by default.

== Documentation Changes ==
    * It is possible to configure SSSD debugging with the debug option
      which is an alias to the existing debug_level option.
    * A new local_negative_timeout option was added to configure the time
      during which lookups for users that exist on the system but are not
      handled by SSSD are negatively cached.
    * The PAC responder allows the time during which data read from the
      PAC bloc is considered valid with a new pac_lifetime option.
    * Several PAM services were added to the default list of Group
      Policy mappings. These include adding the unity login manager to
      the ad_gpo_map_interactive list and the polkit-1 service to the
      ad_gpo_map_allow list.
    * The p11 responder allows configuring the default OCSP responder with
      its new option ocsp_default_responder and the certificate expected to
      sign the OCSP response with the new ocsp_default_responder_signing_cert
    * The pam_sss.so PAM module has a new option allow_missing_name that
      allows looking up the user (typically with the help of a certificate
      on a smartcard) during login.
    * The sss_override tool gained a new option -x/--certificate that can
      be used to specify a local (as in the local cache) certificate for a
      particular user.
    * The sss_cache tool gained new options -r/-R that allow the
      administrator to invalidate the sudo rules in the cache.

== Tickets Fixed ==
    Name-space add_string and make it clear it can also remove string
    [RFE] sss_cache: invalidate sudo rules
    [RFE] Integrate SSSD with containers
    PAC responder needs much time to process large group lists
    make the negcache timeout part of nc_ctx
    check correct usage of talloc_realloc
    review the use of umask() in sssd code
    man sssd.conf should clarify details about subdomain_inherit option.
    Need better libhbac debuging added to sssd
    Make it possible to lookup user via UPN / Kerberos principal
    CI: whitespace_test FAILED without any output
    cache_req: add SID lookups
    Move libsss_sudo.so outside sssd-common
    Cannot authenticate AD trust users after disconnecting network
    cache_req tests don't use leak_check_push/leak_check_pop in fixtures
    AD GPO fails if the machine account belongs to a domain controller
    Smart Cards: Certificate in the ID View
    Review and update wiki pages for 1.14 Alpha
    Incorrect mapping for locked vs expired accounts with the krb provider
    NSS responder should negatively cache local users for a longer time
    Screen locks and smart card is removed - must show a message to insert the 
correct smartcard
    Abstract async connect functions from sss_ldap
    Common responder code closes socket to early on client shutdown
    ssh with Smartcards - skip invalid certificates
    RFE - alias log_level to debug_level
    [Patch] Vague error message: [sss_ldap_init_sys_connect_done] (0x0020): 
ldap_install_tls failed: Connect error
    SSSD doesn't fail over to next GC if authentication fails

== Detailed Changelog ==

Alexander Bokovoy (1):
    * SPEC: Move polkit rules into sssd-polkit-rules subpackage 

Dan Lavu (5):
    * sss_override: Add restart requirements to man page
    * MAN: Clarify that subdomain_inherit only works for IPA and AD
    * URL in BUILD.txt is incorrect
    * Clarify that subdomains always use service discovery
    * PAM: Fix man for pam_account_{expired,locked}_message 

David Disseldorp (1):
    * build: detect endianness at configure time 

Fabiano Fidêncio (4):
    * sysdb: move add_string() convenience to sysdb.c
    * sysdb: add sysdb_{add,replace,delete}_string()
    * sysdb: move add_ulong() convenience to sysdb.c
    * sysdb: add sysdb_{add,replace,delete}_ulong() 

Graham Leggett (1):
    * Add underlying diagnostic message for SSL errors. 

Jakub Hrozek (72):
    * Updating the version to track 1.14 development
    * MAN: Clarify pam_trusted_users option description
    * MAN: proxy and krb5 are valid access control modules
    * contrib: Add a pre-push hook to warn about commits without Reviewed-By
    * AD: Provide common connection list construction functions
    * AD: Consolidate connection list construction on ad_common.c
    * tests: Fix compilation warning
    * FO: Don't free rc-allocated structure
    * tests: Reduce failover code duplication
    * FO: Use refcount to keep track of servers returned to callers
    * tools: Don't shadow 'exit'
    * IFP: Skip non-POSIX groups properly
    * SSSD: Add a new option diag_cmd
    * DP: Drop dp_pam_err_to_string
    * DP: Check callback messages for valid UTF-8
    * sbus: Check string arguments for valid UTF-8 strings
    * DP: Do not confuse static analysers with dead code
    * CONTRIB: Add a gdb pretty-printer for ldb and sysdb_attrs
    * BUILD: Only install polkit rules if the directory is available
    * AD: Add autofs provider
    * KRB5: Handle preauth request timeout more gracefully
    * FO: Use tevent_req_defer_callback() when notifying callers
    * IPA: Use search timeout, not enum timeout for searching overrides
    * DP: Reduce code duplication in the callback handlers
    * DP: Reduce code duplication in Data Provider handlers
    * MAN: Clarify when should TGs be disabled for group nesting restriction
    * DP: Print warning when the handler is not configured
    * tests: use unittest.TestCase?.assertCountEqual if possible
    * Fix pep8 warnings in pyhbac-test.py
    * SDAP: Make it possible to silence errors from dereference
    * Add a new option ldap_group_external_member
    * IPA: Add interface to call into IPA provider from LDAP provider
    * LDAP: Use the IPA provider interface to resolve external group members
    * IPA: Use the common if-else coding style
    * tests: Extend test_child_common.c to include tests for the 
only_extra_args functionality
    * NSS: Move a DEBUG message so that it's less confusing
    * MAN: Move subdomain_inherit to the correct man section
    * MAN: Move proxy_fast_alias to the correct man section
    * memberof: Don't allocate on a NULL context
    * tests: Add a unit test for the external groups resolution
    * libipa_hbac: Do not use C99
    * libipa_hbac: Add more debug messages
    * libipa_hbac: Fix typo in constant name
    * libipa_hbac: Move the library to src/lib/ipa_hbac
    * MAN: Remove duplicate description of the pam_account_locked_message option
    * AD: Recognize Windows Server 2016
    * memberof: Fix a memory leak when removing ghost users
    * memberof: Don't allocate on NULL when deleting memberUids
    * tests: Check NULL context in sysdb-tests when removing group members
    * MAN: Drop the reference to IPAv2 in the man page
    * Make sdap_process_group_send() static
    * MAN: Remove references to the obsolete PubkeyAgent? ssh option
    * IFP: Do not crash on invalid arguments to GetUserAttr?
    * UTIL: exit() the forked process if exec()-ing a child process fails
    * AD: Do not schedule the machine renewal task if adcli is not executable
    * AD: Do not leak file descriptors during machine password renewal
    * Do not leak fds in case of failures setting up a child process
    * LDAP: Try also the AD access control for IPA users
    * RESPONDER: Fix error check in cache_req.c
    * UTIL: Add a PROBE macro into probes.h
    * BUILD: Add build infrastructure for systemtap scripts
    * SYSDB: Track transaction nesting in sysdb_ctx
    * SYSDB: Add systemtap probes to track sysdb transactions
    * STAP: Add helper functions to for human-readable account request 
    * LDAP: Decorate the hot paths in the LDAP provider with systemtap probes
    * CONTRIB: Add a systemtap script to analyze the performance of the 'id' 
    * CONTRIB: Add a systemstap script to measure nested group code performance
    * BUILD: Enable systemtap during RPM build and CI
    * Updating the translations for the 1.14 alpha release
    * Updating the version for the 1.14 beta release 

Lukas Slebodnik (107):
    * CONTRIB: pre-push hook could work with python3
    * BUILD: Link just libsss_crypto with crypto libraries
    * BUILD: Link crypto_tests with existing library
    * BUILD: Remove unused variable TEST_MOCK_OBJ
    * BUILD: Avoid symlinks with python modules
    * SSSDConfigTest: Try load saved config
    * SSSDConfigTest: Test real config without config_file_version
    * intg_tests: Fix PEP8 warnings
    * responder_common_tests: Removed unused libraries
    * BUILD: Remove unused variables
    * BUILD: Remove SSS_CRYPTO_LIBS from common libraries
    * BUILD: Accept krb5 1.14 for building the PAC plugin
    * BUILD: Fix detection of pthread with strict CFLAGS
    * sbus_codegen_tests: Suppress warning Wmaybe-uninitialized
    * BUILD: Fix cleanup without NLS
    * SDAP: Remove unused sdap_id_ctx from sdap_id_conn_cache_create
    * BUILD: Fix doc directory for sss_simpleifp
    * LDAP: Fix leak of file descriptors
    * BUILD: Remove sudo doxygen file
    * CI: Workaroung for code coverage with old gcc
    * FAIL_OVER: Fix warning value computed is not used
    * cache_req: Fix warning -Wshadow
    * SBUS: Fix warnings -Wshadow
    * TESTS: Fix warnings -Wshadow
    * INIT: Drop syslog.target from service file
    * AD: Remove unused memory context from ad_user_conn_list
    * DP_PTASK: Fix warning may be used uninitialized
    * UTIL: Fix memory leak in switch_creds
    * TESTS: Initialize leak check
    * TESTS: Check return value of check_leaks_pop
    * TESTS: Make check_leaks static function
    * TESTS: Add warning for unused result of leak check functions
    * sss_client: Fix underflow of active_threads
    * sssd_client: Do not use removed memory cache
    * test_memory_cache: Test removing mc without invalidation
    * Revert "intg: Invalidate memory cache before removing files"
    * test_sysdb_subdomains: Do not use assignment in assertions
    * ldap_local_override_test: Fix failure with python2.6
    * sbus_codegen_tests: Use portable definition of large constants
    * CI: Update suppression file for 32bit el6
    * DEBUG: Add missing new lines
    * AD: Log SID in debug message
    * SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
    * SPEC: Move libsss_sudo.so outside sssd-common
    * SPEC: Fix unowned directories
    * SPEC: Use systemd macros
    * pam-srv-tests: Reuse test directory for IO tests
    * FAILOVER: Improve reporting of errors
    * TOOLS: Fix warning Wsign-compare
    * pysss_murmur: Fix warning Wsign-compare
    * pyhbac: Fix warning Wsign-compare
    * SPEC: Remove unnecessary clean-up of buildroot
    * SPEC: Fix packaging of libsss_simpleifp
    * CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL
    * TESTS: Fix race condition in python test
    * server-tests: Fix clean-up after successful test
    * PYTHON: sss_obfuscate should work with python3
    * PYTHON: Fix pep8 errors in sss_obfuscate
    * intg: Change preference of openldap module path
    * SPEC: Move libsss_autofs.so outside sssd-common
    * SPEC: Remove unnecessary requirements
    * sss_idmap-tests: Fix segmentation fault
    * krb5_child: Warn if user cannot read krb5.conf
    * Fix typos reported by lintian
    * UTIL: Use prefix for debug function
    * UTIL: Provide varargs version of debug_fn
    * IPA: Use sss_vdebug_fn in hbac_debug_messages
    * IPA: log real hbac function
    * HBAC: Check format string in hbac log function
    * UTIL: Use sss_vdebug_fn for callbacks
    * Revert "DEBUG: Preventing chown_debug_file if journald on"
    * DEBUG: Ignore ENOENT for change owner of log files
    * TOOLS: Fix minor memory leak in sss_colondb_writeline
    * CI: Use yum-deprecated instead of dnf
    * BUILD: Remove unused include directories
    * BUILD: Simplify build of cwrap tests
    * UTIL: Fix indentation in dlinklist.h
    * UTIL: Fix warning misleading-indentation
    * CLIENT: Reduce code duplication
    * CLIENT: Retry request after EPIPE
    * libipa_hbac: Ensure we always build with C90
    * UTIL: Do not call stderr with negative number
    * UTIL: Move debug part from util.h -> new debug.h
    * UTIL: Allow to append new line in sss_vdebug_fn
    * AUTOMAKE: Force usage of parallel test harness
    * CI: Use make check instead of make-check-wrap
    * IPA: Remove unused parameter from ipa_ext_group_member_check
    * SDAP: Remove unused parameter talloc context
    * test_ipa_subdom_server: Workaround for slow krb5 + SELinux
    * SPEC: Run extra unit tests with epel
    * GPO: Soften umask in gpo_child
    * GPO_CHILD: Create directories in gpo_cache with right permissions
    * GPO: Process GPOS in offline mode if ldap search failed
    * IPA: Check RDN in ipa_add_ad_memberships_get_next
    * dp_ptask: Fix memory leak in synchronous ptask
    * test_be_ptask: Check leaks in tests
    * test_ad_common: Include missing header if building with NSS
    * SYSDB_SUDO: Remove useless test
    * IPA_SUDO: Prevent dereference of NULL pointer
    * intg: Use different uid range for add_remove tests
    * LDAP: Print port in sdap_print_server
    * TOOLS: Fix warning maybe-uninitialized
    * pam-srv-tests: Increase cached_auth_timeout
    * CI: Exclude files in /tmp during coverage runs
    * pam-srv-tests: Fix warning unused-function
    * SPEC: Run sssd as privileged user 

Mathieu Deaudelin-Lemay (1):
    * Changes to allow SSSD to be used for access control with a machine
      account belonging to a domain controller.

Michal Židek (15):
    * SSSDConfig: Do not raise exception if config_file_version is missing
    * spec: Missing initgroups mmap file
    * util: Update get_next_domain's interface
    * tests: Add get_next_domain_flags test
    * sysdb: Include disabled domains in link_forest_roots
    * sysdb: Use get_next_domain instead of dom->next
    * Refactor some conditions
    * util: Continue if setlocale fails
    * server_setup: Log failed attempt to set locale
    * tests: Run intgcheck without libsemanage
    * tests: Regression test with wrong LC_ALL
    * ldap_local_override_test: Remove sss_cache from teardown
    * MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE
    * NSS: do not skip cache check for netgoups
    * GPO: log specific ini parse error messages 

Nikolai Kondrashov (15):
    * CI: Exclude whitespace_test from Valgrind checks
    * TESTS: Make whitespace_test pass without whitespace
    * man: Mention groups in filter_groups description
    * man: Note filter_groups are not affecting nesting
    * intg: Get base DN from LDAP connection object
    * intg: Add support for specifying all user attrs
    * intg: Split LDAP test fixtures for flexibility
    * intg: Reduce sssd.conf duplication in test_ldap.py
    * intg: Fix RFC2307bis group member creation
    * intg: Do not use non-existent pre-increment
    * CI: Do not skip tests not checked with Valgrind
    * CI: Handle dashes in valgrind-condense
    * intg: Fix all PEP8 issues
    * CI: Enforce coverage make check failures
    * intg: Add more LDAP tests 

Pavel Březina (131):
    * sbus codegen tests: free ctx
    * sss tools: improve option handling
    * cache_req: provide extra flag for oob request
    * cache_req: add support for UPN
    * cache_req tests: reduce code duplication
    * cache_req: remove raw_name and do not touch orig_name
    * intg: fix typos
    * sss_override: fix comment describing format
    * sss_override: explicitly set ret = EOK
    * sss_override: steal msgs string to objs
    * nss: send original name and id with local views if possible
    * sudo: search with view even if user is found
    * sudo: send original name and id with local views if possible
    * sss_tools: always show common and help options
    * sss_override: fix exporting multiple domains
    * sss_override: add user-find
    * sss_override: add group-find
    * sss_override: add user-show
    * sss_override: add group-show
    * sss_override: do not free ldb_dn in get_object_dn()
    * sss_override: use more generic help text
    * sss_tools: do not allow unexpected free argument
    * BE: Add IFP to known clients
    * AD: remove annoying debug message
    * man sssd-ad: fix typo
    * SYSDB: Add missing include to sysdb_services.h
    * LDAP: Mark globals in ldap_opts.h as extern
    * AD: Mark globals in ad_opts.h as extern
    * IPA: Mark globals in ipa_opts.h as extern
    * KRB5: Mark globals in krb5_opts.h as extern
    * SUDO: convert periodical refreshes to be_ptask
    * SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
    * SUDO: move offline check to handler
    * SUDO: simplify error handling
    * SUDO: fix sdap_id_op logic
    * SUDO: fix tevent style
    * SUDO: fix sdap_sudo_smart_refresh_recv()
    * SUDO: sdap_sudo_load_sudoers improve iterator
    * SUDO: set USN inside sdap_sudo_refresh request
    * SUDO: built host filter inside sdap_sudo_refresh request
    * SUDO: do not imitate full refresh if usn is unknown in smart refresh
    * SUDO: fix potential memory leak in sdap_sudo_init
    * SUDO: obtain host information when going online
    * SUDO: remove finalizer
    * SUDO: make sdap_sudo_handler static
    * SUDO: use size_t instead of int in for cycles
    * SUDO: get srv_opts after we are connected
    * AD SRV: prefer site-local DCs in LDAP ping
    * SDAP: handle ret properly in ldap_get_options()
    * SDAP: do not fail if refs are found but not processed
    * SDAP: Add request that iterates over all search bases
    * SDAP: rename sdap_get_id_specific_filter
    * SDAP: support empty filters in sdap_combine_filters()
    * SUDO: use sdap_search_bases instead custom sb iterator
    * SUDO: make sudo sysdb interface more reusable
    * SUDO: move code shared between ldap and ipa to separate module
    * SUDO: allow to disable ptask
    * SUDO: fail on failed request that cannot be retry
    * IPA: add ipa_get_rdn and ipa_check_rdn
    * SDAP: use ipa_get_rdn() in nested groups
    * IPA SUDO: choose between IPA and LDAP schema
    * IPA SUDO: Add ipasudorule mapping
    * IPA SUDO: Add ipasudocmdgrp mapping
    * IPA SUDO: Add ipasudocmd mapping
    * IPA SUDO: Implement sudo handler
    * IPA SUDO: Implement full refresh
    * IPA SUDO: Implement rules refresh
    * IPA SUDO: Remember USN
    * SDAP: Add sdap_or_filters
    * IPA SUDO: Implement smart refresh
    * SUDO: sdap_sudo_set_usn() do not steal usn
    * SUDO: remove full_refresh_in_progress
    * SUDO: assume zero if usn is unknown
    * SUDO: allow disabling full refresh
    * SUDO: remember usn as number instead of string
    * SUDO: simplify usn filter
    * IPA SUDO: Add support for ipaSudoRunAsExt* attributes
    * sdap_connect_send: fail if uri or sockaddr is NULL
    * MAKE: Do not compile generated header files
    * cache_req: simplify cache_req_cache_check()
    * cache_req: do not lookup views if possible
    * remove user certificate if not found on the server
    * IPA SUDO: download externalUser attribute
    * cache_req: bring together search parameters
    * cache_req: fix typo in debug message
    * cache_req: break cache_req_input_create into more functions
    * cache_req: rename debug_fqn to debugobj
    * cache_req: improve debugging
    * cache_req tests: remove unused users and groups
    * mock domain: reset ldb errors
    * cache_req tests: use leak check in test fixtures
    * cache_req tests: improve user and group creation
    * utils: return const char from dup_string_list
    * cache_req: add SID lookups
    * cache_req test: add lookup by sid
    * cache_req: hide input and pass parameters in struct
    * cache_req: rename cache_req_input to cache_req
    * cache_req: remove old comment
    * IPA SUDO: fix typo
    * IPA SUDO: support old ipasudocmd rdn
    * SUDO: be able to parse modifyTimestamp correctly
    * sudo: remove unused structure sudo_dp_request
    * sudo: use cache_req for initgroups
    * sudo: do not use tevent when parsing query
    * sudo: convert get_sudorules to tevent
    * Inform about (un)successful connection
    * Failover to next server if authentication fails
    * Remove braces from DEBUG statements
    * Rename dp_ptask to be_ptask
    * Rename dp_refresh.h to be_refresh.h
    * Rename dp_refresh.c to be_refresh.c
    * Rename dp_dyndns.h to be_dyndns.h
    * Rename dp_dyndns.c to be_dyndns.c
    * Rename dp_backend.h to backend.h
    * SBUS: Add sbus_conn_register_iface_map
    * SBUS: Add data provider errors
    * SBUS: Print debug message when handler fails
    * sdap_search_bases: allow map to be NULL
    * sdap_search_bases: allow returning only the first reply
    * sdap ops: add support for deref
    * DP: Introduce new interface for backend
    * DP: Add callback for backward compatibility
    * DP TESTS: Mock data_provider
    * DP TESTS: Add unit tests for dp_request_table.c
    * DP: Switch to new interface
    * RESPONDER: New interface for client registration
    * DP: Move be_req_acct and remove discard_const 

Pavel Reichl (39):
    * SDAP: Relax POSIX check
    * AD: fix minor memory leak
    * IPA: fix minor memory leak
    * SDAP: fix minor memory leak
    * PROXY: fix minor memory leak
    * sss_override: amend man page - overrides do not stack
    * DYNDNS: use realm and server commands only as fallback
    * DYNDNS: improve nsupdate_msg_add_fwd()
    * intg: fix assert messages in test_memory_cache
    * HBAC: remove misleading comment about deny rules
    * sudo: remove unused param. in ldap_get_sudo_options
    * autofs: remove unused params in del_autofs_entries
    * LDAP: remove unused param. in sdap_fallback_local_user
    * PAM: remove unused parameter cdb
    * sss_override: Remove unused parameter tool_ctx
    * SDAP: optional warning - sizelimit exceeded in POSIX check
    * SDAP: allow_paging in sdap_get_generic_ext_send()
    * SDAP: change type of attrsonly in sdap_get_generic_ext_state
    * SDAP: pass params in sdap_get_and_parse_generic_send
    * sss_override: Removed overrides might be in memcache
    * sudo: remove unused param name in sdap_sudo_get_usn()
    * pam-srv-tests: split pam_test_setup() so it can be reused
    * pam-srv-tests: Add UT for cached 'online' auth.
    * intg: Add test for user and group local overrides
    * sysdb-tests: Fix warning - incompatible pointer type
    * IDMAP: Fix computing max id for slice range
    * IDMAP: New structure for domain range params
    * IDMAP: Add support for automatic adding of ranges
    * IDMAP: Fix minor memory leak
    * IDMAP: Man change for ldap_idmap_range_size option
    * NSS: Fix memory leak netgroup
    * SDAP: Add error code to debug message
    * IDMAP: Add test to validate off by one bug
    * SDAP: Add return code ERR_ACCOUNT_LOCKED
    * PAM: Pass account lockout status and display message
    * IDMAP: Add minor performance improvements
    * IDMAP: Make parameter names more descriptive
    * DP TESTS: Add unit tests for dp_request.c
    * DP TESTS: Add unit tests for dp_builtin.c 

Petr Cech (56):
    * TESTS: Fixing of uninitialized pointer.
    * HBAC: Better libhbac debugging
    * REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)
    * REFACTOR: DFL_RSP_UMASK constant in responder code
    * REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
    * REFACTOR: SCKT_RSP_UMASK constant in responder code
    * P11_CHILD_NSS: More restrictive permissions
    * UTILS: More restrictive permissions in domain_info
    * UTIL-TESTS: More restrictive permissions
    * TESTS: More restrictive permissions in debug_tests
    * TESTS: Restrictive permissions in check_and_open
    * DEBUG: Preventing chown_debug_file if journald on
    * KRB5_CHILD: More restrictive umask
    * UTIL: More restrictive umask on sss_unique_file()
    * TEST: Add test_user_by_recent_filter_valid
    * TEST: Refactor of test_responder_cache_req.c
    * TEST: Refactor of test_responder_cache_req.c
    * TEST: Add common function are_values_in_array()
    * TEST: Add test_users_by_recent_filter_valid
    * TEST: Add test_group_by_recent_filter_valid
    * TEST: Refactor of test_responder_cache_req.c
    * TEST: Add test_groups_by_recent_filter_valid
    * IPA_PROVIDER: Explicit no handle of services
    * KRB5_CHILD: Debug logs for PAC timeout
    * KRB5: Adding DNS SRV lookup for krb5 provider
    * TOOLS: Fix memory leak after getline() failed
    * TOOLS: Add comments on functions in colondb
    * TEST_TOOLS_COLONDB: Add tests for sss_colondb_*
    * TESTS: global_talloc_context push/pop remove
    * NEGCACHE: Fixing typo in test_sss_ncache_gid()
    * NEGCACHE: Removing of condition for ttl = -1
    * SYSDB: Add new funtions into sysdb_sudo
    * TESTS: Test of sysdb_search_sudo_rules
    * SSS_CACHE: Refactor
    * TOOL: Invalidation of sudo rules at sss_cache
    * AUTOFS: Removing of redudant debug message
    * TEST: Removing duplication of mock_rctx
    * NEGCACHE: Adding timeout to struct sss_nc_ctx
    * NEGCACHE: Removing timeout from sss_ncache_check_*
    * NEGCACHE: Adding getter for timeout
    * RESPONDER: Removing neg_timeout from pam responder
    * RESPONDER: Removing neg_timeout from pac_ctx
    * RESPONDER: Removing neg_timeout from sudo resp.
    * RESPONDER: Removing neg_timeout from ifp repsonder
    * RESPONDER: Removing neg_timeout from nss responder
    * RESPONDERS: Negcache in resp_ctx preparing
    * RESPONDER: Removing ncache from nss_ctx
    * RESPONDER: Removing ncache from ifp_ctx
    * RESPONDER: Removing ncache from pac_ctx
    * RESPONDER: Removing ncache from pam_ctx
    * RESPONDER: Removing ncache from sudo_ctx
    * RESPONDER: Removing of redudant function
    * AD_PROVIDER: Fix constant char *
    * RESPONDERS: Negative caching of local users
    * TEST: New tests for negative caching of locals 

Robert Antoni Buj Gelonch (1):
    * Add Catalan translation to LINGUAS 

Simo Sorce (6):
    * Krb5/PAM: Fix account lockout error handling
    * Util: Improve code to get connection credentials
    * Util: Move socket setup in a common utility file
    * Util: Set socket options and flags separately
    * Util Sockets: Tidy up connect() handling
    * Responders: Fix client destructor 

Stephen Gallagher (11):
    * LDAP: Inform about small range size
    * Monitor: Show service pings at debug level 8
    * GPO: Add Cockpit to the Remote Interactive defaults
    * GPO: Add other display managers to interactive logon
    * Netlink: Ignore RTM_NEWADDR signals from link-local
    * GPO: Add "unity" to ad_gpo_map_interactive
    * UTIL: Add secure copy function
    * CONFIG: Use default config when none provided
    * GPO: Add "polkit-1" to ad_gpo_map_allow
    * DEBUG: Add debug alias for debug_level 

Sumit Bose (69):
    * PAM: only allow missing user name for certificate authentication
    * fix ldb_search usage
    * fix upn cache_req for sub-domain users
    * nss: fix UPN lookups for sub-domain users
    * DP: successful authentication sets explicitly PAM_SUCCESSS
    * NSS: fix a use-after-free issue
    * pam-srv-tests: Change service name
    * cache_req: check all domains for lookups by certificate
    * IPA: fix override with the same name
    * p11: allow p11_child to run completely unprivileged
    * p11: check if cert is valid before selecting it
    * p11: enable ocsp checks
    * ldap: skip sdap_save_grpmem() if ignore_group_members is set
    * initgr: only search for primary group if it is not already cached
    * LDAP: check early for missing SID in mapping check
    * nfs idmap: fix infinite loop
    * ipa_s2n_save_objects(): use configured user and group timeout
    * Use right domain for user lookups
    * sdap_save_grpmem: determine domain by SID if possible
    * ldap: remove originalMeberOf if there is no memberOf
    * UTIL: allow to skip default options for child processes
    * DP_TASK: add be_ptask_get_timeout()
    * AD: add task to renew the machine account password if needed
    * FO: add fo_get_active_server()
    * FO: add be_fo_get_active_server_name()
    * AD: try to use current server in the renewal task
    * p11: add gnome-screensaver to list of allowed services
    * Just return NULL if tevent_req_create() fails
    * subdomains: inherit ldap_krb5_keytab
    * IPA: lookup idview name even if there is no master domain record
    * IPA: invalidate override data if original view is missing
    * sdap: improve filtering of multiple results in GC lookups
    * pam_sss: reorder pam_message array
    * SDAP: make some AD specific calls public
    * LDAP: refactor sdap_ad_tokengroups_initgr_mapping_done()
    * util: make concatenate_string_array() reusable
    * AD: process PAC during initgroups request
    * IPA: rename ipa_s2n_get_fqlist* to ipa_s2n_get_list*
    * IPA: ipa_s2n_get_list_send() allow other list types
    * IPA: resolve PAC for trusted users on IPA clients
    * PAC: only save PAC blob into the cache
    * sss_override: do not generate DN, search object
    * tools: read additional data of the master domain
    * sss_override: only add domain if name is not fully qualified
    * intg: local override for user with mixed case name
    * krb5_auth_store_creds: silence spurious debug message
    * build: move ndr_krb5pac check to the other Samba checks
    * IPA: terminate properly if view name lookup fails
    * IPA: use forest name when looking up the Global Catalog
    * libwbclient: wbcSidsToUnixIds() don't fail on errors
    * AD: use krb5_keytab for subdomain initialization
    * p11: add missing man page entry and config API
    * p11: add no_verification option
    * p11: add OCSP default responder options
    * PAM: add pam_sss option allow_missing_name
    * p11: add PKCS11_LOGIN_TOKEN_NAME environment variable
    * sysdb: add sysdb_attrs_add_base64_blob()
    * sysdb: add searches by certificate with overrides
    * cache_req: use overide aware call for lookup by certificate
    * ipa: add support for certificate overrides
    * nss: include certificates in full result list
    * ipa: save cert as blob in the cache
    * AD: read user certificate if available
    * nss: return user certificate base64 encoded
    * sss_override: add certificate support
    * IPA: allow lookups by cert in sub-domains on the client
    * NSS: add SSS_NSS_GETNAMEBYCERT request
    * nss-idmap: add sss_nss_getnamebycert()
    * ssh: skip invalid certificates 

Freeipa-interest mailing list

Reply via email to