Congratulations! Very solid work here. On Sat, Mar 4, 2017 at 1:50 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> SSSD 1.15.1 > =========== > > The SSSD team is proud to announce the release of version 1.15.1 of the > System Security Services Daemon. > > This is the first release that is available from SSSD's new home > at https://pagure.io/SSSD/sssd The tarball can be downloaded from > https://releases.pagure.org/SSSD/sssd/ > RPM packages will be made available for Fedora shortly. > > Feedback > -------- > Please provide comments, bugs and other feedback via the sssd-devel or > sssd-users mailing lists: > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel > https://lists.fedorahosted.org/mailman/listinfo/sssd-users > > Highlights > ---------- > * Several issues related to starting the SSSD services on-demand via > socket activation were fixed. In particular, it is no longer possible > to have a service started both by sssd and socket-activated. Another > bug which might have caused the responder to start before SSSD started > and cause issues especially on system startup was fixed. > * A new 'files' provider was added. This provider mirrors the contents > of '/etc/passwd' and '/etc/shadow' into the SSSD database. The purpose > of this new provider is to make it possible to use SSSD's interfaces, > such as the D-Bus interface for local users and enable leveraging the > in-memory fast cache for local users as well, as a replacement for > `nscd`. > In future, we intend to extend the D-Bus interface to also provide > setting > and retrieving additional custom attributes for the files users. > * SSSD now autogenerates a fallback configuration that enables the > files domain if no SSSD configuration exists. This allows distributions > to enable the 'sssd' service when the SSSD package is installed. Please > note that SSSD must be build with the configuration option > '--enable-files-domain' for this functionality to be enabled. > * Support for public-key authentication with Kerberos (PKINIT) was > added. This support will enable users who authenticate with a Smart Card > to obtain a Kerberos ticket during authentication. > > Packaging Changes > ----------------- > * The new files provider comes as a new shared library 'libsss_files.so' > and a new manual page > * A new helper binary called 'sssd_check_socket_activated_responders' > was added. This binary is used in the 'ExecStartPre' directive to check > if the service that corresponds to socket about to be started was also > started explicitly and abort the socket startup if it was. > > Documentation Changes > --------------------- > * A new PAM module option 'prompt_always' was added. This option is > related to fixing https://pagure.io/SSSD/sssd/issue/2984 which > changed the behaviour of the PAM module so that 'pam_sss' always > uses an auth token that was on stack. The new 'prompt_always' option > makes it possible to restore the previous behaviour. > > Tickets Fixed > ------------- > * https://pagure.io/SSSD/sssd/issue/3112 - When sssd.conf is missing, > create one with id_provider=files > * https://pagure.io/SSSD/sssd/issue/3220 - Improve successful Dynamic > DNS update log messages > * https://pagure.io/SSSD/sssd/issue/3227 - sssd doesn't update PTR > records if A/PTR zones are configured as non-secure and secure > * https://pagure.io/SSSD/sssd/issue/3230 - Use the same logic for > matching GC results in initgroups and user lookups > * https://pagure.io/SSSD/sssd/issue/3260 - handle default_domain_suffix > for ssh requests with default_domain_suffix > * https://pagure.io/SSSD/sssd/issue/3262 - Implement a files provider to > mirror the contents of /etc/passwd and /etc/groups > * https://pagure.io/SSSD/sssd/issue/3270 - [RFE] Add PKINIT support to > SSSD Kerberos proivder > * https://pagure.io/SSSD/sssd/issue/3298 - Socket activation of SSSD > doesn't work and leads to chaos > * https://pagure.io/SSSD/sssd/issue/3299 - SSSD does not start if using > only the local provider and services line is empty > * https://pagure.io/SSSD/sssd/issue/3300 - Avoid running two instances > of the same service > * https://pagure.io/SSSD/sssd/issue/3309 - Coverity warns about an > unused value in IPA sudo code > * https://pagure.io/SSSD/sssd/issue/3313 - cache_req should use an > negative cache entry for UPN based lookups > * https://pagure.io/SSSD/sssd/issue/2984 - Don't prompt for password if > there is already one on the stack > * https://pagure.io/SSSD/sssd/issue/1126 - Reuse cache_req() in > responder code > > Detailed Changelog > ------------------ > * Fabiano Fidêncio (11): > > * IFP: Update ifp_iface_generated.c > * MONITOR: Wrap up sending sd_notify "ready" into a new function > * MONITOR: Don't timeout if using local provider + socket-activated > responders > * MONITOR: Don't return an error in case we fail to register a service > * SYSTEMD: Add "After=sssd.service" to the responders' sockets units > * SYSTEMD: Avoid starting a responder socket in case SSSD is not started > * SYSTEMD: Don't mix up responders' socket and monitor activation > * SYSTEMD: Force responders to refuse manual start > * CACHE_REQ: Add cache_req_data_set_bypass_cache() > * PAM: Use cache_req to perform initgroups lookups > * TESTS: Adapt pam-srv-tests to deal with cache_req related changes > > * Jakub Hrozek (42): > > * Updating the version to track the 1.15.1 release > * AD: Use ad_domain to match forest root domain, not the configured > domain from sssd.conf > * SUDO: Only store lowercased attribute value once > * NEGCACHE: Add API to reset all users and groups > * NSS: Add sbus interface to clear memory cache > * UTIL: Add a new domain state called DOM_INCONSISTENT > * RESPONDER: Add a responder sbus interface to set domain state > * RESPONDER: A sbus interface to reset negatively cached users and > groups > * DP: Add internal DP interface to set domain state > * DP: Add internal interface to reset negative cache from DP > * DP: Add internal interface to invalidate memory cache from DP > * RESPONDER: Use the NEED_CHECK_DOMAIN macro > * RESPONDER: Include the files provider in NEEDS_CHECK_PROVIDER > * RESPONDER: Contact inconsistent domains > * UTIL: Add a generic inotify module > * CONFDB: Re-enable the files provider > * FILES: Add the files provider > * CONFDB: Make pwfield configurable per-domain > * CONFDB: The files domain defaults to "x" as pwfield > * MAN: Document the pwfield configuration option > * TESTS: move helper fixtures to back up and restore a file to a > utility module > * TESTS: add a helper module with shared NSS constants > * TESTS: Add a module to call nss_sss's getpw* from tests > * TESTS: Add a module to call nss_sss's getgr* from tests > * TESTS: Add files provider integration tests > * MONITOR: Remove checks for sssd.conf changes > * MONITOR: Use the common inotify code to watch resolv.conf > * MAN: Add documentation for the files provider > * EXAMPLES: Do not point to id_provider=local > * SBUS: Document how to free the result of sbus_create_message > * FILES: Fix reallocation logic > * TESTS: Remove unused import > * DOC: Deprecate README, add README.md > * MONITOR: Enable an implicit files domain if one is not configured > * TESTS: Enable the files domain for all integration tests > * TESTS: Test the files domain autoconfiguration > * CONFDB: Refactor reading the config file > * CONFDB: If no configuration file is provided, create a fallback > configuration > * UTIL: Store UPN suffixes when creating a new subdomain > * SYSDB: When searching for UPNs, search either the whole DB or only > the given domain > * CACHE_REQ: Only search the given domain when looking up entries by UPN > * Updating translations for the 1.15.1 release > > * Justin Stephenson (5): > > * FAILOVER: Improve port status log messages > * SUDO: Add skip_entry boolean to sudo conversions > * TESTS: Add to IPA DN test > * DYNDNS: Update PTR record after non-fatal error > * DYNDNS: Correct debug log message of realm > > * Lukas Slebodnik (13): > > * BUILD: Fix linking of test_wbc_calls > * Suppres implicit-fallthrough from gcc 7 > * pam_sss: Suppress warning format-truncation > * TOOLS: Fix warning format-truncation > * sssctl: Fix warning may be used uninitialized > * ldap_child: Fix use after free > * SYSTEMD: Update journald drop-in file > * Partially revert "CONFIG: Use default config when none provided" > * BUILD: Fix linking of test_sdap_initgr > * intg: Fix python3 issues > * FILES: Remove unnecessary check > * Update link to commit template > * Use pagure links as a reference to upstream > > * Pavel Březina (17): > > * SBUS: remove unused symbols > * SBUS: use sss_ptr_hash for opath table > * SBUS: use sss_ptr_hash for nodes table > * SBUS: use sss_ptr_hash for signals table > * ssh: fix number of output certificates > * ssh: do not create again fq name > * sss_parse_inp_send: provide default_domain as parameter > * cache_req: add ability to not use default domain suffix > * cache_req: search user by name with attrs > * cache_req: add api to create ldb_result from message > * cache_req: move dp request to plugin > * cache_req: add host by name search > * ssh: rewrite ssh responder to use cache_req > * ssh: fix typo > * cache_req: always go to dp first when looking up host > * NSS: Rename the interface to invalidate memory cache initgroup > records for consistency > * CONFDB: The files provider always enumerates > > * Petr Čech (5): > > * LDAP: Better logging message > * SYSDB: Removing of sysdb_try_to_find_expected_dn() > * TEST: create_multidom_test_ctx() extending > * TESTS: Tests for sdap_search_initgr_user_in_batch > * IPA_SUDO: Unused value fix > > * Sumit Bose (17): > > * sdap_extend_map: make sure memory can be freed > * check_duplicate: check name member before using it > * pam_sss: check conversation callback > * PAM: store user object in the preq context > * PAM: fix memory leak in pam_sss > * PAM: use sentinel error code in PAM tests > * utils: new error codes > * LDAP/proxy: tell frontend that Smartcard auth is not supported > * authtok: enhance support for Smartcard auth blobs > * PAM: forward Smartcard credentials to backends > * p11: return name of PKCS#11 module and key id to pam_sss > * pam: enhance Smartcard authentication token > * KRB5: allow pkinit pre-authentication > * authtok: fix tests on big-endian > * pam: use authtok from PAM stack if available > * cache_req: use own namespace for UPNs > * PAM: Improve debugging on smartcard creds forward > > _______________________________________________ > Freeipa-interest mailing list > Freeipa-interest@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-interest
_______________________________________________ Freeipa-interest mailing list Freeipa-interest@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-interest