Big win for many: Local files and fallback... I've socialized. Thank you!

Regards,

David Sirrine
Principal Technical Account Manager, Public Sector
Strategic Customer Engagement
804-343-6037 (Office)
804-212-7510 (Cell)

On Mon, Mar 6, 2017 at 2:13 PM, Ellen Newlands <enewl...@redhat.com> wrote:

> Congratulations!  Very solid work here.
>
> On Sat, Mar 4, 2017 at 1:50 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>> SSSD 1.15.1
>> ===========
>>
>> The SSSD team is proud to announce the release of version 1.15.1 of the
>> System Security Services Daemon.
>>
>> This is the first release that is available from SSSD's new home
>> at https://pagure.io/SSSD/sssd The tarball can be downloaded from
>> https://releases.pagure.org/SSSD/sssd/
>> RPM packages will be made available for Fedora shortly.
>>
>> Feedback
>> --------
>> Please provide comments, bugs and other feedback via the sssd-devel or
>> sssd-users mailing lists:
>>     https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>>     https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>
>> Highlights
>> ----------
>>  * Several issues related to starting the SSSD services on-demand via
>>    socket activation were fixed. In particular, it is no longer possible
>>    to have a service started both by sssd and socket-activated. Another
>>    bug which might have caused the responder to start before SSSD started
>>    and cause issues especially on system startup was fixed.
>>  * A new 'files' provider was added. This provider mirrors the contents
>>    of '/etc/passwd' and '/etc/shadow' into the SSSD database. The purpose
>>    of this new provider is to make it possible to use SSSD's interfaces,
>>    such as the D-Bus interface for local users and enable leveraging the
>>    in-memory fast cache for local users as well, as a replacement for
>>    `nscd`. In future, we intend to extend the D-Bus interface to also
>>    provide setting and retrieving additional custom attributes for the
>>    files users.
>>  * SSSD now autogenerates a fallback configuration that enables the
>>    files domain if no SSSD configuration exists. This allows distributions
>>    to enable the 'sssd' service when the SSSD package is installed. Please
>>    note that SSSD must be built with the configuration option
>>    '--enable-files-domain' for this functionality to be enabled.
>>  * Support for public-key authentication with Kerberos (PKINIT) was
>>    added. This support will enable users who authenticate with a Smart
>>    Card to obtain a Kerberos ticket during authentication.
>>
>> Packaging Changes
>> -----------------
>>  * The new files provider comes as a new shared library 'libsss_files.so'
>>    and a new manual page
>>  * A new helper binary called 'sssd_check_socket_activated_responders'
>>    was added. This binary is used in the 'ExecStartPre' directive to check
>>    if the service that corresponds to socket about to be started was also
>>    started explicitly and abort the socket startup if it was.
>>
>> Documentation Changes
>> ---------------------
>>  * A new PAM module option 'prompt_always' was added. This option is
>>    related to fixing https://pagure.io/SSSD/sssd/issue/2984 which
>>    changed the behaviour of the PAM module so that 'pam_sss' always
>>    uses an auth token that was on stack. The new 'prompt_always' option
>>    makes it possible to restore the previous behaviour.
>>
>> Tickets Fixed
>> -------------
>>  * https://pagure.io/SSSD/sssd/issue/3112 - When sssd.conf is missing,
>>    create one with id_provider=files
>>  * https://pagure.io/SSSD/sssd/issue/3220 - Improve successful Dynamic
>>    DNS update log messages
>>  * https://pagure.io/SSSD/sssd/issue/3227 - sssd doesn't update PTR
>>    records if A/PTR zones are configured as non-secure and secure
>>  * https://pagure.io/SSSD/sssd/issue/3230 - Use the same logic for
>>    matching GC results in initgroups and user lookups
>>  * https://pagure.io/SSSD/sssd/issue/3260 - handle default_domain_suffix
>>    for ssh requests with default_domain_suffix
>>  * https://pagure.io/SSSD/sssd/issue/3262 - Implement a files provider
>>    to mirror the contents of /etc/passwd and /etc/groups
>>  * https://pagure.io/SSSD/sssd/issue/3270 - [RFE] Add PKINIT support to
>>    SSSD Kerberos proivder
>>  * https://pagure.io/SSSD/sssd/issue/3298 - Socket activation of SSSD
>>    doesn't work and leads to chaos
>>  * https://pagure.io/SSSD/sssd/issue/3299 - SSSD does not start if using
>>    only the local provider and services line is empty
>>  * https://pagure.io/SSSD/sssd/issue/3300 - Avoid running two instances
>>    of the same service
>>  * https://pagure.io/SSSD/sssd/issue/3309 - Coverity warns about an
>>    unused value in IPA sudo code
>>  * https://pagure.io/SSSD/sssd/issue/3313 - cache_req should use an
>>    negative cache entry for UPN based lookups
>>  * https://pagure.io/SSSD/sssd/issue/2984 - Don't prompt for password if
>>    there is already one on the stack
>>  * https://pagure.io/SSSD/sssd/issue/1126 - Reuse cache_req() in
>>    responder code
>>
>> Detailed Changelog
>> ------------------
>>  * Fabiano Fidêncio (11):
>>
>>    * IFP: Update ifp_iface_generated.c
>>    * MONITOR: Wrap up sending sd_notify "ready" into a new function
>>    * MONITOR: Don't timeout if using local provider + socket-activated
>>      responders
>>    * MONITOR: Don't return an error in case we fail to register a service
>>    * SYSTEMD: Add "After=sssd.service" to the responders' sockets units
>>    * SYSTEMD: Avoid starting a responder socket in case SSSD is not
>>      started
>>    * SYSTEMD: Don't mix up responders' socket and monitor activation
>>    * SYSTEMD: Force responders to refuse manual start
>>    * CACHE_REQ: Add cache_req_data_set_bypass_cache()
>>    * PAM: Use cache_req to perform initgroups lookups
>>    * TESTS: Adapt pam-srv-tests to deal with cache_req related changes
>>
>>  * Jakub Hrozek (42):
>>
>>    * Updating the version to track the 1.15.1 release
>>    * AD: Use ad_domain to match forest root domain, not the configured
>>      domain from sssd.conf
>>    * SUDO: Only store lowercased attribute value once
>>    * NEGCACHE: Add API to reset all users and groups
>>    * NSS: Add sbus interface to clear memory cache
>>    * UTIL: Add a new domain state called DOM_INCONSISTENT
>>    * RESPONDER: Add a responder sbus interface to set domain state
>>    * RESPONDER: A sbus interface to reset negatively cached users and
>>      groups
>>    * DP: Add internal DP interface to set domain state
>>    * DP: Add internal interface to reset negative cache from DP
>>    * DP: Add internal interface to invalidate memory cache from DP
>>    * RESPONDER: Use the NEED_CHECK_DOMAIN macro
>>    * RESPONDER: Include the files provider in NEEDS_CHECK_PROVIDER
>>    * RESPONDER: Contact inconsistent domains
>>    * UTIL: Add a generic inotify module
>>    * CONFDB: Re-enable the files provider
>>    * FILES: Add the files provider
>>    * CONFDB: Make pwfield configurable per-domain
>>    * CONFDB: The files domain defaults to "x" as pwfield
>>    * MAN: Document the pwfield configuration option
>>    * TESTS: move helper fixtures to back up and restore a file to a
>>      utility module
>>    * TESTS: add a helper module with shared NSS constants
>>    * TESTS: Add a module to call nss_sss's getpw* from tests
>>    * TESTS: Add a module to call nss_sss's getgr* from tests
>>    * TESTS: Add files provider integration tests
>>    * MONITOR: Remove checks for sssd.conf changes
>>    * MONITOR: Use the common inotify code to watch resolv.conf
>>    * MAN: Add documentation for the files provider
>>    * EXAMPLES: Do not point to id_provider=local
>>    * SBUS: Document how to free the result of sbus_create_message
>>    * FILES: Fix reallocation logic
>>    * TESTS: Remove unused import
>>    * DOC: Deprecate README, add README.md
>>    * MONITOR: Enable an implicit files domain if one is not configured
>>    * TESTS: Enable the files domain for all integration tests
>>    * TESTS: Test the files domain autoconfiguration
>>    * CONFDB: Refactor reading the config file
>>    * CONFDB: If no configuration file is provided, create a fallback
>>      configuration
>>    * UTIL: Store UPN suffixes when creating a new subdomain
>>    * SYSDB: When searching for UPNs, search either the whole DB or only
>>      the given domain
>>    * CACHE_REQ: Only search the given domain when looking up entries by
>>      UPN
>>    * Updating translations for the 1.15.1 release
>>
>>  * Justin Stephenson (5):
>>
>>    * FAILOVER: Improve port status log messages
>>    * SUDO: Add skip_entry boolean to sudo conversions
>>    * TESTS: Add to IPA DN test
>>    * DYNDNS: Update PTR record after non-fatal error
>>    * DYNDNS: Correct debug log message of realm
>>
>>  * Lukas Slebodnik (13):
>>
>>    * BUILD: Fix linking of test_wbc_calls
>>    * Suppres implicit-fallthrough from gcc 7
>>    * pam_sss: Suppress warning format-truncation
>>    * TOOLS: Fix warning format-truncation
>>    * sssctl: Fix warning may be used uninitialized
>>    * ldap_child: Fix use after free
>>    * SYSTEMD: Update journald drop-in file
>>    * Partially revert "CONFIG: Use default config when none provided"
>>    * BUILD: Fix linking of test_sdap_initgr
>>    * intg: Fix python3 issues
>>    * FILES: Remove unnecessary check
>>    * Update link to commit template
>>    * Use pagure links as a reference to upstream
>>
>>  * Pavel Březina (17):
>>
>>    * SBUS: remove unused symbols
>>    * SBUS: use sss_ptr_hash for opath table
>>    * SBUS: use sss_ptr_hash for nodes table
>>    * SBUS: use sss_ptr_hash for signals table
>>    * ssh: fix number of output certificates
>>    * ssh: do not create again fq name
>>    * sss_parse_inp_send: provide default_domain as parameter
>>    * cache_req: add ability to not use default domain suffix
>>    * cache_req: search user by name with attrs
>>    * cache_req: add api to create ldb_result from message
>>    * cache_req: move dp request to plugin
>>    * cache_req: add host by name search
>>    * ssh: rewrite ssh responder to use cache_req
>>    * ssh: fix typo
>>    * cache_req: always go to dp first when looking up host
>>    * NSS: Rename the interface to invalidate memory cache initgroup
>>      records for consistency
>>    * CONFDB: The files provider always enumerates
>>
>>  * Petr Čech (5):
>>
>>    * LDAP: Better logging message
>>    * SYSDB: Removing of sysdb_try_to_find_expected_dn()
>>    * TEST: create_multidom_test_ctx() extending
>>    * TESTS: Tests for sdap_search_initgr_user_in_batch
>>    * IPA_SUDO: Unused value fix
>>
>>  * Sumit Bose (17):
>>
>>    * sdap_extend_map: make sure memory can be freed
>>    * check_duplicate: check name member before using it
>>    * pam_sss: check conversation callback
>>    * PAM: store user object in the preq context
>>    * PAM: fix memory leak in pam_sss
>>    * PAM: use sentinel error code in PAM tests
>>    * utils: new error codes
>>    * LDAP/proxy: tell frontend that Smartcard auth is not supported
>>    * authtok: enhance support for Smartcard auth blobs
>>    * PAM: forward Smartcard credentials to backends
>>    * p11: return name of PKCS#11 module and key id to pam_sss
>>    * pam: enhance Smartcard authentication token
>>    * KRB5: allow pkinit pre-authentication
>>    * authtok: fix tests on big-endian
>>    * pam: use authtok from PAM stack if available
>>    * cache_req: use own namespace for UPNs
>>    * PAM: Improve debugging on smartcard creds forward
>>
>> _______________________________________________
>> Freeipa-interest mailing list
>> Freeipa-interest@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-interest
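The socket-activation conflict described in the Highlights and Packaging Changes of the quoted announcement, as an added example that is not part of the original thread and not SSSD's own code: a Python check that reports responders listed in the `services` option of sssd.conf that also have an enabled socket unit. The sample configuration, the unit list and the `sssd-<responder>.socket` unit naming are assumptions constructed for illustration.

```python
import configparser

# Assumed naming of responder socket units: sssd-<responder>.socket
SOCKET_PREFIX = "sssd-"
SOCKET_SUFFIX = ".socket"


def explicit_services(sssd_conf_text):
    """Responders started explicitly by sssd (the [sssd] 'services' option)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(sssd_conf_text)
    # A missing [sssd] section or an empty services line yields an empty set.
    raw = parser.get("sssd", "services", fallback="")
    return {name.strip() for name in raw.split(",") if name.strip()}


def socket_responders(enabled_units):
    """Responders that would be started on demand by an enabled socket unit."""
    found = set()
    for unit in enabled_units:
        if unit.startswith(SOCKET_PREFIX) and unit.endswith(SOCKET_SUFFIX):
            found.add(unit[len(SOCKET_PREFIX):-len(SOCKET_SUFFIX)])
    return found


def conflicting_responders(sssd_conf_text, enabled_units):
    """Responders configured both ways; only one start method should be used."""
    both = explicit_services(sssd_conf_text) & socket_responders(enabled_units)
    return sorted(both)


# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = files

[domain/files]
id_provider = files
"""
SAMPLE_UNITS = ["sssd-nss.socket", "sssd-sudo.socket", "dbus.socket"]

if __name__ == "__main__":
    for name in conflicting_responders(SAMPLE_CONF, SAMPLE_UNITS):
        print(f"responder '{name}' is in services= and has an enabled socket unit")
```
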