=== SSSD 1.13.0 ===

The SSSD team is proud to announce the release of version 1.13.0 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* Support for separate prompts when using two-factor authentication was added
* Added support for one-way trusts between an IPA and Active Directory
  environment. Please note that this SSSD functionality depends on IPA code
  that is not released at the moment.
* The fast memory cache now also supports the initgroups operation.
* The PAM responder is now capable of caching authentication for configurable
  period, which might reduce server load in cases where accounts authenticate
  very frequently. Please refer to the cached_auth_timeout option in the
  sssd.conf manual page.
* The Active Directory provider has changed the default value of the
  ad_gpo_access_control option from permissive to enforcing. As a consequence,
  the GPO access control now affects all clients that set access_provider to
  ad. In order to restore the previous behaviour, set ad_gpo_access_control
  to permissive or use a different access_provider type.
* Group Policy objects defined in a different AD domain that the computer
  object is defined in are now supported.
* Credential caching and Offline authentication are also available when
  using two-factor authentication
* Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users
  and groups are now exposed as first-class objects. The users and groups
  can also be marked as cached and would subsequently show up in the
  Introspection output
* The DBus interface is now also able to look up User objects by
  certificate. This is a first part of work that will eventually allow
  smart-card authentication in SSSD.
* The LDAP cleanup task is now disabled by default, unless enumeration is
  enabled. Please refer to the ldap_purge_cache_timeout option in case your
  environment requires the cleanup task
* The Python bindings are now built for both Python2 and Python3
* The LDAP bind timeout, StartTLS timeout and password change timeout are
  now configurable using the ldap_opt_timeout option

== Packaging Changes ==

* A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa
  subpackage. The SSSD stores keytabs for one-way trust relationships in
  this directory. Downstreams should make sure that the directory is only
  readable to the user who runs the SSSD service.
* Several packaging changes are present in this release to support the
  Python3 bindings, notably new python-sss and python-sss-murmur subpackages
  are introduced in upstream RPM packaging
* All python bindings now have a Python3 and a Python2 version in the
  upstream RPM packaging scheme
* The OpenSSL development library such as openssl-devel on RHEL/Fedora or
  Debian/Ubuntu? libssl-dev is now required to support certificate operations
* A new internal library libsss_cert.so is present in this release.
* The fast initgroups memcache is represented by a new file
  /var/lib/sss/mc/initgroups

== Documentation Changes ==

* The ad_gpo_access_control option default has changed from permissive
  to enforcing
* The default value of ldap_purge_cache_timeout changed to 0, thus
  effectivelly disabling the cleanup task.
* A new option cache_credentials_minimal_first_factor_length was added. This
  option sets constraints on the password length if One-Time passwords
  are used and credentials are to be cached. Please see the sssd.conf(5)
  man page for more details
* The cached authentication is controlled by new option
  cached_auth_timeout. By default the cached authentication is disabled.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/897
    sssd should pass -d to nsupdate when running with high log level
https://fedorahosted.org/sssd/ticket/1501
    Make the LDAP bind operation timeout configurable
https://fedorahosted.org/sssd/ticket/2150
    [RFE] Expose listing calls over D-BUS
https://fedorahosted.org/sssd/ticket/2224
    nsupdate stderr is not captured
https://fedorahosted.org/sssd/ticket/2236
    The cleanup task has no DEBUG statements
https://fedorahosted.org/sssd/ticket/2326
    SBUS: Flush the UID cache when we receive NameOwnerChanged
https://fedorahosted.org/sssd/ticket/2338
    [RFE] Implement object caching on the bus
https://fedorahosted.org/sssd/ticket/2339
    IFP: support multiple interfaces for object
https://fedorahosted.org/sssd/ticket/2540
    SSSD does not update Dynamic DNS records if the IPA domain differs
    from machine hostname's domain
https://fedorahosted.org/sssd/ticket/2569
    In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA
    user are not able to log unless use_fully_qualified_names is set
https://fedorahosted.org/sssd/ticket/2574
    SSSD should be able to build python2 and python3 bindings in a one build
https://fedorahosted.org/sssd/ticket/2583
    [RFE] Homedir is always overwritten with subdomain_homedir value in
    server mode
https://fedorahosted.org/sssd/ticket/2593
    Does sssd-ad use the most suitable attribute for group name?
https://fedorahosted.org/sssd/ticket/2603
    Make SSSD's HBAC validation more permissive if deny rules are not used
https://fedorahosted.org/sssd/ticket/2609
    [bug] sssd always appends default_domain_suffix when checking for host keys
https://fedorahosted.org/sssd/ticket/2618
    Man sssd-ad(5) lists Group Policy Management Editor naming for some
    policies but not for all
https://fedorahosted.org/sssd/ticket/2620
    id_provider=proxy with auth_provider=ldap does not work reliably
https://fedorahosted.org/sssd/ticket/2625
    Sudo responder does not respect filter_users and filter_groups
https://fedorahosted.org/sssd/ticket/2627
    Disable the cleanup task by default
https://fedorahosted.org/sssd/ticket/2636
    RFE: Fetch keytabs for one-way trusts in IPA subdomain code
https://fedorahosted.org/sssd/ticket/2638
    RFE: Change ad_id_ctx instantiation in the IPA subdomain code to
    support one-way trusts
https://fedorahosted.org/sssd/ticket/2645
    [RFE] Support GPOs from different domain controllers
https://fedorahosted.org/sssd/ticket/2661
    RFE: Change AD GPO default to enforcing
https://fedorahosted.org/sssd/ticket/2666
    sssd with ldap backend throws error domain log
https://fedorahosted.org/sssd/ticket/1807
    [RFE] authenticate against cache in SSSD
https://fedorahosted.org/sssd/ticket/2485
    [RFE] The fast memory cache should cache initgroups
https://fedorahosted.org/sssd/ticket/2590
    SSSD doesn't re-read resolv.conf if the file doesn't exist during boot
https://fedorahosted.org/sssd/ticket/2641
    Add a IS_DEFAULT_VIEW macro
https://fedorahosted.org/sssd/ticket/2701
    Kerberos-based providers other than krb5 do not queue requests

== Detailed Changelog ==

Jakub Hrozek (73):
    * MAN: Fix a typo
    * SYSDB: Reduce code duplication in sysdb_gpo.c
    * UTIL: Make two child_common.c functions static
    * TESTS: Cover child_common.c with unit tests
    * LDAP: Use child_io_destructor instead of child_cleanup in a custom 
desctructor
    * UTIL: Remove child_cleanup
    * UTIL: Unify the fd_nonblocking implementation
    * RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
    * PAM: print the pam status as string, too
    * KRB5: More debugging for create_ccache()
    * SDAP: Make simple bind timeout configurable
    * SDAP: Make password change timeout configurable with ldap_opt_timeout
    * SDAP: Make StartTLS bind configurable with ldap_opt_timeout
    * SDAP: Decorate the sdap_op functions with DEBUG messages
    * IPA: Remove the ipa_hbac_treat_deny_as option
    * MAN: Clarify debug_level a bit
    * SSH: Ignore the default_domain_suffix
    * LDAP: Set sdap handle as explicitly connected in LDAP auth
    * tests: Revert strcmp condition
    * ncache: Fix sss_ncache_reset_permanent
    * ncache: Silence critical error from filter_users when 
default_domain_suffix is set
    * ncache: Add sss_ncache_reset_repopulate_permanent
    * responders: reset ncache after domains are discovered during startup
    * NSS: Reset negcache after checking domains
    * MAN: Clarify how are GPO mappings called in GPO editor
    * UTIL: Add a simple function to get the fd of debug_file
    * dyndns: Log nsupdate stderr with a high debug level
    * nsupdate: Append -d/-D to nsupdate with a high debug level
    * subdom: Remove unused function get_flat_name_from_subdomain_name
    * nss: Use negcache for getbysid requests
    * tests: Add NSS responder tests for bysid requests
    * LDAP: disable the cleanup task by default
    * TESTS: Use the right testcase
    * TESTS: Add test for get_next_domain
    * LDAP: Do not print verbose DEBUG messages from providers that don't set 
UUID
    * SYSDB: Store trust direction for subdomains
    * UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
    * TESTS: Add a test for sysdb_subdomains.c
    * SYSDB: Add realm to sysdb_master_domain_add_info
    * SYSDB: Add a forest root attribute to sss_domain_info
    * IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
    * IPA: Check master domain record before subdomain records
    * IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
    * IPA: Also update master domain when initializing subdom handler
    * IPA: Move server-mode functions to a separate module
    * IPA: Split two functions to new module ipa_subdomains_utils.c
    * IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
    * IPA: Read forest name for trusted forest roots as well
    * IPA: Make constructing an IPA server mode context async
    * TESTS: Split off keytab creation into a common module
    * TESTS: Add a common mock_be_ctx function
    * TESTS: Add a common function to set up sdap_id_ctx
    * TESTS: Move krb5_try_kdcip to nested group test
    * TESTS: Add unit test for the subdomain_server.c module
    * IPA: Fetch keytab for 1way trusts
    * AD: Rename ad_set_ad_id_options to ad_set_sdap_options
    * AD: Rename ad_create_default_options to ad_create_2way_trust_options
    * AD: Split off ad_create_default_options
    * IPA/AD: Set up AD domain in ad_create_2way_trust_options
    * IPA: Do not set AD_KRB5_REALM twice
    * AD: Add ad_create_1way_trust_options
    * IPA: Utility function for setting up one-way trust context
    * LDAP: Do not set keytab through environment variable
    * LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
    * CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss
    * BUILD: Store keytabs in /var/lib/sss/keytabs
    * Updating the translations for the 1.13 Alpha release
    * Updating the version.m4 file for the 1.13 Beta release
    * tests: Reduce duplication with new function test_ev_done
    * KRB5: Add and use krb5_auth_queue_send to queue requests by default
    * PAM: Only cache first-factor
    * Updating the translations for the 1.13.0 release
    * Updating the version for the 1.13.0 release 

John Dickerson (1):
    * MAN: Amend the description of ignore_group_members 

Lukas Slebodnik (67):
    * MAN: Remove indentation in element programlistening
    * Fix warning: for loop has empty body
    * Bump version to track 1.13 development
    * SPEC: Use libnl3 for epel6
    * MAKE: Don't include autoconf generated file to tarball
    * TESTS: Mock return value of sdap_get_generic_recv
    * test_nested_groups: Additional unit tests
    * Fix warning: equality comparison with extraneous parentheses
    * LDAP: Conditional jump depends on uninitialised value
    * BUILD: Remove unused libraries for pysss.so
    * BUILD: Remove unused variables
    * BUILD: Remove detection of type Py_ssize_t
    * UTIL: Remove python wrapper sss_python_set_new
    * UTIL: Remove python wrapper sss_python_set_add
    * UTIL: Remove python wrapper sss_python_set_check
    * UTIL: Remove compatibility macro PyModule_AddIntMacro
    * UTIL: Remove python wrapper sss_python_unicode_from_string
    * BUILD: Use python-config for detection *FLAGS
    * SPEC: Use new convention for python packages
    * SPEC: Move python bindings to separate packages
    * BUILD: Add possibility to build python{2,3} bindings
    * TESTS: Run python tests with all supported python versions
    * SPEC: Replace python_ macros with python2_
    * SPEC: Build python3 bindings on available platforms
    * BUILD: Uninstall also symbolic links to python bindings
    * Remove unused argument from be_nsupdate_create_fwd_msg
    * IPA: Remove unused argument from ipa_id_get_group_uuids
    * Remove useless assignment to function parameter
    * PAC: Fix memory leak
    * responder_cache: Fix warning may be used uninitialized
    * debug-tests: Fix test with new line in debug message
    * BUILD: Add missing header file to tarball
    * pam_client: fix casting to const pointer
    * test_expire: Use right assertion macro for standard functions
    * test_ldap_auth: Use right assertion for integer comparison
    * test_resolv_fake: Fix alignment warning
    * PAC: Remove unused function
    * KRB5: Unify prototype and definition
    * util-tests: Initialize boolean variable to default value
    * SPEC: Drop workaround for old libtool
    * SPEC: Drop workarounds for old rpmbuild
    * SPEC: Remove unused option
    * SPEC: Few cosmetic changes
    * simple_access-tests: Simplify assertion
    * sysdb-tests: Add missing assertions
    * sysdb-tests: test return value before output arguments
    * ad_opts: Use different default attribute for group name
    * BUILD: Write hints about optional python bindings
    * sss_client: Fix mixed enums
    * LDAP: Remove dead assignment
    * sss_client: Fix warning "_" redefined
    * SSSDConfigTest: Use unique temporary directory
    * util-tests: Add validation of internal error messages
    * SDAP: Check return value before using output arguments
    * SDAP: Log failure from sysdb_handle_original_uuid
    * test_ipa_subdomains_server: Run clean-up after success
    * IFP: Fix warnings with enabled optimisation
    * SDAP: Remove user from cache for missing user in LDAP
    * test_ipa_subdom_server: Add missing assert
    * test_ipa_subdomains_server: Fix build with --coverage
    * nss: Store entries in responder to initgr mmap cache
    * mmap_cache: Invalidate entry in right memory cache
    * nss: Invalidate entry in initgr mmap cache
    * sss_client: Use initgr mmap cache in client code
    * sss_cache: Clear also initgroups fast cache
    * sss_client: Use unique lock for memory cache
    * sss_client: Re-check memcache after acquiring the lock 

Michal Zidek (5):
    * Use FQDN if default domain was set
    * MAN: default_domain_suffix with use_fully_qualified_names.
    * views: Add is_default_view helper function
    * MONITOR: Poll for resolv.conf if not available during boot
    * MONITOR: Do not report missing file as fatal in monitor_config_file 

Nikolai Kondrashov (3):
    * BUILD: Add AM_PYTHON2_MODULE macro
    * Add integration tests
    * BUILD: Fix variable substitution in cwrap.m4 

Pavel Březina (53):
    * tests: refactor create_dom_test_ctx()
    * tests: add create_multidom_test_ctx()
    * tests: add test_multidom_suite_cleanup()
    * tests: remove code duplication in single domain cleanup
    * responders: new interface for cache request
    * responders: enable views in cache request
    * IFP: use new cache interface
    * server-tests: use strtouint32 instead strtol
    * sbus: add new iface via sbus_conn_register_iface()
    * sbus: move iface and object path code to separate file
    * sbus: use 'path/*' to represent a D-Bus fallback
    * sbus: support multiple interfaces on single path
    * sbus: add object path to sbus request
    * sbus: add sbus_opath_hash_lookup_supported()
    * sbus: support org.freedesktop.DBus.Introspectable
    * sbus: support org.freedesktop.DBus.Properties
    * sbus: unify naming of handler data variable
    * sbus: move common opath functions from ifp to sbus code
    * sbus: add sbus_opath_get_object_name()
    * ifp: fix potential memory leak in check_and_get_component_from_path()
    * sbus: use hard coded getters instead of generated
    * sbus: remove unused 'reply as' functions
    * IFP: move interface definitions from ifpsrv.c into separate file
    * IFP: unify generated interfaces names
    * sbus codegen: do not prefix getters with iface name
    * IFP: simplify object path constant names
    * sbus: add constant to represent subtree
    * be_refresh: get rid of callback pointers
    * sysdb: use sysdb_user/group_dn
    * cache_req tests: rename test_user to test_user_by_name
    * cache_req tests: define user name constant
    * cache_req: preparations for different input type
    * cache_req: add support for user by uid
    * cache_req: add support for group by name
    * cache_req: remove default branch from switches
    * cache_req: add support for group by id
    * cmocka: include mock_parse_inp in header file
    * cache_req: parse input name if needed
    * cache_req: return ERR_INTERNAL if more than one entry is found
    * sbus: provide custom error names
    * sbus: add sbus_opath_decompose[_exact]
    * sbus: add a{sas} get invoker
    * IFP: add org.freedesktop.sssd.infopipe.Users
    * IFP: add org.freedesktop.sssd.infopipe.Users.User
    * IFP: add org.freedesktop.sssd.infopipe.Groups
    * IFP: add org.freedesktop.sssd.infopipe.Groups.Group
    * IFP: deprecate GetUserAttr?
    * IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
    * SBUS: Use default GetAll? invoker if none is set
    * SBUS: Add support for <node /> in introspection
    * IFP: Export nodes
    * sbus: add support for incoming signals
    * sbus: listen to NameOwnerChanged? 

Pavel Reichl (20):
    * add missing '\n' in debug messages
    * PROXY: add missing space in debug message
    * BUILD: fix chmake not to generate warning
    * SDAP: log expired accounts at lower severity level
    * KRB5: add debug hint
    * TESTS: test expiration
    * ldap: refactor check_pwexpire_kerberos to use util func
    * ldap: refactor nds_check_expired to use util func
    * Fix a few typos in comments
    * sbus: sbus_opath_hash_add_iface free tmp talloc ctx
    * krb5: remove field run_as_user
    * localauth plugin: fix coverity warning
    * dyndns: remove dupl declaration of ipa_dyndns_update
    * dyndns: don't pass zone directive to nsupdate
    * dyndns: ipa_dyndns.h missed declaration of used data
    * krb: remove duplicit decl. of write_krb5info_file
    * IPA: Don't override homedir with subdomain_homedir
    * sysdb: new attribute lastOnlineAuthWithCurrentToken
    * PAM: authenticate agains cache
    * Minor code improvements 

Stephen Gallagher (5):
    * LDAP: Support returning referral information
    * AD GPO: Support processing referrals
    * AD GPO: Change default to "enforcing"
    * Add Vagrant configuration for SSSD
    * GPO: Fix incorrect strerror on GPO access denial 

Sumit Bose (22):
    * Add leak check and command line option to test_authtok
    * utils: add sss_authtok_[gs]et_2fa
    * pam: handle 2FA authentication token in the responder
    * Add pre-auth request
    * krb5-child: add preauth and split 2fa token support
    * IPA: create preauth indicator file at startup
    * pam_sss: add pre-auth and 2fa support
    * Add cache_credentials_minimal_first_factor_length config option
    * sysdb: add sysdb_cache_password_ex()
    * krb5: save hash of the first authentication factor to the cache
    * krb5: try delayed online authentication only for single factor auth
    * 2FA offline auth
    * pam_sss: move message encoding into separate file
    * PAM: add PAM responder unit test
    * adding ldap_user_auth_type where missing
    * LDAP: add ldap_user_certificate option
    * certs: add PEM/DER conversion utilities
    * sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
    * LDAP/IPA: add user lookup by certificate
    * ncache: add calls for certificate based searches
    * utils: add get_last_x_chars()
    * IFP: add FindByCertificate? method for User objects 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to