=== SSSD 1.11.8 === The SSSD team is proud to announce the release of version 1.11.8 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * This release focuses on backporting bug fixes from the 1.12 and 1.13 releases. At the moment, the SSSD upstream does not plan on releasing 1.11.9, barring security issues or regressions in this release. We recommend that all users of 1.11 upgrade to 1.12 or 1.13. * Several bugs related to using id_provider=ldap together with ID mapping enabled were fixed * Fixed a potential use-after-free error in the nested groups resolution code * The service restart code in the main "sssd" process was improved * The PAC responder can be built with MIT Kerberos versions 1.13 and 1.14 * A potential segfault in the memberof ldb plugin was fixed * The LDAP child no longer leaves a stray temporary file behind in case acquiring the credentials fails * The sudo responder works correctly even for users or groups whose name contains an LDAP special character such as ) * The autofs responder now works even with setups that enable the default_domain_suffix option * A memory leak in the NSS responder when a non-existing netgroup was requested is fixed in this release * The SSSD no longer leaks a file descriptor if service discovery times out when discovering an LDAP server * The sudo responder fixed the logic to sort entries with the sudoOrder attribute to match the sudo's native LDAP code == Documentation Changes == * The ldap_use_tokengroups option defaults to false in the generic LDAP provider. Previously, both the AD and LDAP provider (with ldap_schema set to ad) attempted to use the tokenGroups, resulting in numerous bugs. == Tickets Fixed == * https://fedorahosted.org/sssd/ticket/2412 Error processing universal groups with cross-domain membership in SSSD server mode * https://fedorahosted.org/sssd/ticket/2471 RHEL6.6 sssd (1.11) fails if IPA permissions and roles have the same name * https://fedorahosted.org/sssd/ticket/2484 Password change over ssh doesn't work with OTP and FreeIPA * https://fedorahosted.org/sssd/ticket/2448 MAN: If ldap_group_base is set, tokengroups might not be able to convert all GIDs to names * https://fedorahosted.org/sssd/ticket/2445 Race condition while invalidating memory cache in client code * https://fedorahosted.org/sssd/ticket/2492 Group membership gets lost in IPA server mode * https://fedorahosted.org/sssd/ticket/2573 Use after free in proxy provider. * https://fedorahosted.org/sssd/ticket/2611 sssd_be dumping core if enumeration times out * https://fedorahosted.org/sssd/ticket/2525 Monitor SIGKILL timer issue and service restart failure * https://fedorahosted.org/sssd/ticket/2572 [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT * https://fedorahosted.org/sssd/ticket/2430 sssd segfaults repeatedly with error 4 in memberof.so * https://fedorahosted.org/sssd/ticket/1096 Clock skew in krb5 auth should result in offline operation, not failure * https://fedorahosted.org/sssd/ticket/2592 ccname_file_dummy is not unlinked on error * https://fedorahosted.org/sssd/ticket/2613 sysdb sudo search doesn't escape special characters * https://fedorahosted.org/sssd/ticket/2625 Sudo responder does not respect filter_users and filter_groups * https://fedorahosted.org/sssd/ticket/2643 autofs provider fails when default_domain_suffix and use_fully_qualified_names set * https://fedorahosted.org/sssd/ticket/2634 sssd nss responder gets wrong number of secondary groups * https://fedorahosted.org/sssd/ticket/2644 ignore_group_members doesn't work for subdomains * https://fedorahosted.org/sssd/ticket/2659 IPA enumeration provider crashes * https://fedorahosted.org/sssd/ticket/2663 id lookup for non-root domain users doesn't return all groups on first attempt * https://fedorahosted.org/sssd/ticket/2681 SSSD cache is not updated after user is deleted from ldap server * https://fedorahosted.org/sssd/ticket/2744 cleanup_groups should sanitize dn of groups * https://fedorahosted.org/sssd/ticket/2800 Relax POSIX check * https://fedorahosted.org/sssd/ticket/2803 Memory leak / possible DoS with krb auth. * https://fedorahosted.org/sssd/ticket/2792 SSSD is not closing sockets properly * https://fedorahosted.org/sssd/ticket/2888 SRV lookups with id_provider=proxy and auth_provider=krb5 * https://fedorahosted.org/sssd/ticket/2865 sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64 (RHEL6.7) when trying to retrieve non-existing netgroups * https://fedorahosted.org/sssd/ticket/2682 sudoOrder not honored as expected == Detailed Changelog == Adam Tkac (1): * Option filter_users had no effect for retrieving sudo rules Aron Parsons (1): * autofs: fix 'Cannot allocate memory' with FQDNs Dan Lavu (1): * MAN: page edit for ldap_use_tokengroups Daniel Hjorth (1): * LDAP: unlink ccname_file_dummy if there is an error Jakub Hrozek (8): * Updating the version for the 1.11.8 development * IPA: Use GC for group lookups in server mode * LDAP: Do not clobber return value when multiple controls are returned * PAC: krb5_pac_verify failures should not be fatal * LDAP: return after tevent_req_error * KRB5: Go offline in case of clock skew * Download complete groups if ignore_group_members is set with tokengroups * DP: Set extra_value to NULL for enum requests Jan Engelhardt (1): * build: call AC_BUILD_AUX_DIR before anything else Lukas Slebodnik (16): * Revert "LDAP: Change defaults for ldap_user/group_objectsid" * LDAP: Disable token groups by default * sss_client: Extract destroying of mmap cache to function * sss_client: Fix race condition in memory cache * PROXY: Fix use after free * pysss_nss_idmap: Use wrapper for older python * MONITOR: Fix double free * TEST: Test empty results from functions sysdb_search_* * SDAP: Do not set gid 0 twice * nss: Do not ignore default vaue of SYSDB_INITGR_EXPIRE * SDAP: Set initgroups expire attribute at the end * SDAP: Remove user from cache for missing user in LDAP * LDAP: Sanitize group dn before using in filter * LDAP: Fix leak of file descriptors * BUILD: Accept krb5 1.14 for building the PAC plugin * BUILD: Fix linking issues on debian Michal Zidek (1): * LDAP: Change defaults for ldap_user/group_objectsid Nalin Dahyabhai (1): * Accept krb5 1.13 for building the PAC plugin Nikolai Kondrashov (1): * build: Don't install ad and ipa man pages unnecessarily Pavel Březina (4): * IPA: use ipaUserGroup object class for groups * enumeration: fix talloc context * sudo: sanitize filter values * sudo: use "higher value wins" when ordering rules Pavel Reichl (14): * LDAP: retain external members * SDAP: return after tevent_req_error * sudo: return after tevent_req_error * monitor: use-after-free bugfix * monitor: monitor_kill_service - refactor * monitor: memory-leak bug * SYSDB: sysdb_search_entry fix memory leak * SYSDB: sysdb_search_custom fix memory leak * TESTS: sysdb_search_return_ENOENT - check mem leaks * SDAP: Relax POSIX check * NSS: sysdb_getnetgr check return value first * NSS: sysdb_getnetgr refactor * NSS: fix memory leak in sysdb_getnetgr * NSS: Fix memory leak netgroup Petr Cech (1): * KRB5: Adding DNS SRV lookup for krb5 provider Simo Sorce (1): * Signals: Remove unused functions Stephen Gallagher (2): * monitor: Service restart fixes * UTIL: Do not change SSSD domains in get_domains_head Sumit Bose (2): * memberof: check for empty arrays to avoid segfaults * ldap: use proper sysdb name in groups_by_user_done() Thomas Oulevey (1): * Fix memory leak in sssdpac_verify() -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project