=== SSSD 1.10 Alpha 1 ===

The SSSD team is proud to announce the alpha release of version 1.10 of the System Security Services Daemon.
This alpha release includes all the features developed since the sssd-1-9 branch was forked, as well as refactoring of several internal interfaces, making the code more readable and maintainable in the long term. As always, the source is available from https://fedorahosted.org/sssd. RPM packages will be made available for Fedora 19 and rawhide shortly.

The SSSD 1.10 Beta release is scheduled for April 25th and will contain all the planned features. We will most likely issue another pre-release build prior to the Beta, but that has not been firmly scheduled yet.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:

https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* Includes a fix for CVE-2013-0287: a simple access provider flaw that prevents the intended ACL from being applied when SSSD is configured as an Active Directory client
* Many internal interfaces were refactored, making the code more readable and maintainable in the long term. This refactoring includes the subdomains code, the sysdb interface as a whole, internal error code reporting, SELinux login context processing and processing of nested LDAP groups.
* A new option ipa_dyndns_ttl was added, allowing the client to set a custom TTL on IPA dynamic DNS updates
* A new ignore_group_members option was added. This option can be used to suppress downloading group members on group lookups, making group lookups much faster for environments that do not need to know the group members.
* A new option ldap_rfc2307_fallback_to_local_users was added. If this option is set to true, SSSD is able to resolve local group members of LDAP groups.
* Added support for krb5 1.11's responder callback.
* Support for libnl version 3 was added.
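As an added example (not part of this announcement or of the SSSD project's own documentation), the following sssd.conf fragment shows where the three new options listed above are set. Domain names, server names and the TTL value are placeholders; the accompanying ipa_dyndns_update, ldap_uri, ldap_search_base and ldap_schema settings are the pre-existing options these new ones depend on. The sssd-ipa(5) and sssd-ldap(5) man pages shipped with this release are the authoritative reference for option semantics and defaults.

```ini
# Added example, not from the SSSD 1.10 announcement. All names are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.example.com, ldap.example.org

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_server = ipa1.ipa.example.com
ipa_hostname = client1.ipa.example.com
# The client keeps its own A/AAAA record on the IPA DNS server up to date.
ipa_dyndns_update = true
# New in 1.10: TTL, in seconds, written on that record. Only meaningful when
# ipa_dyndns_update is enabled; previously SSSD used a fixed TTL (ticket 1476).
ipa_dyndns_ttl = 3600

[domain/ldap.example.org]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_schema = rfc2307
# New in 1.10 (rfc2307 schema): memberUid values that name accounts existing
# only in local files (/etc/passwd) are kept as members of the LDAP group.
ldap_rfc2307_fallback_to_local_users = true
# New in 1.10: do not request the group membership attribute at all. Lookups
# of large groups get much cheaper, but `getent group <name>` then returns the
# group with an empty member list, and the fallback option above has nothing
# to act on. Enable only where nothing on the host reads member lists via NSS.
# ignore_group_members = true
```

Two things to check before rolling either LDAP option out: ignore_group_members changes what NSS reports (the group exists but appears empty), so any local tooling that enumerates membership with getent rather than asking for a user's groups will see a difference; and ldap_rfc2307_fallback_to_local_users deliberately lets entries from local files satisfy an LDAP group membership, so on hosts where local accounts are not centrally controlled it widens who can be treated as a member of a directory group.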
* Fixed an indexing bug that prevented the contents of autofs maps from being returned to the automounter daemon in case the map contained a large number of entries
* Fixed a spurious password expiration warning that was printed on login with the Kerberos back end
* Fixed a regression when saving binary attributes to the cache
* Fixed a file descriptor leak when sss_cache was executed

== Packaging Changes ==

* The shared components of the SSSD are now built as a shared library to reduce the amount of duplicated code being linked into multiple SSSD binaries and lower the disk usage of an SSSD installation.
* The check that ensured that SSSD is running with the same ldb version it was built against was made optional and is now disabled by default. You can enable the strict check again by passing --enable-ldb-version-check to configure.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/812 Support libnl 3.x
https://fedorahosted.org/sssd/ticket/1033 [RFE] implement a script/tool joining to the Active Directory domain
https://fedorahosted.org/sssd/ticket/1287 compilation warnings with -O2
https://fedorahosted.org/sssd/ticket/1327 When multiple values are assigned, sss_debuglevel should display a usage message
https://fedorahosted.org/sssd/ticket/1371 Missing resolv.conf should be non-fatal
https://fedorahosted.org/sssd/ticket/1376 [RFE] Add support for suppressing group members
https://fedorahosted.org/sssd/ticket/1405 [RFE] Kerberos canonicalization should be skipped on password-changes in AD provider
https://fedorahosted.org/sssd/ticket/1476 SSSD has a much longer TTL when updating a DNS record than IPA client install placed in the beginning
https://fedorahosted.org/sssd/ticket/1481 Move sss_cache to the main subpackage
https://fedorahosted.org/sssd/ticket/1484 failover should protect against empty host names
https://fedorahosted.org/sssd/ticket/1495 include talloc log in our debug facility
https://fedorahosted.org/sssd/ticket/1575 Change responder contexts hierarchy
https://fedorahosted.org/sssd/ticket/1586 Make authtoken opaque objects
https://fedorahosted.org/sssd/ticket/1603 [RFE] Send user principal together with the PAC to the pac responder
https://fedorahosted.org/sssd/ticket/1643 [RFE] refactor sysdb interface
https://fedorahosted.org/sssd/ticket/1660 LDAP_CONTROL_X_DEREF: sssd should fallback if server returns LDAP_UNAVAILABLE_CRITICAL_EXTENSION error
https://fedorahosted.org/sssd/ticket/1712 sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin
https://fedorahosted.org/sssd/ticket/1738 Decrease the krb5_auth_timeout default value of 15
https://fedorahosted.org/sssd/ticket/1743 selinux: move all logic to responder, provider should only update db
https://fedorahosted.org/sssd/ticket/1744 selinux: reuse IPA_HBAC_REFRESH or provide an alternative
https://fedorahosted.org/sssd/ticket/1745 Unnecessary output is seen when invalid option is passed to sss_cache
https://fedorahosted.org/sssd/ticket/1746 sss_* tools with use_fully_qualified_names should require fqdn
https://fedorahosted.org/sssd/ticket/1747 Refactor subdomain interfaces
https://fedorahosted.org/sssd/ticket/1756 append new line to error string from poptStrerror()
https://fedorahosted.org/sssd/ticket/1763 check the return values of sysdb_transaction_commit in sysdb tests
https://fedorahosted.org/sssd/ticket/1765 remove the alt_db_path parameter of sysdb_init
https://fedorahosted.org/sssd/ticket/1766 use an explanatory macro for checking if a domain is a subdomain
https://fedorahosted.org/sssd/ticket/1771 Negative cache messages are displayed at too low of a DEBUG level
https://fedorahosted.org/sssd/ticket/1790 Possible null dereference in ipa_subdomains.c
https://fedorahosted.org/sssd/ticket/1794 reuse open_cloexec elsewhere in the code
https://fedorahosted.org/sssd/ticket/1803 SSSD returns System Error if the ccachedir is not writable
https://fedorahosted.org/sssd/ticket/1804 Filter out inappropriate multicast and subnet broadcast addresses from IPA dynamic DNS update
https://fedorahosted.org/sssd/ticket/1805 RFE: Add a new override_homedir expansion for the "original value"
https://fedorahosted.org/sssd/ticket/1810 Uninitialized scalar variable in responder_get_domain
https://fedorahosted.org/sssd/ticket/1811 Unchecked return value in tests
https://fedorahosted.org/sssd/ticket/1812 make the get_next_domain() function a little more readable
https://fedorahosted.org/sssd/ticket/1813 make the ldb check configurable
https://fedorahosted.org/sssd/ticket/1819 Refresh doxygen template files
https://fedorahosted.org/sssd/ticket/1820 sysdb unit tests use system memberof
https://fedorahosted.org/sssd/ticket/1825 Invalid assignment to enum
https://fedorahosted.org/sssd/ticket/1833 segmentation fault in cmocka unit tests with raised optimization level
https://fedorahosted.org/sssd/ticket/1834 Support for libini 1.0
https://fedorahosted.org/sssd/ticket/1838 nss and pam clients broken in master
https://fedorahosted.org/sssd/ticket/1840 Add --with-test-dir=/dev/shm to DISTCHECK_CONFIGURE_FLAGS

== Detailed Changelog ==

Abhishek Singh (1):
* filename in comment is corrected

Ariel Barria (1):
* Improve syslog message when configuration cannot be loaded

Jakub Hrozek (44):
* Bump version to 1.10dev
* Require ar in configure.ac
* TESTS: Fix a couple of debug-level setters
* SYSDB: Remove unused macros
* LDAP: Remove double break
* Indentation fix
* Bump the version and reset release back to 0
* tests: add a unit test for sysdb_netgroup_base_dn
* tests: unit test for test_sysdb_search_users
* tests: add a unit test for test_sysdb_search_groups
* tests: test sysdb_initgroups
* tests: add unit test for sysdb_get_new_id
* tests: unit test for sysdb_remove_attrs
* TOOLS: set domain in check_group_names
* Fix code style
* Don't use srcdir with tests
* krb5: include backwards compatible declaration of krb5_trace_info
* LDAP: Check for authtok validity
* Filter out multicast addresses from IPA DNS updates
* Lower the DEBUG level if an entry cannot be deleted from memcache
* Fix the krb5 password expiration warning
* Remove enumerate=true from man sssd-ldap
* Do not process success case in an else
* Revert "Add debug message to autofs client"
* Don't treat 0 as default for pam_pwd_expiration warning
* Remove unused functions
* Use the correct memory context in be_req_create
* Check the return value of sysdb_search_services
* Detect the presence of libcmocka during configure
* Add utility functions for tests that use sysdb or tevent.
* Move sss_cmd_execute from client to responder code.
* CMocka based test for the NSS responder
* Retry the correct service on krb5 child timeout
* Remove duplicate remake from bashrc_sssd
* Provide a be_get_account_info_send function
* Add unit tests for simple access test by groups
* Do not compile main() in DP if UNIT_TESTING is defined
* Resolve GIDs in the simple access provider
* Return error code from ipa_subdom_store
* Move signal.m4 from src/util to external
* Document what access_provider=ad does
* Include config.h to build io.c on RHEL5
* selinux: Remove unused parameter
* Updating the translations for the 1.10 alpha release

James Hogarth (1):
* Make TTL configurable for dynamic dns updates

Jan Cholasta (1):
* LDAP: If deref search fails, try again without deref

Jan Engelhardt (1):
* sysdb: try dealing with binary-content attributes

John Hodrien (1):
* Correct sss_ssh_knowhostsproxy typo in man pages

Kamil Dudka (1):
* sssd-1.8.0: work around a bug in cov-build from Coverity

Lukas Slebodnik (12):
* Improved readability of get_next_domain()
* Fixed typo in debug message.
* Removing unused parameter type from sudosrv_get_sudorules_query_cache()
* Reuse sss_open_cloexec at other places in code.
* More generalized function open_debug_file_ex()
* Removing unused header file providers.h
* Fix sss_client breakage.
* Removing unused declaration of functions and variable.
* Making the ldb check configurable
* Fixing duplicate const
* Reusing create_pam_data() in other places.
* Making the authtok structure really opaque.

Michal Zidek (15):
* sss_debuglevel: Multiple arguments are treated as error.
* Include talloc log in our debug facility
* failover: Protect against empty host names
* sss_cache: Call DEBUG_INIT sooner
* tools: Respect use_fully_qualified_names
* Possible null dereference in ipa_subdomains.c.
* Unchecked return value in files.c
* Use the same dbg level for all ncache hits.
* Remove the alt_db_path parameter of sysdb_init
* File descriptor leak in nss responder.
* Debug message in sss_mc_create_file.
* Move SELinux processing to provider.
* Reuse cached SELinux mappings.
* Make the SELinux refresh time configurable.
* tests: Print warning if LDB_MODULES_PATH is not set

Milan Cejnar (1):
* tools: append new line to string from poptStrerror()

Nathaniel McCallum (1):
* Add support for krb5 1.11's responder callback.

Ondrej Kos (13):
* MAN: quotation fix
* Display more information on DB version mismatch
* SYSDB: split sysdb_add_user
* TESTS: Fix coverity issues 13126, 13127
* TESTS: include error message on fail
* Fix uninitialized time_t var in responder
* krb5_child: fix value type and initialization
* Fix initialization of multiple variables
* Fix coverity issue 13136
* Decrease krb5_auth_timeout default
* Update README file
* LDAP: Fix value initialization
* Provide libnl3 support

Paul B. Henson (1):
* Add ignore_group_members option.

Pavel Březina (25):
* sudo: do not hardcode protocol version
* fix -O3 variable may be uninitialized warnings
* sudo: print message if old protocol is used
* sudo manpage: clarify that sudoHost may contain wildcards and not regular expression
* use talloc_zfree when freeing rhostent in resolver
* set ret to EOK after for loop in sdap_sudo_purge_sudoers
* Fix LDAP authentication - invalid password length
* set struct bet_info->bet_type
* krb: recreate ccache if it was deleted
* dp: check whether hostid backend is configured before filing be request
* get_next_domain() test dom->parent->next for NULL
* subdomains: replace invalid characters with underscore in krb5 mapping file name
* if selinux is disabled, ignore that selogin dir is missing
* sdap_fill_memberships: continue if a member is not found in sysdb
* Add debug message to autofs client
* autofs: fix invalid header 'number of entries' in packet
* build: require libcmocka on fedora 18+
* fix segfault in nss responder unit test
* krb5-utils-tests: remove invalid condition
* correct order in error_to_str table
* do not leak memory on failure in *_process_init()
* change responder contexts hierarchy
* coding style fix
* refactor nested group processing: add new code
* refactor nested group processing: replace old code

Simo Sorce (131):
* Add helpers to set common mc record fields
* Save errno before it might be modified.
* Revert "Avoid accessing half-deallocated memory when using talloc_zfree macro."
* Avoid duplicating macros
* Avoid const warnings when deallocating memory
* Fix tevent_req style for krb5_auth
* Fix ipa_subdomain_id names and tevent_req style
* Fix tevent_req style for get_netgroup in ipa_id
* Streamline ipa_account_info handler
* Use an entry type mask macro to filter entry types
* Fix comment on wrong line
* Remove redundant definition.
* Fix tevent_req style for sdap_async_sudo.
* Remove unhelpful vtable from sss_cache
* Remove dead netgroup functions
* Revert "Add a default section to a switch-statement"
* Add sysdb_search_service() helper function
* Use sysdb_search_service() for all svc queries
* Fix sdap reinit.
* Code can only check for cached passwords
* Add function to safely wipe memory.
* Add authtok utility functions.
* Change pam data auth tokens.
* Use new sysdb_search_service() in sss_cache
* The Big sysdb/domain split-up!
* Refactor sysdb initialization
* Refactor single domain initialization
* Remove the sysdb_ctx_get_domain() function.
* Make sysdb_user_dn() require a domain explicitly.
* Make sysdb_group_dn() require a domain explicitly.
* Make sysdb_netgroup_dn() require a domain explicitly.
* Make sysdb_netgroup_base_dn() require a domain.
* Make sysdb_domain_dn() require a domain.
* Make sysdb_custom_dn() require a domain.
* Make sysdb_custom_subtree_dn() require a domain.
* Move range objects into their own top-level tree.
* Upgrade DB and move ranges into top level object
* Pass domain to sysdb_get<pw/gr>nam() functions
* Pass domain to sysdb_get<pwu/grg><id() functions
* Pass domain to sysdb_enum<pw/gr>ent() functions
* Add domain option to sysdb_get/netgr/attrs() fns
* Add domain argument to sysdb_initgroups()
* Add domain argument to sysdb_get_user_attr()
* Add domain to sysdb_search_user_by_name()
* Add domain to sysdb_search_user_by_uid()
* Add domain to sysdb_search_group_by_name()
* Add domain to sysdb_search_group_by_gid()
* Add domain arg to sysdb_search_netgroup_by_name()
* Add domain argument to sysdb_set_user_attr()
* Add domain argument to sysdb_set_group_attr()
* Add domain argument to sysdb_set_netgroup_attr()
* Add domain argument to sysdb_get_new_id()
* Add domain argument to sysdb_add_basic_user()
* Add domain argument to sysdb_add_user()
* Add domain arguments to sysdb_add_group functions.
* Add domain arguments to sysdb_add_inetgroup fns.
* Add domain argument to sysdb_store_user()
* Add domain argument to sysdb_store_group()
* Add domain arg to sysdb group member functions
* Add domain argument to sysdb_cache_password()
* Add domain argument to sysdb_cache_auth()
* Add domain argument to sysdb_store_custom()
* Add domain argument to sysdb_search_custom()
* Add domain to sysdb_delete_custom
* Add domain arg to sysdb_search_users()
* Add domain argument to sysdb_delete_user()
* Add domain argument to sysdb_search_groups()
* Add domain argument to sysdb_delete_group()
* Add domain arg to sysdb_search/delete_netgroup()
* Add domain argument to sysdb_has/set_enumerated()
* Add domain argument to sysdb_remove_attrs()
* Add domain argument to sysdb_idmap_ functions
* Add domain argument to sysdb_get_real_name()
* Add domain argument to sysdb autofs functions
* Add domain argument to sysdb selinux functions
* Add domain arguments to sysdb services functions
* Add domain arguments to sysdb ssh functions
* Add domain arguments to sysdb sudo functions
* Add domain to some subdomain functions
* Pass the domain to upgrade functions
* Move mpg flag to the domain where it belongs
* Kill sysdb->domain
* Stop creating fake sysdb contexts
* Tidy up BASE dn macros
* Remove outdated code.
* Move ldap provider access functions
* Remove sysdb as a be context structure member
* Remove sysdb as a be request structure member
* Remove sysdb argument from ipa_host_info_send()
* Remove unused structure
* Remove sysdb argument from hbac_user_attrs_to_rule()
* Remove sysdb arg from hbac_service_attrs_to_rule()
* Remove sysdb arg from hbac_*host_attrs_to_rule()
* Remove sysdb arg from ipa_hbac_service_info_send()
* Remove sysdb arg from [ipa_]hbac_sysdb_save()
* Remove sysdb argument from hbac_get_cached_rules()
* Remove hbac_ctx_sysdb()
* Remove hbac_ctx_be()
* Remove hbac_ctx_ev()
* Remove hbac_ctx_sdap_id_[ctx|op]()
* Move hbac_ctx_is_offline()
* Do not pass NULL to ipa_subdomain_retrieve()
* Split simple_access_check function out
* Pass domain not be_req to access check functions
* Remove domain from be_req structure
* Introduce be_req_terminate() helper
* Add be_req_create() helper
* Add be_req_get_be_ctx() helper.
* Add be_req_get_data() helper function.
* Make struct be_req opaque
* Add realm info to sss_domain_info
* Avoid sysdb_subdom in sysdb_get_subdomains()
* Update main domain info in place
* Refactor sysdb_master_domain_add_info()
* Add sysdb_subdomain_store() function
* Remove sysdb_subdom completely
* Add function get_next_domain()
* Add ability to disable domains
* Change the way domains are linked.
* Parent and subdomains use the same sysdb
* Introduce IS_SUBDOMAIN() macro
* krb5_child style fix
* Refactor krb5 child
* Add SSSD specific error codes and definitions
* Use SSSD specific errors for offline auth
* Return ERR_INTERNAL instead of EIO
* Cleanup error message handling for krb5 child
* Improve IS_SSSD_ERROR() macro
* Use common error facility instead of sdap_result
* Convert sdap_access to new error codes
* ldap: Fallback option for rfc2307 schema

Stephen Gallagher (10):
* LDAP: Better debug logging when saving groups
* Correct format security for talloc_named of auth tokens
* Fix minor grammar error in log
* NSS: Add original homedir to home directory template options
* BUILD: Build shared components as an internal shared library
* BUILD: Add contributed macros and aliases to simplify building
* BUILD: Include build aliases in the tarball
* BUILD: Fix cmocka detection
* BUILD: Fix up whitespace in Makefile.am
* BUILD: Always run distcheck and RPM tests in /dev/shm

Sumit Bose (1):
* Add a default section to a switch-statement

Thorsten Scherf (1):
* Updated Doxygen configuration to 1.8.1

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest