=== SSSD 1.11.5 === The SSSD team is proud to announce the release of version 1.11.5 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora 19, 20 and rawhide shortly. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * This release focuses primarily on bug fixes. * The release addresses an issue where the SSSD was not able to detect all domains in the forest if it was connected to an AD DC which was not the forest root * A new AD sudo provider was introduced. Setting sudo_provider=ad uses the same connection options as id_provider=ad, which simplifies the configuration for users who store sudo rules on an Active Directory server. * The ID mapping ranges are checked for collisions before being used, making SSSD more robust in cases where the ranges would collide * Password changes when using OTPs with an IPA server are now supported. Please note that this functionality is not present in the released FreeIPA versions yet. * Several bugs related to setting an SELinux user context from an IPA server were fixed == Documentation Changes == * A new pam_sss option ignore_unknown_user was added. Setting this option makes pam_sss return PAM_IGNORE when processing an uknown user instead of PAM_USER_UNKNOWN. This option is mostly useful for BSD systems. == Tickets Fixed == https://fedorahosted.org/sssd/ticket/1955 SSSD pam module accepts usernames with leading spaces https://fedorahosted.org/sssd/ticket/1958 [RFE] Expose the list of trusted domains to IPA https://fedorahosted.org/sssd/ticket/2153 If both IPA and LDAP are set up with enumeration on, two enum tasks are running https://fedorahosted.org/sssd/ticket/2218 sssd.conf man pages don't list a configuration option. https://fedorahosted.org/sssd/ticket/2226 Make SSSD compilable on systems with non-standard paths to krb5 includes https://fedorahosted.org/sssd/ticket/2232 [freebsd] pam_sss: add ignore_unknown_user option https://fedorahosted.org/sssd/ticket/2235 MAN: Remove misleading memberof example from ldap_access_filter example https://fedorahosted.org/sssd/ticket/2251 not retrieving homedirs of AD users with posix attributes https://fedorahosted.org/sssd/ticket/2252 Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes https://fedorahosted.org/sssd/ticket/2253 Check IPA idranges before saving them to the cache https://fedorahosted.org/sssd/ticket/2256 Evaluate usage of sudo LDAP provider together with the AD provider https://fedorahosted.org/sssd/ticket/2257 Setting int option to 0 yields the default value https://fedorahosted.org/sssd/ticket/2263 ipa-server-mode: Use lower-case user name component in home dir path https://fedorahosted.org/sssd/ticket/2264 SSSD Does not cache SELinux map from FreeIPA correctly https://fedorahosted.org/sssd/ticket/2270 IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in https://fedorahosted.org/sssd/ticket/2271 sssd fails to handle expired passwords when OTP is used https://fedorahosted.org/sssd/ticket/2279 Add another Kerberos error code to trigger IPA password migration https://fedorahosted.org/sssd/ticket/2280 Double OK when starting the service https://fedorahosted.org/sssd/ticket/2282 SSSD should create the SELinux mapping file with format expected by pam_selinux https://fedorahosted.org/sssd/ticket/2284 Valgrind: Invalid read of int while processing netgroup https://fedorahosted.org/sssd/ticket/2285 other subdomains are unavailable when joined to a subdomain in the ad forest https://fedorahosted.org/sssd/ticket/2289 Error during password change https://fedorahosted.org/sssd/ticket/2293 configure time variables not expanded when running ./configure https://fedorahosted.org/sssd/ticket/2300 RHEL7 IPA selinuxusermap hbac rule not always matching == Detailed Changelog == Alexey Shabalin (1): * Use KRB5_CFLAGS where appropriate Jakub Hrozek (16): * Updating the version for the 1.11.5 release * IPA: Don't call tevent_req_post outside _send * IPA: Don't fail if apply_subdomain_homedir returns ENOENT * OPTS: Allow using defaults for blobs * DP: Provide separate dp_copy_defaults function * MAN: Clarify the ldap_access_filter option further * MAN: Clarify that changing ID mapping options might require purging the cache * IPA: Do not save intermediate data to sysdb * AD: Only connect to GC for subdomain users * MAN: Clarify the GC support a bit * IPA: Use the correct domain when processing SELinux rules * IPA: Write SELinux usernames in the right case * KRB5: Do not attempt to get a TGT after a password change using OTP * AD: connect to forest root when downloading the list of subdomains * IPA: Fix SELinux mapping order memory hierarchy * Updating the translations for the 1.11.5 release Lukas Slebodnik (10): * SPEC: Use systemd on available platforms * LDAP: Setup periodic task only once. * UTIL: Sanitize whitespaces. * DOC: Fix names of arguments in doxygen comments * AD: Continue if sssd failes to check extra members * SYSV: Do not call functions success and fail itself * IPA: Use function sysdb_attrs_get_el in safe way * Makefile: Add missing library to the dp_opt_tests * TESTS: Link libsss_test_common with tevent * Makefile: Use alternative method to replace *bindir Michal Zidek (1): * Possible null dereference in SELinux code Nathaniel McCallum (1): * Fix krb5 changepw when FAST-only preauth methods are used (like OTP) Pete Fritchman (1): * PAM: add ignore_unknown_user option Stef Walter (1): * providers: Fix types passed to dbus varargs functions Sumit Bose (13): * IDMAP: add sss_idmap_check_collision(_ex) * IPA: refactor idmap code and add test * IPA: check ranges for collisions before saving them * libsss_idmap: bump version-info * config API: add missing subdomain target to AD provider test * SUDO: AD provider * ipa-server-mode: use lower-case user name for home dir * IPA: Use GC for AD initgroup requests * IPA/KRB5: handle KRB5_PROG_ETYPE_NOSUPP during IPA password migration * krb5_child: remove unused option lifetime_str from k5c_setup_fast() * krb5-child: extract lifetime settings into set_lifetime_options() * krb5_client: rename krb5_set_canonicalize() to set_canonicalize_option() * krb5-child: add revert_changepw_options() _______________________________________________ Freeipa-interest mailing list Freeipa-interest@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-interest