=== SSSD 1.13 Alpha ===

The SSSD team is proud to announce the release of version 1.13 Alpha of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* The Active Directory provider has changed the default value of the ad_gpo_access_control option from permissive to enforcing. As a consequence, GPO access control now affects all clients that set access_provider to ad. In order to restore the previous behaviour, set ad_gpo_access_control to permissive or use a different access_provider type.
* Group Policy objects defined in a different AD domain than the one the computer object is defined in are now supported.
* Support for separate prompts when using two-factor authentication was added.
* Credential caching and offline authentication are also available when using two-factor authentication.
* Added support for one-way trusts between an IPA and Active Directory environment. Please note that this SSSD functionality depends on IPA code that will be released in the IPA 4.2 version.
* Many enhancements to the InfoPipe D-Bus API. Notably, SSSD users and groups are now exposed as first-class objects. Users and groups can also be marked as cached and subsequently show up in the Introspection output.
* The D-Bus interface is now also able to look up User objects by certificate. This is the first part of work that will eventually allow smart-card authentication in SSSD.
* The LDAP cleanup task is now disabled by default, unless enumeration is enabled.
  Please refer to the ldap_purge_cache_timeout option in case your environment requires the cleanup task.
* The Python bindings are now built for both Python 2 and Python 3.
* The LDAP bind timeout, StartTLS timeout and password change timeout are now configurable using the ldap_opt_timeout option.

== Packaging Changes ==

* A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa subpackage. The SSSD stores keytabs for one-way trust relationships in this directory. Downstreams should make sure that the directory is only readable by the user who runs the SSSD service.
* Several packaging changes are present in this release to support the Python 3 bindings; notably, new python-sss and python-sss-murmur subpackages are introduced in upstream RPM packaging.
* All Python bindings now have a Python 3 and a Python 2 version in the upstream RPM packaging scheme.
* The OpenSSL development library (openssl-devel on RHEL/Fedora, libssl-dev on Debian/Ubuntu) is now required to support certificate operations.
* A new internal library libsss_cert.so is present in this release.

== Documentation Changes ==

* The ad_gpo_access_control option default has changed from permissive to enforcing.
* The default value of ldap_purge_cache_timeout changed to 0, thus effectively disabling the cleanup task.
* A new option cache_credentials_minimal_first_factor_length was added. This option sets constraints on the password length if one-time passwords are used and credentials are to be cached.
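The ad_gpo_access_control default change listed above means that any domain with access_provider = ad and no explicit setting moves from permissive to enforcing simply by upgrading. As an added example (not part of this announcement and not SSSD's own tooling), the script below parses an sssd.conf and reports each AD domain's effective GPO mode before and after 1.13; the sample configuration and its domain names are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf (not from the announcement); the three domains
# model the cases that matter for the ad_gpo_access_control default change.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = corp.example.com, legacy.example.com, ldap.example.com
services = nss, pam

[domain/corp.example.com]
id_provider = ad
access_provider = ad

[domain/legacy.example.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = permissive

[domain/ldap.example.com]
id_provider = ldap
access_provider = ldap
"""

# Defaults for ad_gpo_access_control before and from 1.13 on, per the announcement.
OLD_DEFAULT = "permissive"
NEW_DEFAULT = "enforcing"

def gpo_modes(conf_text):
    """Map domain name -> (mode before 1.13, mode from 1.13 on) for every
    [domain/...] section with access_provider = ad. Other access providers
    are skipped: GPO access control only applies to access_provider = ad."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    modes = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "access_provider", fallback="").strip() != "ad":
            continue
        name = section[len("domain/"):]
        explicit = cp.get(section, "ad_gpo_access_control", fallback=None)
        if explicit is not None:
            # An explicit value is honoured by both versions.
            modes[name] = (explicit.strip(), explicit.strip())
        else:
            # No explicit value: the compiled-in default applies, and it changed.
            modes[name] = (OLD_DEFAULT, NEW_DEFAULT)
    return modes

def domains_changing_on_upgrade(conf_text):
    """Domains whose effective mode flips just by upgrading to 1.13."""
    return sorted(d for d, (old, new) in gpo_modes(conf_text).items() if old != new)

if __name__ == "__main__":
    for dom, (old, new) in sorted(gpo_modes(SAMPLE_SSSD_CONF).items()):
        print(f"{dom}: {old} -> {new}")
```

Run it against a real /etc/sssd/sssd.conf (read the file into conf_text) before upgrading; any domain it lists will start enforcing GPO access control unless ad_gpo_access_control is set explicitly.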
Please see the sssd.conf(5) man page for more details.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/897 sssd should pass -d to nsupdate when running with high log level
https://fedorahosted.org/sssd/ticket/1501 Make the LDAP bind operation timeout configurable
https://fedorahosted.org/sssd/ticket/2150 [RFE] Expose listing calls over D-BUS
https://fedorahosted.org/sssd/ticket/2224 nsupdate stderr is not captured
https://fedorahosted.org/sssd/ticket/2236 The cleanup task has no DEBUG statements
https://fedorahosted.org/sssd/ticket/2326 SBUS: Flush the UID cache when we receive NameOwnerChanged
https://fedorahosted.org/sssd/ticket/2338 [RFE] Implement object caching on the bus
https://fedorahosted.org/sssd/ticket/2339 IFP: support multiple interfaces for object
https://fedorahosted.org/sssd/ticket/2540 SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain
https://fedorahosted.org/sssd/ticket/2569 In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set
https://fedorahosted.org/sssd/ticket/2574 SSSD should be able to build python2 and python3 bindings in a one build
https://fedorahosted.org/sssd/ticket/2583 [RFE] Homedir is always overwritten with subdomain_homedir value in server mode
https://fedorahosted.org/sssd/ticket/2593 Does sssd-ad use the most suitable attribute for group name?
https://fedorahosted.org/sssd/ticket/2603 Make SSSD's HBAC validation more permissive if deny rules are not used
https://fedorahosted.org/sssd/ticket/2609 [bug] sssd always appends default_domain_suffix when checking for host keys
https://fedorahosted.org/sssd/ticket/2618 Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all
https://fedorahosted.org/sssd/ticket/2620 id_provider=proxy with auth_provider=ldap does not work reliably
https://fedorahosted.org/sssd/ticket/2625 Sudo responder does not respect filter_users and filter_groups
https://fedorahosted.org/sssd/ticket/2627 Disable the cleanup task by default
https://fedorahosted.org/sssd/ticket/2636 RFE: Fetch keytabs for one-way trusts in IPA subdomain code
https://fedorahosted.org/sssd/ticket/2638 RFE: Change ad_id_ctx instantiation in the IPA subdomain code to support one-way trusts
https://fedorahosted.org/sssd/ticket/2645 [RFE] Support GPOs from different domain controllers
https://fedorahosted.org/sssd/ticket/2661 RFE: Change AD GPO default to enforcing
https://fedorahosted.org/sssd/ticket/2666 sssd with ldap backend throws error domain log

== Detailed Changelog ==

Jakub Hrozek (68):
* MAN: Fix a typo
* SYSDB: Reduce code duplication in sysdb_gpo.c
* UTIL: Make two child_common.c functions static
* TESTS: Cover child_common.c with unit tests
* LDAP: Use child_io_destructor instead of child_cleanup in a custom destructor
* UTIL: Remove child_cleanup
* UTIL: Unify the fd_nonblocking implementation
* RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
* PAM: print the pam status as string, too
* KRB5: More debugging for create_ccache()
* SDAP: Make simple bind timeout configurable
* SDAP: Make password change timeout configurable with ldap_opt_timeout
* SDAP: Make StartTLS bind configurable with ldap_opt_timeout
* SDAP: Decorate the sdap_op functions with DEBUG messages
* IPA: Remove the ipa_hbac_treat_deny_as option
* MAN: Clarify debug_level a bit
* SSH: Ignore the default_domain_suffix
* LDAP: Set sdap handle as explicitly connected in LDAP auth
* tests: Revert strcmp condition
* ncache: Fix sss_ncache_reset_permanent
* ncache: Silence critical error from filter_users when default_domain_suffix is set
* ncache: Add sss_ncache_reset_repopulate_permanent
* responders: reset ncache after domains are discovered during startup
* NSS: Reset negcache after checking domains
* MAN: Clarify how GPO mappings are called in GPO editor
* UTIL: Add a simple function to get the fd of debug_file
* dyndns: Log nsupdate stderr with a high debug level
* nsupdate: Append -d/-D to nsupdate with a high debug level
* subdom: Remove unused function get_flat_name_from_subdomain_name
* nss: Use negcache for getbysid requests
* tests: Add NSS responder tests for bysid requests
* LDAP: disable the cleanup task by default
* TESTS: Use the right testcase
* TESTS: Add test for get_next_domain
* LDAP: Do not print verbose DEBUG messages from providers that don't set UUID
* SYSDB: Store trust direction for subdomains
* UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
* TESTS: Add a test for sysdb_subdomains.c
* SYSDB: Add realm to sysdb_master_domain_add_info
* SYSDB: Add a forest root attribute to sss_domain_info
* IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
* IPA: Check master domain record before subdomain records
* IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
* IPA: Also update master domain when initializing subdom handler
* IPA: Move server-mode functions to a separate module
* IPA: Split two functions to new module ipa_subdomains_utils.c
* IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
* IPA: Read forest name for trusted forest roots as well
* IPA: Make constructing an IPA server mode context async
* TESTS: Split off keytab creation into a common module
* TESTS: Add a common mock_be_ctx function
* TESTS: Add a common function to set up sdap_id_ctx
* TESTS: Move krb5_try_kdcip to nested group test
* TESTS: Add unit test for the subdomain_server.c module
* IPA: Fetch keytab for 1way trusts
* AD: Rename ad_set_ad_id_options to ad_set_sdap_options
* AD: Rename ad_create_default_options to ad_create_2way_trust_options
* AD: Split off ad_create_default_options
* IPA/AD: Set up AD domain in ad_create_2way_trust_options
* IPA: Do not set AD_KRB5_REALM twice
* AD: Add ad_create_1way_trust_options
* IPA: Utility function for setting up one-way trust context
* LDAP: Do not set keytab through environment variable
* LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
* CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss
* BUILD: Store keytabs in /var/lib/sss/keytabs
* Updating the translations for the 1.13 Alpha release
* Updating the version.m4 file for the 1.13 Beta release

John Dickerson (1):
* MAN: Amend the description of ignore_group_members

Lukas Slebodnik (59):
* MAN: Remove indentation in element programlisting
* Fix warning: for loop has empty body
* Bump version to track 1.13 development
* SPEC: Use libnl3 for epel6
* MAKE: Don't include autoconf generated file to tarball
* TESTS: Mock return value of sdap_get_generic_recv
* test_nested_groups: Additional unit tests
* Fix warning: equality comparison with extraneous parentheses
* LDAP: Conditional jump depends on uninitialised value
* BUILD: Remove unused libraries for pysss.so
* BUILD: Remove unused variables
* BUILD: Remove detection of type Py_ssize_t
* UTIL: Remove python wrapper sss_python_set_new
* UTIL: Remove python wrapper sss_python_set_add
* UTIL: Remove python wrapper sss_python_set_check
* UTIL: Remove compatibility macro PyModule_AddIntMacro
* UTIL: Remove python wrapper sss_python_unicode_from_string
* BUILD: Use python-config for detection *FLAGS
* SPEC: Use new convention for python packages
* SPEC: Move python bindings to separate packages
* BUILD: Add possibility to build python{2,3} bindings
* TESTS: Run python tests with all supported python versions
* SPEC: Replace python_ macros with python2_
* SPEC: Build python3 bindings on available platforms
* BUILD: Uninstall also symbolic links to python bindings
* Remove unused argument from be_nsupdate_create_fwd_msg
* IPA: Remove unused argument from ipa_id_get_group_uuids
* Remove useless assignment to function parameter
* PAC: Fix memory leak
* responder_cache: Fix warning may be used uninitialized
* debug-tests: Fix test with new line in debug message
* BUILD: Add missing header file to tarball
* pam_client: fix casting to const pointer
* test_expire: Use right assertion macro for standard functions
* test_ldap_auth: Use right assertion for integer comparison
* test_resolv_fake: Fix alignment warning
* PAC: Remove unused function
* KRB5: Unify prototype and definition
* util-tests: Initialize boolean variable to default value
* SPEC: Drop workaround for old libtool
* SPEC: Drop workarounds for old rpmbuild
* SPEC: Remove unused option
* SPEC: Few cosmetic changes
* simple_access-tests: Simplify assertion
* sysdb-tests: Add missing assertions
* sysdb-tests: test return value before output arguments
* ad_opts: Use different default attribute for group name
* BUILD: Write hints about optional python bindings
* sss_client: Fix mixed enums
* LDAP: Remove dead assignment
* sss_client: Fix warning "_" redefined
* SSSDConfigTest: Use unique temporary directory
* util-tests: Add validation of internal error messages
* SDAP: Check return value before using output arguments
* SDAP: Log failure from sysdb_handle_original_uuid
* test_ipa_subdomains_server: Run clean-up after success
* IFP: Fix warnings with enabled optimisation
* SDAP: Remove user from cache for missing user in LDAP
* test_ipa_subdom_server: Add missing assert

Michal Zidek (2):
* Use FQDN if default domain was set
* MAN: default_domain_suffix with use_fully_qualified_names.
Nikolai Kondrashov (3):
* BUILD: Add AM_PYTHON2_MODULE macro
* Add integration tests
* BUILD: Fix variable substitution in cwrap.m4

Pavel Březina (53):
* tests: refactor create_dom_test_ctx()
* tests: add create_multidom_test_ctx()
* tests: add test_multidom_suite_cleanup()
* tests: remove code duplication in single domain cleanup
* responders: new interface for cache request
* responders: enable views in cache request
* IFP: use new cache interface
* server-tests: use strtouint32 instead strtol
* sbus: add new iface via sbus_conn_register_iface()
* sbus: move iface and object path code to separate file
* sbus: use 'path/*' to represent a D-Bus fallback
* sbus: support multiple interfaces on single path
* sbus: add object path to sbus request
* sbus: add sbus_opath_hash_lookup_supported()
* sbus: support org.freedesktop.DBus.Introspectable
* sbus: support org.freedesktop.DBus.Properties
* sbus: unify naming of handler data variable
* sbus: move common opath functions from ifp to sbus code
* sbus: add sbus_opath_get_object_name()
* ifp: fix potential memory leak in check_and_get_component_from_path()
* sbus: use hard coded getters instead of generated
* sbus: remove unused 'reply as' functions
* IFP: move interface definitions from ifpsrv.c into separate file
* IFP: unify generated interfaces names
* sbus codegen: do not prefix getters with iface name
* IFP: simplify object path constant names
* sbus: add constant to represent subtree
* be_refresh: get rid of callback pointers
* sysdb: use sysdb_user/group_dn
* cache_req tests: rename test_user to test_user_by_name
* cache_req tests: define user name constant
* cache_req: preparations for different input type
* cache_req: add support for user by uid
* cache_req: add support for group by name
* cache_req: remove default branch from switches
* cache_req: add support for group by id
* cmocka: include mock_parse_inp in header file
* cache_req: parse input name if needed
* cache_req: return ERR_INTERNAL if more than one entry is found
* sbus: provide custom error names
* sbus: add sbus_opath_decompose[_exact]
* sbus: add a{sas} get invoker
* IFP: add org.freedesktop.sssd.infopipe.Users
* IFP: add org.freedesktop.sssd.infopipe.Users.User
* IFP: add org.freedesktop.sssd.infopipe.Groups
* IFP: add org.freedesktop.sssd.infopipe.Groups.Group
* IFP: deprecate GetUserAttr
* IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
* SBUS: Use default GetAll invoker if none is set
* SBUS: Add support for <node /> in introspection
* IFP: Export nodes
* sbus: add support for incoming signals
* sbus: listen to NameOwnerChanged

Pavel Reichl (17):
* add missing '\n' in debug messages
* PROXY: add missing space in debug message
* BUILD: fix chmake not to generate warning
* SDAP: log expired accounts at lower severity level
* KRB5: add debug hint
* TESTS: test expiration
* ldap: refactor check_pwexpire_kerberos to use util func
* ldap: refactor nds_check_expired to use util func
* Fix a few typos in comments
* sbus: sbus_opath_hash_add_iface free tmp talloc ctx
* krb5: remove field run_as_user
* localauth plugin: fix coverity warning
* dyndns: remove dupl declaration of ipa_dyndns_update
* dyndns: don't pass zone directive to nsupdate
* dyndns: ipa_dyndns.h missed declaration of used data
* krb: remove duplicate decl. of write_krb5info_file
* IPA: Don't override homedir with subdomain_homedir

Stephen Gallagher (4):
* LDAP: Support returning referral information
* AD GPO: Support processing referrals
* AD GPO: Change default to "enforcing"
* Add Vagrant configuration for SSSD

Sumit Bose (22):
* Add leak check and command line option to test_authtok
* utils: add sss_authtok_[gs]et_2fa
* pam: handle 2FA authentication token in the responder
* Add pre-auth request
* krb5-child: add preauth and split 2fa token support
* IPA: create preauth indicator file at startup
* pam_sss: add pre-auth and 2fa support
* Add cache_credentials_minimal_first_factor_length config option
* sysdb: add sysdb_cache_password_ex()
* krb5: save hash of the first authentication factor to the cache
* krb5: try delayed online authentication only for single factor auth
* 2FA offline auth
* pam_sss: move message encoding into separate file
* PAM: add PAM responder unit test
* adding ldap_user_auth_type where missing
* LDAP: add ldap_user_certificate option
* certs: add PEM/DER conversion utilities
* sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
* LDAP/IPA: add user lookup by certificate
* ncache: add calls for certificate based searches
* utils: add get_last_x_chars()
* IFP: add FindByCertificate method for User objects

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest