== SSSD 1.13.2 === The SSSD team is proud to announce the release of version 1.13.2 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora shortly. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * This is primarily a bugfix release, with minor features added to the local overrides feature * The sss_override tool gained new user-show, user-find, group-show and group-find commands * The PAM responder was crashing if PAM_USER was set to an empty string. This bug was fixed * The sssd_be process could crash when looking up groups in setups with IPA-AD trusts that use POSIX attributes but do not replicate them to the Global Catalog * A socket leak in case SSSD couldn't establish a connection to an LDAP server was fixed * SSSD's memory cache now behaves better when used by long-running applications such as system deamons and the administrator invalidates the cache * The SSSDConfig Python API no longer throws an exception when config_file_version is missing * The InfoPipe D-Bus interface is able to retrieve user groups correctly if the user is a member of non-POSIX groups like ipausers as well * Lookups by certificate now work correctly in multi-domain environment * The lookup of POSIX attributes after startup was relaxed to only check attribute presence, not validity. The POSIX check was also made less verbose * A bug when looking up a subdomain user by UPN users was fixed == Packaging Changes == * The memory cache for initgroups results was previously not packaged. This bug was fixed. * Python 2/3 packaging in the RPM specfile was improved == Tickets Fixed == https://fedorahosted.org/sssd/ticket/2176 warn if memcache_timeout is greater than entry_cache_timeout https://fedorahosted.org/sssd/ticket/2493 Check chown_debug_file() usage https://fedorahosted.org/sssd/ticket/2673 Consider also disabled domains when link_forest_roots() is called https://fedorahosted.org/sssd/ticket/2697 extend PAM responder unit test https://fedorahosted.org/sssd/ticket/2706 Contribute and DevelTips are duplicate https://fedorahosted.org/sssd/ticket/2726 Long living applicantion can use removed memory cache. https://fedorahosted.org/sssd/ticket/2730 responder_cache_req-tests failed https://fedorahosted.org/sssd/ticket/2736 sss_override: add find and show commands https://fedorahosted.org/sssd/ticket/2759 sbus_codegen_tests leaves a process running https://fedorahosted.org/sssd/ticket/2779 Review and update wiki pages for 1.13.2 https://fedorahosted.org/sssd/ticket/2786 Create a wiki page that lists security-sensitive options https://fedorahosted.org/sssd/ticket/2792 SSSD is not closing sockets properly https://fedorahosted.org/sssd/ticket/2800 Relax POSIX check https://fedorahosted.org/sssd/ticket/2802 sss_override segfaults when accidentally adding --help flag to some commands https://fedorahosted.org/sssd/ticket/2804 Size limit exceeded too loud during POSIX check https://fedorahosted.org/sssd/ticket/2807 CI: configure script failed on CentOS {6,7} https://fedorahosted.org/sssd/ticket/2810 sssd_be crashed https://fedorahosted.org/sssd/ticket/2811 PAM responder crashed if user was not set https://fedorahosted.org/sssd/ticket/2814 avoid symlinks witih python modules https://fedorahosted.org/sssd/ticket/2819 CI: test_ipa_subdomains_server failed on rhel6 + --coverage (FAIL: test_ipa_subdom_server) https://fedorahosted.org/sssd/ticket/2826 sss_override: memory violation https://fedorahosted.org/sssd/ticket/2827 bug in UPN lookups for subdomain users https://fedorahosted.org/sssd/ticket/2833 local overrides: don't contact server with overriden name/id https://fedorahosted.org/sssd/ticket/2837 REGRESSION: ipa-client-automout failed https://fedorahosted.org/sssd/ticket/2861 sssd crashes if non-UTF-8 locale is used https://fedorahosted.org/sssd/ticket/2863 IFP: ifp_users_user_get_groups doesn't handle non-POSIX groups == Detailed Changelog == Dan Lavu (1): * sss_override: Add restart requirements to man page Jakub Hrozek (10): * Bump the version for the 1.13.2 development * AD: Provide common connection list construction functions * AD: Consolidate connection list construction on ad_common.c * tests: Fix compilation warning * tools: Don't shadow 'exit' * IFP: Skip non-POSIX groups properly * DP: Drop dp_pam_err_to_string * DP: Check callback messages for valid UTF-8 * sbus: Check string arguments for valid UTF-8 strings * Updating translations for the 1.13.2 release Lukas Slebodnik (33): * CI: Fix configure script arguments for CentOS * CI: Don't depend on user input with apt-get * CI: Add missing dependency for debian * CI: Run integration tests on debian testing * BUILD: Link just libsss_crypto with crypto libraries * BUILD: Link crypto_tests with existing library * BUILD: Remove unused variable TEST_MOCK_OBJ * BUILD: Avoid symlinks with python modules * SSSDConfigTest: Try load saved config * SSSDConfigTest: Test real config without config_file_version * intg_tests: Fix PEP8 warnings * BUILD: Accept krb5 1.14 for building the PAC plugin * BUILD: Fix detection of pthread with strict CFLAGS * BUILD: Fix doc directory for sss_simpleifp * LDAP: Fix leak of file descriptors * CI: Workaroung for code coverage with old gcc * cache_req: Fix warning -Wshadow * SBUS: Fix warnings -Wshadow * TESTS: Fix warnings -Wshadow * INIT: Drop syslog.target from service file * sbus_codegen_tests: Suppress warning Wmaybe-uninitialized * DP_PTASK: Fix warning may be used uninitialized * UTIL: Fix memory leak in switch_creds * TESTS: Initialize leak check * TESTS: Check return value of check_leaks_pop * TESTS: Make check_leaks static function * TESTS: Add warning for unused result of leak check functions * sss_client: Fix underflow of active_threads * sssd_client: Do not use removed memory cache * test_memory_cache: Test removing mc without invalidation * Revert "intg: Invalidate memory cache before removing files" * CONFIGURE: Bump AM_GNU_GETTEXT_VERSION * test_sysdb_subdomains: Do not use assignment in assertions Michal Židek (7): * SSSDConfig: Do not raise exception if config_file_version is missing * spec: Missing initgroups mmap file * util: Update get_next_domain's interface * tests: Add get_next_domain_flags test * sysdb: Include disabled domains in link_forest_roots * sysdb: Use get_next_domain instead of dom->next * Refactor some conditions Nikolai Kondrashov (13): * CI: Update reason blocking move to DNF * CI: Exclude whitespace_test from Valgrind checks * intg: Get base DN from LDAP connection object * intg: Add support for specifying all user attrs * intg: Split LDAP test fixtures for flexibility * intg: Reduce sssd.conf duplication in test_ldap.py * intg: Fix RFC2307bis group member creation * intg: Do not use non-existent pre-increment * CI: Do not skip tests not checked with Valgrind * CI: Handle dashes in valgrind-condense * intg: Fix all PEP8 issues * CI: Enforce coverage make check failures * intg: Add more LDAP tests Pavel Březina (23): * sss tools: improve option handling * sbus codegen tests: free ctx * cache_req: provide extra flag for oob request * cache_req: add support for UPN * cache_req tests: reduce code duplication * cache_req: remove raw_name and do not touch orig_name * sss_override: fix comment describing format * sss_override: explicitly set ret = EOK * sss_override: steal msgs string to objs * nss: send original name and id with local views if possible * sudo: search with view even if user is found * sudo: send original name and id with local views if possible * sss_tools: always show common and help options * sss_override: fix exporting multiple domains * sss_override: add user-find * sss_override: add group-find * sss_override: add user-show * sss_override: add group-show * sss_override: do not free ldb_dn in get_object_dn() * sss_override: use more generic help text * sss_tools: do not allow unexpected free argument * BE: Add IFP to known clients * AD: remove annoying debug message Pavel Reichl (12): * AD: add debug messages for netlogon get info * confdb: warn if memcache_timeout > than entry_cache * SDAP: Relax POSIX check * SDAP: optional warning - sizelimit exceeded in POSIX check * SDAP: allow_paging in sdap_get_generic_ext_send() * SDAP: change type of attrsonly in sdap_get_generic_ext_state * SDAP: pass params in sdap_get_and_parse_generic_send * sss_override: amend man page - overrides do not stack * sss_override: Removed overrides might be in memcache * pam-srv-tests: split pam_test_setup() so it can be reused * pam-srv-tests: Add UT for cached 'online' auth. * intg: Add test for user and group local overrides Petr Cech (9): * DEBUG: Preventing chown_debug_file if journald on * TEST: Add test_user_by_recent_filter_valid * TEST: Refactor of test_responder_cache_req.c * TEST: Refactor of test_responder_cache_req.c * TEST: Add common function are_values_in_array() * TEST: Add test_users_by_recent_filter_valid * TEST: Add test_group_by_recent_filter_valid * TEST: Refactor of test_responder_cache_req.c * TEST: Add test_groups_by_recent_filter_valid Stephen Gallagher (2): * LDAP: Inform about small range size * Monitor: Show service pings at debug level 8 Sumit Bose (5): * PAM: only allow missing user name for certificate authentication * fix ldb_search usage * fix upn cache_req for sub-domain users * nss: fix UPN lookups for sub-domain users * cache_req: check all domains for lookups by certificate _______________________________________________ Freeipa-interest mailing list Freeipa-interest@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-interest