Re: [Freeipa-users] Announcing SSSD 1.13.4

2016-04-28 Thread Terry John
>>I am plagued by the "sssd dereference processing failed : Input/output error"
>>problem. Is there any news when this version of sssd will be released for 
>>RedHat/Centos?

>If you are interested in testing of sssd-1.13.4 then you can test 
>upstream(backported from fedora) version in copr.
>https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/

Ok thanks
I'll see if I can give it a try
Terry


The Manheim group of companies within the UK comprises: Manheim Europe Limited 
(registered number: 03183918), Manheim Auctions Limited (registered number: 
00448761), Manheim Retail Services Limited (registered number: 02838588), 
Motors.co.uk Limited (registered number: 05975777), Real Time Communications 
Limited (registered number: 04277845) and Complete Automotive Solutions Limited 
(registered number: 05302535). Each of these companies is registered in England 
and Wales with the registered office address of Central House, Leeds Road, 
Rothwell, Leeds LS26 0JE. The Manheim group of companies operates under various 
brand/trading names including Manheim Inspection Services, Manheim Auctions, 
Manheim Direct, Manheim De-fleet and Manheim Aftersales Solutions.

V:0CF72C13B2AC



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Announcing SSSD 1.13.4

2016-04-28 Thread Lukas Slebodnik
On (28/04/16 09:08), Terry John wrote:
>I am plagued by the "sssd dereference processing failed : Input/output error"
>problem. Is there any news when this version of sssd will be released
>for RedHat/Centos?
>
If you are interested in testing of sssd-1.13.4
then you can test upstream(backported from fedora) version
in copr.

https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Announcing SSSD 1.13.4

2016-04-28 Thread Jakub Hrozek
On Thu, Apr 28, 2016 at 09:08:18AM +, Terry John wrote:
> I am plagued by the "sssd dereference processing failed : Input/output error" 
> problem. Is there any news when this version of sssd will be released for 
> RedHat/Centos?
> 
> My current version is: 1.12.4-47.el6

RHEL-6.8. But please note that in most cases it's just a harmless error
message. Do you actually see some issue or just an annoying message in
the logs?


> 
> Terry
> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: 14 April 2016 16:17
> To: sssd-de...@lists.fedorahosted.org; sssd-us...@lists.fedorahosted.org; 
> freeipa-users@redhat.com; freeipa-inter...@redhat.com
> Subject: [Freeipa-users] Announcing SSSD 1.13.4
> 
> == SSSD 1.13.4 ===
> 
> The SSSD team is proud to announce the release of version 1.13.4 of the 
> System Security Services Daemon.
> 
> As always, the source is available from https://fedorahosted.org/sssd
> 
> RPM packages will be made available for Fedora shortly.
> 
> == Feedback ==
> Please provide comments, bugs and other feedback via the sssd-devel or 
> sssd-users mailing lists:
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> 
> == Highlights ==
> * The IPA sudo provider was reimplemented. The new version reads the
>   data from IPA's LDAP tree (as opposed to the compat tree populated by
>   the slapi-nis plugin that was used previously). The benefit is that
>   deployments which don't require the compat tree for other purposes,
>   such as support for non-SSSD clients can disable those autogenerated
>   LDAP trees to conserve resources that slapi-nis otherwise requires. 
> There
>   should be no visible changes to the end user.
> * SSSD now has the ability to renew the machine credentials (keytabs)
>   when the ad provider is used. Please note that a recent version of
>   the adcli (0.8 or newer) package is required for this feature to work.
> * The automatic ID mapping feature was improved so that the administrator
>   is no longer required to manually set the range size in case a RID in
>   the AD domain is larger than the default range size
> * A potential infinite loop in the NFS ID mapping plugin that was
>   resulting in an excessive memory usage was fixed
> * Clients that are pinned to a particular AD site using the ad_site
>   option no longer communicate with DCs outside that site during service
>   discovery.
> * The IPA identity provider is now able to resolve external
>   (typically coming from a trusted AD forest) group members during
>   get-group-information requests. Please note that resolving external
>   group memberships for AD users during the initgroup requests used to
>   work even prior to this update. This feature is mostly useful for cases
>   where an IPA client is using the compat tree to resolve AD trust users.
> * The IPA ID views feature now works correctly even for deployments
>   without a trust relationship. Previously, the subdomains IPA provider
>   failed to read the views data if no master domain record was created
>   on the IPA server during trust establishment.
> * A race condition in the client libraries between the SSSD closing
>   the socket as idle and the client application using the socket was
>   fixed. This bug manifested with a Broken Pipe error message on the
>   client.
> * SSSD is now able to resolve users with the same usernames in different
>   OUs of an AD domain
> * The smartcard authentication now works properly with gnome-screensaver
> 
> == Packaging Changes ==
> * The krb5.include.d directory is now owned by the sssd user and
>   packaged in the krb5-common subpackage
> 
> == Documentation Changes ==
> * A new option ldap_idmap_helper_table_size was added. This option can
>   help tune allocation of new ID mapping slices for AD domains with a high
>   RID values. Most deployments can use the default value of this option.
> * Several PAM services were added to the lists that are used to map
>   Windows logon services to Linux PAM services. The newly added PAM
>   services include login managers (lightdm, lxdm, sddm and xdm) as well
>   as the cockpit service.
> * The AD machine credentials renewal task can be fine-tuned using
>   the ad_machine_account_password_renewal_opts to change the initial
>   delay and period of the credentials renewal task. In addition, the new
>   ad_maximum_machine_a

Re: [Freeipa-users] Announcing SSSD 1.13.4

2016-04-28 Thread Terry John
I am plagued by the "sssd dereference processing failed : Input/output error" 
problem. Is there any news when this version of sssd will be released for 
RedHat/Centos?

My current version is: 1.12.4-47.el6

Terry

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: 14 April 2016 16:17
To: sssd-de...@lists.fedorahosted.org; sssd-us...@lists.fedorahosted.org; 
freeipa-users@redhat.com; freeipa-inter...@redhat.com
Subject: [Freeipa-users] Announcing SSSD 1.13.4

== SSSD 1.13.4 ===

The SSSD team is proud to announce the release of version 1.13.4 of the System 
Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly.

== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or 
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
* The IPA sudo provider was reimplemented. The new version reads the
  data from IPA's LDAP tree (as opposed to the compat tree populated by
  the slapi-nis plugin that was used previously). The benefit is that
  deployments which don't require the compat tree for other purposes,
  such as support for non-SSSD clients can disable those autogenerated
  LDAP trees to conserve resources that slapi-nis otherwise requires. There
  should be no visible changes to the end user.
* SSSD now has the ability to renew the machine credentials (keytabs)
  when the ad provider is used. Please note that a recent version of
  the adcli (0.8 or newer) package is required for this feature to work.
* The automatic ID mapping feature was improved so that the administrator
  is no longer required to manually set the range size in case a RID in
  the AD domain is larger than the default range size
* A potential infinite loop in the NFS ID mapping plugin that was
  resulting in an excessive memory usage was fixed
* Clients that are pinned to a particular AD site using the ad_site
  option no longer communicate with DCs outside that site during service
  discovery.
* The IPA identity provider is now able to resolve external
  (typically coming from a trusted AD forest) group members during
  get-group-information requests. Please note that resolving external
  group memberships for AD users during the initgroup requests used to
  work even prior to this update. This feature is mostly useful for cases
  where an IPA client is using the compat tree to resolve AD trust users.
* The IPA ID views feature now works correctly even for deployments
  without a trust relationship. Previously, the subdomains IPA provider
  failed to read the views data if no master domain record was created
  on the IPA server during trust establishment.
* A race condition in the client libraries between the SSSD closing
  the socket as idle and the client application using the socket was
  fixed. This bug manifested with a Broken Pipe error message on the
  client.
* SSSD is now able to resolve users with the same usernames in different
  OUs of an AD domain
* The smartcard authentication now works properly with gnome-screensaver

== Packaging Changes ==
* The krb5.include.d directory is now owned by the sssd user and
  packaged in the krb5-common subpackage

== Documentation Changes ==
* A new option ldap_idmap_helper_table_size was added. This option can
  help tune allocation of new ID mapping slices for AD domains with a high
  RID values. Most deployments can use the default value of this option.
* Several PAM services were added to the lists that are used to map
  Windows logon services to Linux PAM services. The newly added PAM
  services include login managers (lightdm, lxdm, sddm and xdm) as well
  as the cockpit service.
* The AD machine credentials renewal task can be fine-tuned using
  the ad_machine_account_password_renewal_opts to change the initial
  delay and period of the credentials renewal task. In addition, the new
  ad_maximum_machine_account_password_age option allows the administrator
  to select how old the machine credential must be before trying to
  renew it.
* The administrator can use the new option pam_account_locked_message to
  set a custom informational message when the account logging in is locked.

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1041
[RFE] Support Automatic Renewing of Kerberos Host Keytabs
https://fedorahosted.org/sssd/ticket/1108
[RFE] SUDO: Support the IPA schema
https://fedorahosted.org/sssd/ticket/2188
automatically assign new slices for any AD domain
https://fedorahosted.org/sssd/ticket/2522