[SSSD] Re: [SSSD-users] Announcing SSSD 2.2.1

Thu, 29 Aug 2019 05:39:42 -0700 

I am sorry I did not include all translation
files into the tarball for this release. I will do another
minor release that will update the translation as well.

Please disregard the 2.2.1 version.
Sorry for the inconvenience.

Michal

On 8/28/19 10:07 AM, Michal Židek wrote:

             == SSSD 2.2.1 ===

The SSSD team is proud to announce the release of version 2.2.1 of the
System Security Services Daemon. The tarball can be downloaded from:
     https://releases.pagure.org/SSSD/sssd/

RPM packages will be made available for Fedora shortly.

Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
     https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
     https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Highlights
----------

New features
^^^^^^^^^^^^
* New options were added which allow sssd-kcm to handle bigger data.
   See manual pages for ``max_ccaches``, ``max_uid_caches``  and
   ``max_ccache_size``.
* SSSD can now automatically refresh cached user data from subdomains
   in IPA/AD trust.

Notable bug fixes
^^^^^^^^^^^^^^^^^
* Fixed issue with SSSD hanging when connecting to non-responsive
   server with ldaps://
* SSSD is now restarted by systemd after crashes.
* Fixed refression when dyndns_update was set to True and
   dyndns_refresh_interval was not set or set to 0 then DNS
   records were not updated at all.
* Fixed issue when ``default_domain_suffix`` was used with
   ``id_provider = files`` and caused all results from files domain to be
   fully qualified.
* Fixed issue with sudo rules not being visible on OpenLDAP servers
* Fixed crash with ``auth_provider = proxy`` that prevented logins


Packaging Changes
-----------------
None

Documentation Changes
---------------------
A new option ``dns_resolver_server_timeout`` was added
A new option ``max_ccaches`` was added
A new option ``max_uid_ccaches`` was added
A new option ``max_ccache_size`` was added
A new option ``ocsp_dgst`` was added

Tickets Fixed
-------------
 * `2878 <https://pagure.io/SSSD/sssd/issue/2878>`_ - sssd failover does not work on connecting to non-responsive ldaps:// server  * `3217 <https://pagure.io/SSSD/sssd/issue/3217>`_ - Conflicting default timeout values  * `3386 <https://pagure.io/SSSD/sssd/issue/3386>`_ - sssd-kcm cannot handle big tickets  * `3489 <https://pagure.io/SSSD/sssd/issue/3489>`_ - p11_child should work wit openssl1.0+  * `3685 <https://pagure.io/SSSD/sssd/issue/3685>`_ - KCM: Default to a new back end that would write to the secrets database directly 
  * `3833 <https://pagure.io/SSSD/sssd/issue/3833>`_ - port to pcre2
 * `3894 <https://pagure.io/SSSD/sssd/issue/3894>`_ - multihost tests: ldb-tools is needed for multihost tests  * `3905 <https://pagure.io/SSSD/sssd/issue/3905>`_ - SSSD doesn't clear cache entries for IDs below min_id.  * `4012 <https://pagure.io/SSSD/sssd/issue/4012>`_ - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust  * `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ - EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1  * `4028 <https://pagure.io/SSSD/sssd/issue/4028>`_ - sssd-kcm calls sssd-genconf which triggers nscd warning  * `4037 <https://pagure.io/SSSD/sssd/issue/4037>`_ - Logins fail after upgrade to 2.2.0  * `4040 <https://pagure.io/SSSD/sssd/issue/4040>`_ - Reasonable to Restart sssd on crashes?  * `4046 <https://pagure.io/SSSD/sssd/issue/4046>`_ - sudo: incorrect usn value for openldap  * `4047 <https://pagure.io/SSSD/sssd/issue/4047>`_ - dyndns_update = True is no longer not enough to get the IP address of the machine updated in IPA upon sssd.service startup  * `4050 <https://pagure.io/SSSD/sssd/issue/4050>`_ - nss_cmd_endservent resets the wrong index  * `4052 <https://pagure.io/SSSD/sssd/issue/4052>`_ - sssd config option "default_domain_suffix" should not cause the files domain entries to be qualified  * `3931 <https://pagure.io/SSSD/sssd/issue/3931>`_ - proxy provider is not working with enumerate=true when trying to fetch all groups  * `4043 <https://pagure.io/SSSD/sssd/issue/4043>`_ - Typo in systemd.m4 prevents detection of systemd.pc  * `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative cache does not use values from 'filter_users' config option  * `4032 <https://pagure.io/SSSD/sssd/issue/4032>`_ - p11_child::do_ocsp() function implementation is not FIPS140 compliant  * `4039 <https://pagure.io/SSSD/sssd/issue/4039>`_ - p11_child::sign_data() function implementation is not FIPS140 compliant  * `4056 <https://pagure.io/SSSD/sssd/issue/4056>`_ - permission denied on logs when running sssd as non-root user  * `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140 compliant usage of PRNG 
  * `2854 <https://pagure.io/SSSD/sssd/issue/2854>`_ - FAIL test-find-uid
 * `3962 <https://pagure.io/SSSD/sssd/issue/3962>`_ - Problem with tests/cmocka/test_dyndns.c  * `4022 <https://pagure.io/SSSD/sssd/issue/4022>`_ - utils: sss_hmac_sha1() function implementation is not FIPS140 compliant  * `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140 compliant usage of PRNG  * `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ - EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1 

Detailed changelog
------------------
Alex Rodin (1):
      tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to tevent_loop_wait() 

Alexey Tikhonov (14):
       util/crypto/libcrypto: changed sss_hmac_sha1()
       util/crypto/libcrypto: changed sss_hmac_sha1()
       util/secrets: memory leaks are fixed
       util/crypto/nss/nss_nite: params sanitization
       crypto/libcrypto/crypto_nite: HMAC calculation changed
       util/find_uid.c: fixed debug message
       util/find_uid.c: fixed race condition bug
       util/crypto: removed erroneous declaration
       util/crypto/sss_crypto.c: cleanup of includes
       util/crypto: generate_csprng_buffer() changed
       util/crypto: added sss_rand()
       crypto/libcrypto/crypto_nite.c: memory leak fixed
       FIPS140 compliant usage of PRNG
       crypto/nss: some nss_ctx_init() params made const

Jakub Hrozek (34):
       Updating the version for the 2.2.1 release
       TESTS: Install expect to drive password-change modifications
       TESTS: Also add LDAP password when creating users
      TESTS: Test changing LDAP password with extended operation and modification 
       TEST: Add a multihost test for not returning / for an empty home dir
      MONITOR: Don't check for the nscd socket while regenerating configuration 
       SYSDB: Add sysdb_search_with_ts_attr
       BE: search with sysdb_search_with_ts_attr
       BE: Enable refresh for multiple domains
       BE: Make be_refresh_ctx_init set up the periodical task, too
      BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end       BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME       BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx       BE/LDAP: Split out a helper function from sdap_refresh for later reuse 
       BE: Pass in filter_type when creating the refresh account request
       BE: Send refresh requests in batches
      BE: Extend be_ptask_create() with control when to schedule next run after success       BE: Schedule the refresh interval from the finish time of the last run 
       AD: Implement background refresh for AD domains
       IPA: Implement background refresh for IPA domains
       BE/IPA/AD/LDAP: Add inigroups refresh support
      BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication 
       IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
       MAN: Amend the documentation for the background refresh
      DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function       IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request 
       MAN: Get rid of sssd-secrets reference
      MAN: Document that it is enough to systemctl restart sssd-kcm.service lately       SECRETS: Use different option names from secrets and KCM for quota options 
       SECRETS: Don't limit the global number of ccaches
       KCM: Pass confdb context to the ccache db initialization
       KCM: Configurable quotas for the secdb ccache back end
       TESTS: Add tests for the configurable quotas
      Don't qualify users from files domain when default_domain_suffix is set 

Jakub Jelen (1):
       pam_sss: Add missing colon to the PIN prompt

Lukas Slebodnik (1):
       PROXY: Return data in output parameter if everything is OK

Michal Židek (2):
       TESTS: ldb-tools and sssd-tools are required for multihost tests
       Update the translations for the 2.2.1 release

Niranjan M.R (1):
       TESTS: Test kvno correctly displays vesion numbers of principals

Pavel Březina (11):
       ci: disable timeout
       ci: switch to new tooling and remove 'Read trusted files' stage
       ci: rebase pull request on the target branch
       ci: print node on which the test is being run
       sudo: use proper datetime for default modifyTimestamp value
       systemd: add Restart=on-failure to sssd.service
       man: fix description of dns_resolver_op_timeout
       man: fix description of dns_resolver_timeout
       failover: add dns_resolver_server_timeout option
       failover: change default timeouts
       config: add dns_resolver_op_timeout to option list

Sam Morris (1):
       build: fix detection of systemd.pc

Samuel Cabrero (1):
       nss: Fix command 'endservent' resetting wrong struct member

Sumit Bose (10):
       negcache: add fq-usernames of know domains to all UPN neg-caches
       p11_child: prefer better digest function if card supports it
       p11_child: fix a memory leak and other memory mangement issues
       pam: make sure p11_child.log has the right permissions
       ssh: make sure p11_child.log has the right permissions
       BE: make sure child log files have the right permissions
       utils: remove unused prototype (cert_to_ssh_key)
       utils: move parse_cert_verify_opts() into separate file
       p11_child: make OCSP digest configurable
       pam: fix loop in Smartcard authentication

Tomas Halman (9):
       MAN: ldap_user_home_directory default missing
       pcre: port to pcre2
       CACHE: SSSD doesn't clear cache entries
       LDAP: failover does not work on non-responsive ldaps
       CONFDB: Files domain if activated without .conf
       TESTS: adapt tests to enabled default files domain
       BE: Introduce flag for be_ptask_create
       BE: Convert be_ptask params to flags
       DYNDNS: dyndns_update is not enough

Yuri Chornoivan (1):
       Fix minor typos in docs
_______________________________________________
sssd-users mailing list -- sssd-us...@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ 
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org 
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org

Reply via email to