On Wed, Mar 7, 2018 at 5:51 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> Hi,
>
> I would like to release 1.16.1 tomorrow. There is one open ticket still in
> the milestone, but there is just a minor question in the PR
> (https://github.com/SSSD/sssd/pull/528) and even if we can’t merge that PR by
> tomorrow, I think the ticket should not be blocking the release. Is everyone
> OK with that?

Ack! And I'd prefer to have PR #528 merged, if the time allows.

>
> Below please see a draft of the release notes. Comments are welcome.
>
> SSSD 1.16.1
> ===========
>
> Highlights
> ----------
>
> New Features
> ^^^^^^^^^^^^
> * A new option ``auto_private_groups`` was added. If this option is
>   enabled, SSSD will automatically create user private groups based on
>   user's UID number. The GID number is ignored in this case. Please see
>   https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html
>   for more details on the feature.
>
> * The SSSD smart card integration now supports a special type of PAM
>   conversation implemented by GDM which allows the user to select the
>   appropriate smart card certificate in GDM. Please refer to
>   https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certificates.html
>   for more details about this feature.
>
> * A new API for accessing user and group information was added. This API
>   is similar to the traditional Name Service Switch API, but allows
>   the consumer to talk to SSSD directly as well as to fine-tune
>   the query with e.g. how cache should be evaluated. Please see
>   https://docs.pagure.org/SSSD.sssd/design_pages/enhanced_nss_api.html
>   for more information on the new API.
>
> * The ``sssctl`` command line tool gained a new command ``access-report``,
>   which can generate who can access the client machine. Currently only
>   generating the report on an IPA client based on HBAC rules is supported.
>   Please see
>   https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html
>   for more information about this new feature.
>
> * The ``hostid`` provider was moved from the IPA specific code to the
>   generic LDAP code. This allows SSH host keys to be accessed by the
>   generic LDAP provider as well. See the ``ldap_host_*`` options in the
>   ``sssd-ldap`` manual page for more details.
>
> * Setting the ``memcache_timeout`` option to 0 disabled creating the
>   memory cache files altogether.
>   This can be useful in cases there is a
>   bug in the memory cache that needs working around.
>
> Performance enhancements
> ^^^^^^^^^^^^^^^^^^^^^^^^
> * Several internal changes to how objects are stored in the cache improve
>   SSSD performance in environments with large number of objects of the same
>   type (e.g. many users, many groups). In particular, several useless
>   indexes were removed and the most common object types no longer use the
>   indexed ``objectClass`` attribute, but use unindexed ``objectCategory``
>   instead (#3503)
>
> * In setups with ``id_provider=ad`` that use POSIX attributes which
>   are replicated to the Global Catalog, SSSD uses the Global Catalog to
>   determine which domain should be contacted for a by-ID lookup instead
>   of iterating over all domains. More details about this feature can
>   be found at
>   https://docs.pagure.org/SSSD.sssd/design_pages/uid_negative_global_catalog.html
>
> Notable bug fixes
> ^^^^^^^^^^^^^^^^^
> * A crash in ``sssd_nss`` that might have happened if a list of domains
>   was refreshed while a NSS lookup using this request was fixed (#3551)
>
> * A potential crash in ``sssd_nss`` during netgroup lookup in case the
>   netgroup object kept in memory was already freed (#3523)
>
> * Fixed a potential crash of ``sssd_be`` with two concurrent sudo refreshes
>   in case one of them failed (#3562)
>
> * A memory growth issue in ``sssd_nss`` that occurred when an entry was
>   removed from the memory cache was fixed (#3588)
>
> * Two potential memory growth issues in the ``sssd_be`` process that could
>   have hit configurations with ``id_provider=ad`` were fixed (#3639)
>
> * The ``selinux_child`` process no longer crashes on a system where SSSD
>   is compiled with SELinux support, but at the same time, the SELinux policy
>   is not even installed on the machine (#3618)
>
> * The memory cache consistency detection logic was fixed.
>   This would prevent
>   printing false positive memory cache corruption messages (#3571)
>
> * SSSD now remembers the last successfully discovered AD site and uses this
>   for DNS search to lookup a site and forest during the next lookup. This
>   prevents time outs in case SSSD was discovering the site using the global
>   list of DCs where some of the global DCs might be unreachable. (#3265)
>
> * SSSD no longer starts the implicit file domain when configured with
>   ``id_provider=proxy`` and ``proxy_lib_name=files``. This bug prevented
>   SSSD from being used in setups that combine identities from UNIX files
>   together with authentication against a remote source unless a files
>   domain was explicitly configured (#3590)
>
> * The IPA provider can handle switching between different ID views better
>   (#3579)
>
> * Previously, the IPA provider kept SSH public keys and certificates from
>   an ID view in its cache and returned them even if the public key or
>   certificate was then removed from the override (#3602, #3603)
>
> * FleetCommander profiles coming from IPA are applied even if they are
>   assigned globally (to ``category: ALL``), previously, only profiles
>   assigned to a host or a hostgroup were applied (#3449)
>
> * It is now possible to reset an expired password for users with 2FA
>   authentication enabled (#3585)
>
> * A bug in the AD provider which could have resulted in built-in AD groups
>   being incorrectly cached was fixed (#3610)
>
> * The SSSD watchdog can now cope better with time drifts (#3285)
>
> * The ``nss_sss`` NSS module's return codes for invalid cases were fixed
>
> * A bug in the LDAP provider that prevented setups with id_provider=proxy
>   and auth_provider=ldap with LDAP servers that do not allow anonymous
>   binds from working was fixed (#3451)
>
> Packaging Changes
> -----------------
> * The FleetCommander desktop profile path now uses stricter permissions,
>   751 instead of 755 (#3621)
>
> * A new option ``--logger`` was added to the ``sssd(8)``
>   binary. This option
>   obsoletes old options such as ``--debug-to-files``, although the old
>   options are kept for backwards compatibility.
>
> Documentation Changes
> ---------------------
> There are no notable documentation changes such as options changing default
> values etc in this release.
>
> Tickets Fixed
> -------------
>
> Detailed Changelog
> ------------------
> _______________________________________________
> sssd-devel mailing list -- email@example.com
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Best Regards,
--
Fabiano Fidêncio
_______________________________________________
sssd-devel mailing list -- firstname.lastname@example.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org