On Wed, Mar 7, 2018 at 5:51 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> Hi,
> I would like to release 1.16.1 tomorrow. There is one open ticket still in 
> the milestone, but there is just a minor question in the PR 
> (https://github.com/SSSD/sssd/pull/528) and even if we can’t merge that PR by 
> tomorrow, I think the ticket should not be blocking the release. Is everyone 
> OK with that?

Ack! And I'd prefer to have PR #528 merged, if the time allows.

> Below please see a draft of the release notes. Comments are welcome.
> SSSD 1.16.1
> ===========
> Highlights
> ----------
> New Features
> ^^^^^^^^^^^^
>   * A new option ``auto_private_groups`` was added.  If this option is
>     enabled, SSSD will automatically create user private groups based on
>     user's UID number. The GID number is ignored in this case. Please see
>     https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html
>     for more details on the feature.
>   * The SSSD smart card integration now supports a special type of PAM
>     conversation implemented by GDM which allows the user to select the
>     appropriate smart card certificate in GDM. Please refer to
>     https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certificates.html
>     for more details about this feature.
>   * A new API for accessing user and group information was added. This API
>     is similar to the traditional Name Service Switch API, but allows
>     the consumer to talk to SSSD directly as well as to fine-tune
>     the query with e.g. how cache should be evaluated. Please see
>     https://docs.pagure.org/SSSD.sssd/design_pages/enhanced_nss_api.html
>     for more information on the new API.
>   * The ``sssctl`` command line tool gained a new command ``access-report``,
>     which can generate who can access the client machine. Currently only
>     generating the report on an IPA client based on HBAC rules is supported.
>     Please see
>     https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html
>     for more information about this new feature.
>   * The ``hostid`` provider was moved from the IPA specific code to the
>     generic LDAP code. This allows SSH host keys to be accessed by the
>     generic LDAP provider
>     as well. See the ``ldap_host_*`` options in the ``sssd-ldap`` manual page
>     for more details.
>   * Setting the ``memcache_timeout`` option to 0 disabled creating the
>     memory cache files altogether. This can be useful in cases there is a
>     bug in the memory cache that needs working around.
> Performance enhancements
> ^^^^^^^^^^^^^^^^^^^^^^^^
>   * Several internal changes to how objects are stored in the cache improve
>     SSSD performance in environments with large number of objects of the same
>     type (e.g. many users, many groups). In particular, several useless
>     indexes were removed and the most common object types no longer use
>     the indexed ``objectClass`` attribute, but use unindexed
>     ``objectCategory`` instead
>     (#3503)
>   * In setups with ``id_provider=ad`` that use POSIX attributes which
>     are replicated to the Global Catalog, SSSD uses the Global Catalog to
>     determine which domain should be contacted for a by-ID lookup instead
>     of iterating over all domains.  More details about this feature can
>     be found at
>     https://docs.pagure.org/SSSD.sssd/design_pages/uid_negative_global_catalog.html
> Notable bug fixes
> ^^^^^^^^^^^^^^^^^
>  * A crash in ``sssd_nss`` that might have happened if a list of domains
>    was refreshed while a NSS lookup using this request was fixed (#3551)
>  * A potential crash in ``sssd_nss``  during netgroup lookup in case the
>    netgroup object kept in memory was already freed (#3523)
>  * Fixed a potential crash of ``sssd_be`` with two concurrent sudo refreshes
>    in case one of them failed (#3562)
>  * A memory growth issue in ``sssd_nss`` that occurred when an entry was
>    removed from the memory cache was fixed (#3588)
>  * Two potential memory growth issues in the ``sssd_be`` process that could
>    have hit configurations with ``id_provider=ad`` were fixed (#3639)
>  * The ``selinux_child`` process no longer crashes on a system where SSSD
>    is compiled with SELinux support, but at the same time, the SELinux policy
>    is not even installed on the machine (#3618)
>  * The memory cache consistency detection logic was fixed. This would prevent
>    printing false positive memory cache corruption messages (#3571)
>  * SSSD now remembers the last successfully discovered AD site and uses this
>    for DNS search to lookup a site and forest during the next lookup. This
>    prevents time outs in case SSSD was discovering the site using the global
>    list of DCs where some of the global DCs might be unreachable. (#3265)
>  * SSSD no longer starts the implicit file domain when configured with
>    ``id_provider=proxy`` and ``proxy_lib_name=files``. This bug prevented
>    SSSD from being used in setups that combine identities from UNIX files
>    together with authentication against a remote source unless a files
>    domain was explicitly configured (#3590)
>  * The IPA provider can handle switching between different ID views better
>    (#3579)
>  * Previously, the IPA provider kept SSH public keys and certificates from
>    an ID view in its cache and returned them even if the public key or
>    certificate was then removed from the override (#3602, #3603)
>  * FleetCommander profiles coming from IPA are applied even if they are
>    assigned globally (to ``category: ALL``), previously, only profiles
>    assigned to a host or a hostgroup were applied (#3449)
>  * It is now possible to reset an expired password for users with 2FA
>    authentication enabled (#3585)
>  * A bug in the AD provider which could have resulted in built-in AD groups
>    being incorrectly cached was fixed (#3610)
>  * The SSSD watchdog can now cope better with time drifts (#3285)
>  * The ``nss_sss`` NSS module's return codes for invalid cases were fixed
>  * A bug in the LDAP provider that prevented setups with id_provider=proxy
>    and auth_provider=ldap with LDAP servers that do not allow anonymous
>    binds from working was fixed (#3451)
> Packaging Changes
> -----------------
>  * The FleetCommander desktop profile path now uses stricter permissions,
>    751 instead of 755 (#3621)
>  * A new option ``--logger`` was added to the ``sssd(8)`` binary. This option
>    obsoletes old options such as ``--debug-to-files``, although the old
>    options are kept for backwards compatibility.
> Documentation Changes
> ---------------------
> There are no notable documentation changes such as options changing default
> values etc in this release.
> Tickets Fixed
> -------------
> Detailed Changelog
> ------------------
> _______________________________________________
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Best Regards,
Fabiano Fidêncio