Hi, below are the release notes for 1.16.2. Please comment :-)

SSSD 1.16.2
===========

Highlights
----------

New Features
^^^^^^^^^^^^

* The smart card authentication code, or more generally the certificate
  authentication code, now supports OpenSSL in addition to the previously
  supported NSS (#3489). In addition, the SSH responder can now return public
  SSH keys derived from the public keys stored in an X.509 certificate. Please
  refer to the ``ssh_use_certificate_keys`` option in the man pages.
* The files provider now supports mirroring multiple passwd or group files.
  This enhancement can be used to use the SSSD files provider instead of the
  nss_altfiles module.

Notable bug fixes
^^^^^^^^^^^^^^^^^

* A memory handling issue in the ``nss_ex`` interface was fixed. This bug
  would manifest in IPA environments with a trusted AD domain as a crash of
  the ns-slapd process, because a ``ns-slapd`` plugin loads the ``nss_ex``
  interface (#3715)
* Several fixes for the KCM daemon were merged (see #3687, #3671, #3633)
* The ``ad_site`` override is now honored in GPO code as well (#3646)
* Several potential crashes in the NSS responder's netgroup code were fixed
  (#3679, #3731)
* The LDAP provider now supports group renaming (#2653)
* The GPO access control code no longer returns an error if one of the
  relevant GPO rules contained no SIDs at all (#3680)
* A memory leak in the IPA provider related to resolving external AD groups
  was fixed (#3719)
* Setups that used multiple domains where one of the domains had its ID space
  limited using the ``min_id/max_id`` options did not resolve requests by ID
  properly (#3728)
* Overriding IDs or names did not work correctly when the domain resolution
  order was set as well (#3595)
* A version mismatch between certain newer Samba versions (e.g. those shipped
  in RHEL-7.5) and the Winbind interface provided by SSSD was fixed. To
  further prevent issues like this in the future, the correct interface is now
  detected at build time (#3741)
* The files provider no longer returns a qualified name in case domain
  resolution order is used (#3743)
* A race condition between evaluating IPA group memberships and AD group
  memberships in setups with IPA-AD trusts that would have manifested as
  randomly losing IPA group memberships assigned to an AD user was fixed
  (#3744)
* Setting an SELinux login label was broken in setups where the domain
  resolution order was used (#3740)
* An SSSD startup issue on systems that use the libldb library with version
  1.4.0 or newer was fixed.

Packaging Changes
-----------------

* Several new build requirements were added in order to support the OpenSSL
  certificate authentication

Documentation Changes
---------------------

* The files provider gained two new configuration options, ``passwd_files``
  and ``group_files``. These can be used to specify the additional files to
  mirror.
* A new ``ssh_use_certificate_keys`` option toggles whether the SSH responder
  would return public SSH keys derived from X.509 certificates.
* The ``local_negative_timeout`` option is now enabled by default. This means
  that if SSSD fails to find a user in the configured domains, but is then
  able to find the user with an NSS call such as getpwnam, it would negatively
  cache the request for the duration of the ``local_negative_timeout`` option.