=== SSSD 2.2.2 ===
The SSSD team is proud to announce the release of version 2.2.2 of the
System Security Services Daemon. The tarball can be downloaded from:
https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
SSSD 2.2.2 (I have included SSSD 2.2.1 at the end as well)
==========
Highlights
----------
New features
^^^^^^^^^^^^
None
Notable bug fixes
^^^^^^^^^^^^^^^^^
* Removing a domain from ad_enabled_domains was not reflected in SSSD's
cache; the disabled subdomain stayed in sysdb. This has been fixed.
* A race condition could crash SSSD during shutdown. The race condition
was fixed.
* Paging was not enabled when the IPA provider fetched external groups, so
the number of external groups SSSD could fetch was capped at 2000. Group
memberships beyond that limit were silently missing. This has been fixed.
* pam_sss now properly creates the GNOME keyring during smart card login
(the PIN is kept on the PAM stack so that forward_pass works).
* After login, SSSD with KCM could wrongly pick an older ccache instead of
the latest one. This was fixed.
Packaging Changes
-----------------
None
Documentation Changes
---------------------
None
Tickets Fixed
-------------
* `3932 <https://pagure.io/SSSD/sssd/issue/3932>`_ - MAN: Document
that PAM stack contains the systemd-user service in the account phase in
recent distributions
* `4009 <https://pagure.io/SSSD/sssd/issue/4009>`_ - Removing domain
from ad_enabled_domains is not reflected in cache
* `4058 <https://pagure.io/SSSD/sssd/issue/4058>`_ - Paging not
enabled when fetching external groups, limits the number of external
groups to 2000
* `4063 <https://pagure.io/SSSD/sssd/issue/4063>`_ - sssd-kcm: type
confusion on KDC offset
* `4067 <https://pagure.io/SSSD/sssd/issue/4067>`_ - pam_sss with
smartcard auth does not create gnome keyring
* `4068 <https://pagure.io/SSSD/sssd/issue/4068>`_ - pam_sss: empty
smart card pin registers as authentication attempt
* `4069 <https://pagure.io/SSSD/sssd/issue/4069>`_ - pam_sss should
reset PAM_USER based on use_fully_qualified_names option in sssd.conf
* `3996 <https://pagure.io/SSSD/sssd/issue/3996>`_ - sudo: do not
update last usn when updating expired rules
* `4065 <https://pagure.io/SSSD/sssd/issue/4065>`_ - IFP: GetUserAttr
does not search by UPN
* `4074 <https://pagure.io/SSSD/sssd/issue/4074>`_ - Integration tests
use python2 unconditionally
Detailed changelog
------------------
Jakub Hrozek (6):
MAN: Document that PAM stack contains the systemd-user service in
the account phase in RHEL-8
IPA: Allow paging when fetching external groups
KCM: Use int32_t type conversion in DEBUG message for int32_t
variable
KCM: Add a forgotten return
KCM: Allow modifications of ccache's principal
KCM: Fill empty cache, do not initialize a new one
Lukas Slebodnik (18):
BUILD: Add macro for checking python3 modules
BUILD: Fix typo of detecting python module for intgcheck
BUILD: Move checking of python2 modules for intgcheck
BUILD: Add macro for checking pytest for intgcheck
BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS
BUILD: Move python checks for intgcheck to macro
INTG: Do not hardcode version of python/pytest in intgcheck
BUILD: Prefer python3 for intgcheck
intg: Install python3 dependencies for intgcheck on new distros
pyhbac: Fix warning Wdiscarded-qualifiers
test_pam_responder: Fix unicode error
SSSDConfig: Add minimal test for parse method
SSSDConfig: Fix SyntaxWarning "is not" with a literal
TESTS: Add minimal test for pysss encrypt
pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN
pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN
test_pam_responder: Fix DeprecationWarning invalid escape sequence
testlib: Fix SyntaxWarning "is" with a literal
Michal Židek (2):
Bumping the version to track the 2.2.2 development
Update the translations for the 2.2.2 release
Pavel Březina (12):
ad: remove subdomain that has been disabled through
ad_enabled_domains from sysdb
sysdb: add sysdb_domain_set_enabled()
ad: set enabled=false attribute for subdomains that no longer exist
sysdb: read and interpret domain's enabled attribute
sysdb: add sysdb_list_subdomains()
ad: remove all subdomains if only master domain is enabled
ad: make ad_enabled_domains case insensitive
ci: use python2 version of pytest
ci: pep8 was renamed to pycodestyle in Fedora 31
ci: remove left overs from previous rebase
sudo: do not update last usn value on rules refresh
ifp: let cache_req parse input name so it can fallback to upn search
Sumit Bose (5):
pam: keep pin on the PAM stack for forward_pass
pam: do not accept empty PIN
pam: use PAM return codes where expected
pam: set PAM_USER properly with allow_missing_name
Revert "SERVER: Receiving SIGSEGV process on shutdown"
Tomas Halman (3):
SERVER: Receiving SIGSEGV process on shutdown
BE: Invalid operator used in condition
SERVER: Receiving SIGSEGV process on shutdown
SSSD 2.2.1
==========
Highlights
----------
New features
^^^^^^^^^^^^
* New options were added which allow sssd-kcm to handle larger credential
caches (big tickets). See the sssd-kcm manual page for ``max_ccaches``,
``max_uid_ccaches`` and ``max_ccache_size``.
* SSSD can now automatically refresh cached user data from subdomains
in IPA/AD trust.
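As an added illustration (not part of these release notes or of the SSSD project's documentation), the fragment below shows where the three KCM quota options go in sssd.conf. The numeric values are assumptions chosen for a shared multi-user host, not defaults or recommendations from the SSSD team; check sssd-kcm(5) for the version in use before copying them. The point of keeping the per-UID quota well below the global one is that the KCM database is shared by every user on the host: without a per-UID bound, one account (or one runaway script) can fill the store and deny ticket storage to everyone else.

```ini
# /etc/sssd/sssd.conf -- [kcm] fragment. Added example, not from the
# release notes; values are assumptions, see sssd-kcm(5) for defaults.
[kcm]
# Global cap on credential caches held in the KCM database.
# (0 is documented as "unlimited"; an explicit cap bounds the store.)
max_ccaches = 1024

# Cap on ccaches a single UID may own, so one user cannot exhaust the
# shared store. Keep this well below max_ccaches.
max_uid_ccaches = 64

# Maximum size of one ccache (assumed to be bytes, per sssd-kcm(5)).
# Raise this if large tickets, e.g. AD tickets with a big PAC, fail to
# be stored; this is the knob that addresses "cannot handle big tickets".
max_ccache_size = 131072
```

After editing, restarting sssd-kcm.service is sufficient; the whole sssd.service does not need a restart. If a quota is hit, the failure shows up client-side as a Kerberos error when storing credentials, so check the sssd_kcm log before assuming a KDC problem.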
Notable bug fixes
^^^^^^^^^^^^^^^^^
* Fixed an issue where SSSD hung, and failover did not kick in, when
connecting to a non-responsive server over ldaps://.
* SSSD is now restarted by systemd after crashes.
* Fixed a regression where, with dyndns_update set to True and
dyndns_refresh_interval unset or set to 0, DNS records were not updated
at all.
* Fixed an issue where setting ``default_domain_suffix`` together with
``id_provider = files`` caused all results from the files domain to be
fully qualified.
* Fixed an issue with sudo rules not being visible on OpenLDAP servers.
* Fixed a crash with ``auth_provider = proxy`` that prevented logins.
Packaging Changes
-----------------
None
Documentation Changes
---------------------
* A new option ``dns_resolver_server_timeout`` was added
* A new option ``max_ccaches`` was added
* A new option ``max_uid_ccaches`` was added
* A new option ``max_ccache_size`` was added
* A new option ``ocsp_dgst`` was added
Tickets Fixed
-------------
* `2878 <https://pagure.io/SSSD/sssd/issue/2878>`_ - sssd failover
does not work on connecting to non-responsive ldaps:// server
* `3217 <https://pagure.io/SSSD/sssd/issue/3217>`_ - Conflicting
default timeout values
* `3386 <https://pagure.io/SSSD/sssd/issue/3386>`_ - sssd-kcm cannot
handle big tickets
* `3489 <https://pagure.io/SSSD/sssd/issue/3489>`_ - p11_child should
work with openssl1.0+
* `3685 <https://pagure.io/SSSD/sssd/issue/3685>`_ - KCM: Default to a
new back end that would write to the secrets database directly
* `3833 <https://pagure.io/SSSD/sssd/issue/3833>`_ - port to pcre2
* `3894 <https://pagure.io/SSSD/sssd/issue/3894>`_ - multihost tests:
ldb-tools is needed for multihost tests
* `3905 <https://pagure.io/SSSD/sssd/issue/3905>`_ - SSSD doesn't
clear cache entries for IDs below min_id.
* `4012 <https://pagure.io/SSSD/sssd/issue/4012>`_ - SSSD is not
refreshing cached user data for the ipa sub-domain in a IPA/AD trust
* `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ -
EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1
* `4028 <https://pagure.io/SSSD/sssd/issue/4028>`_ - sssd-kcm calls
sssd-genconf which triggers nscd warning
* `4037 <https://pagure.io/SSSD/sssd/issue/4037>`_ - Logins fail after
upgrade to 2.2.0
* `4040 <https://pagure.io/SSSD/sssd/issue/4040>`_ - Reasonable to
Restart sssd on crashes?
* `4046 <https://pagure.io/SSSD/sssd/issue/4046>`_ - sudo: incorrect
usn value for openldap
* `4047 <https://pagure.io/SSSD/sssd/issue/4047>`_ - dyndns_update =
True is no longer enough to get the IP address of the machine
updated in IPA upon sssd.service startup
* `4050 <https://pagure.io/SSSD/sssd/issue/4050>`_ -
nss_cmd_endservent resets the wrong index
* `4052 <https://pagure.io/SSSD/sssd/issue/4052>`_ - sssd config
option "default_domain_suffix" should not cause the files domain entries
to be qualified
* `3931 <https://pagure.io/SSSD/sssd/issue/3931>`_ - proxy provider is
not working with enumerate=true when trying to fetch all groups
* `4043 <https://pagure.io/SSSD/sssd/issue/4043>`_ - Typo in
systemd.m4 prevents detection of systemd.pc
* `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative
cache does not use values from 'filter_users' config option
* `4032 <https://pagure.io/SSSD/sssd/issue/4032>`_ -
p11_child::do_ocsp() function implementation is not FIPS140 compliant
* `4039 <https://pagure.io/SSSD/sssd/issue/4039>`_ -
p11_child::sign_data() function implementation is not FIPS140 compliant
* `4056 <https://pagure.io/SSSD/sssd/issue/4056>`_ - permission denied
on logs when running sssd as non-root user
* `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140
compliant usage of PRNG
* `2854 <https://pagure.io/SSSD/sssd/issue/2854>`_ - FAIL test-find-uid
* `3962 <https://pagure.io/SSSD/sssd/issue/3962>`_ - Problem with
tests/cmocka/test_dyndns.c
* `4022 <https://pagure.io/SSSD/sssd/issue/4022>`_ - utils:
sss_hmac_sha1() function implementation is not FIPS140 compliant
Detailed changelog
------------------
Alex Rodin (1):
tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to
tevent_loop_wait()
Alexey Tikhonov (14):
util/crypto/libcrypto: changed sss_hmac_sha1()
util/crypto/libcrypto: changed sss_hmac_sha1()
util/secrets: memory leaks are fixed
util/crypto/nss/nss_nite: params sanitization
crypto/libcrypto/crypto_nite: HMAC calculation changed
util/find_uid.c: fixed debug message
util/find_uid.c: fixed race condition bug
util/crypto: removed erroneous declaration
util/crypto/sss_crypto.c: cleanup of includes
util/crypto: generate_csprng_buffer() changed
util/crypto: added sss_rand()
crypto/libcrypto/crypto_nite.c: memory leak fixed
FIPS140 compliant usage of PRNG
crypto/nss: some nss_ctx_init() params made const
Jakub Hrozek (34):
Updating the version for the 2.2.1 release
TESTS: Install expect to drive password-change modifications
TESTS: Also add LDAP password when creating users
TESTS: Test changing LDAP password with extended operation and
modification
TEST: Add a multihost test for not returning / for an empty home dir
MONITOR: Don't check for the nscd socket while regenerating
configuration
SYSDB: Add sysdb_search_with_ts_attr
BE: search with sysdb_search_with_ts_attr
BE: Enable refresh for multiple domains
BE: Make be_refresh_ctx_init set up the periodical task, too
BE/LDAP: Call be_refresh_ctx_init() in the provider libraries,
not in back end
BE: Pass in attribute to look up with instead of hardcoding
SYSDB_NAME
BE: Change be_refresh_ctx_init to return errno and set
be_ctx->refresh_ctx
BE/LDAP: Split out a helper function from sdap_refresh for later
reuse
BE: Pass in filter_type when creating the refresh account request
BE: Send refresh requests in batches
BE: Extend be_ptask_create() with control when to schedule next
run after success
BE: Schedule the refresh interval from the finish time of the
last run
AD: Implement background refresh for AD domains
IPA: Implement background refresh for IPA domains
BE/IPA/AD/LDAP: Add inigroups refresh support
BE/IPA/AD/LDAP: Initialize the refresh callback from a list to
reduce logic duplication
IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
MAN: Amend the documentation for the background refresh
DP/SYSDB: Move the code to set initgrExpireTimestamp to a
reusable function
IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing
refresh request
MAN: Get rid of sssd-secrets reference
MAN: Document that it is enough to systemctl restart
sssd-kcm.service lately
SECRETS: Use different option names from secrets and KCM for
quota options
SECRETS: Don't limit the global number of ccaches
KCM: Pass confdb context to the ccache db initialization
KCM: Configurable quotas for the secdb ccache back end
TESTS: Add tests for the configurable quotas
Don't qualify users from files domain when default_domain_suffix
is set
Jakub Jelen (1):
pam_sss: Add missing colon to the PIN prompt
Lukas Slebodnik (1):
PROXY: Return data in output parameter if everything is OK
Michal Židek (2):
TESTS: ldb-tools and sssd-tools are required for multihost tests
Update the translations for the 2.2.1 release
Niranjan M.R (1):
TESTS: Test kvno correctly displays version numbers of principals
Pavel Březina (11):
ci: disable timeout
ci: switch to new tooling and remove 'Read trusted files' stage
ci: rebase pull request on the target branch
ci: print node on which the test is being run
sudo: use proper datetime for default modifyTimestamp value
systemd: add Restart=on-failure to sssd.service
man: fix description of dns_resolver_op_timeout
man: fix description of dns_resolver_timeout
failover: add dns_resolver_server_timeout option
failover: change default timeouts
config: add dns_resolver_op_timeout to option list
Sam Morris (1):
build: fix detection of systemd.pc
Samuel Cabrero (1):
nss: Fix command 'endservent' resetting wrong struct member
Sumit Bose (10):
negcache: add fq-usernames of known domains to all UPN neg-caches
p11_child: prefer better digest function if card supports it
p11_child: fix a memory leak and other memory management issues
pam: make sure p11_child.log has the right permissions
ssh: make sure p11_child.log has the right permissions
BE: make sure child log files have the right permissions
utils: remove unused prototype (cert_to_ssh_key)
utils: move parse_cert_verify_opts() into separate file
p11_child: make OCSP digest configurable
pam: fix loop in Smartcard authentication
Tomas Halman (9):
MAN: ldap_user_home_directory default missing
pcre: port to pcre2
CACHE: SSSD doesn't clear cache entries
LDAP: failover does not work on non-responsive ldaps
CONFDB: Files domain if activated without .conf
TESTS: adapt tests to enabled default files domain
BE: Introduce flag for be_ptask_create
BE: Convert be_ptask params to flags
DYNDNS: dyndns_update is not enough
Yuri Chornoivan (1):
Fix minor typos in docs
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org