[Freeipa-interest] Announcing SSSD 1.11.7
Jakub Hrozek
2014-09-17 13:32:20 UTC
=== SSSD 1.11.7 ===

The SSSD team is proud to announce the release of version 1.11.7 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19 and 20 shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* This release focuses on delivering bug fixes and smaller features backported
from the 1.12 line.
* Several issues with retrieving the correct group memberships in the AD
provider configured to use POSIX attributes were fixed.
* The Active Directory provider now correctly detects Windows Server 2012 R2.
Previous versions would fall back to the slower non-AD path with 2012 R2.
* Groups without full POSIX information can now be used to enroll group
membership (fixes CVE-2014-0249).
* Detection of the transition from offline to online state was improved,
resulting in fewer timeouts when SSSD is offline.
* If referrals are disabled with a config option (or by default in the AD
provider), any returned referral is now ignored. Previously, the back
end would switch to offline mode on encountering a referral.

== Documentation Changes ==

* A new option override_space was added. When this option is set, a space
character in user or group names is replaced by the character specified
in this option.
* A small random value is now added to the offline_timeout parameter value
to avoid flooding servers with periodic online checks.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1854
[RFE] Add option for sssd to replace space with specified character in LDAP group
https://fedorahosted.org/sssd/ticket/2212
[RFE] Add fallback to sudoRunAs when sudoRunAsUser is not defined and no ldap_sudorule_runasuser mapping has been defined in SSSD
https://fedorahosted.org/sssd/ticket/2323
Expired shadow policy user(shadowLastChange=0) is not prompted for password change
https://fedorahosted.org/sssd/ticket/2343
CVE-2014-0249 sssd: incorrect expansion of group membership when encountering a non-POSIX group [fedora-all]
https://fedorahosted.org/sssd/ticket/2345
tokengroups do not work with id_provider=ldap
https://fedorahosted.org/sssd/ticket/2349
public key validator is too strict and does not allow newlines anywhere in the public key string, not even at the end
https://fedorahosted.org/sssd/ticket/2355
Requests queued during transition from offline to online mode
https://fedorahosted.org/sssd/ticket/2360
The SSSD dbus service should retry system bus connection if it fails
https://fedorahosted.org/sssd/ticket/2364
RFE: Be able to configure sssd to honor openldap account lock to restrict access via ssh key
https://fedorahosted.org/sssd/ticket/2377
sudo: invalid sudoHost filter with asterisk
https://fedorahosted.org/sssd/ticket/2380
Race condition in the client code
https://fedorahosted.org/sssd/ticket/2383
dereferencing control failure against openldap server
https://fedorahosted.org/sssd/ticket/2385
ad: group membership is empty when id mapping is off and tokengroups are enabled
https://fedorahosted.org/sssd/ticket/2389
Problems with tokengroups and ldap_group_search_base
https://fedorahosted.org/sssd/ticket/2390
Failover does not always happen from SRV to hostname resolution(via /etc/hosts)
https://fedorahosted.org/sssd/ticket/2391
sssd_be segfaults in ldb_msg_find_element
https://fedorahosted.org/sssd/ticket/2397
Auth fails when space in username is replaced with character set by override_default_whitespace
https://fedorahosted.org/sssd/ticket/2399
RHEL6.6 sssd not running after upgrade
https://fedorahosted.org/sssd/ticket/2400
sssd can't retrieve sudo rules when using the "default_domain_suffix" option
https://fedorahosted.org/sssd/ticket/2401
clarify the offline timeout in man page
https://fedorahosted.org/sssd/ticket/2402
IFP: FQDN lookups are broken
https://fedorahosted.org/sssd/ticket/2405
use-after-free in dyndns code
https://fedorahosted.org/sssd/ticket/2406
Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
https://fedorahosted.org/sssd/ticket/2407
simple_allow_groups does not lookup groups from other AD domains
https://fedorahosted.org/sssd/ticket/2409
On error, libnss_sss can mistakenly close descriptors it doesn't "own"
https://fedorahosted.org/sssd/ticket/2410
Race condition between sudo refresh
https://fedorahosted.org/sssd/ticket/2418
sssd does not recognize Windows server 2012 R2's LDAP as AD
https://fedorahosted.org/sssd/ticket/2421
Dereference code errors out when dereferencing entries protected by ACIs
https://fedorahosted.org/sssd/ticket/2436
ipa user private group not found

== Detailed Changelog ==

Ian Lee (1):
* Add user lookup and session dependencies to systemd service file.

Jakub Hrozek (32):
* Updating the version for the 1.11.7 release
* BUILD: dbusintrospectdir is not used anymore
* IFP: Fix DEBUG messages
* IFP: Return a specific value on failure connecting to the system bus
* IFP: Provide a SBUS method to reconnect to sysbus
* MONITOR: Signal InfoPipe to reconnect on SIGUSR2
* TOOLS: New helper tool sss_signal
* BUILD: Add the DBus service activation
* IFP: Fix lookups with fully-qualified names
* RPM: Restart service in %posttrans, not %post
* NSS: Ignore default_domain for netgroups
* Only replace space with the specified substitution
* Make the space override responder-agnostic
* PAM: Use the override_space option
* IFP: Use the override_space option
* SUDO: Use the override_space option
* IPA: handle searches by SID in apply_subdomain_homedir
* Revert "IPA: new attribute map for non-posix groups"
* Revert "IPA: process non-posix nested groups"
* Revert "IPA: try to resolve nested groups as poxix group"
* LDAP: Do not shortcut on ret != EOK during password expiry check
* LDAP: Split out linking primary group members into a separate function
* LDAP: Don't add a user member twice when adding a primary group
* LDAP: Use tmp_ctx in ldap_child for temporary data
* LDAP: Use randomized ccname for storing credentials
* LDAP: Add Windows Server 2012 R2 functional level
* LDAP: Fall back to functional level of Windows Server 2003
* LDAP: Enable tokenGroups with Windows Server 2003
* LDAP: Ignore returned referrals if referral support is disabled
* LDAP: Skip dereferenced entries that we are not permitted to read
* Ignore referrals in deref and ASQ, too
* Updating the translations for the 1.11.7 release

Jan Cholasta (1):
* SSH: Allow newline at the end of public key values in LDAP

Lukas Slebodnik (19):
* Don't use macro _XOPEN_SOURCE for function strptime
* sss_client: thread safe initialisation of sss_cli_mc_ctx
* sss_client: Fix memory leak in nss_mc_{group,passwd}
* LDAP: Remove unused option ldap_netgroup_uuid
* LDAP: Remove unused option ldap_group_uuid
* LDAP: Remove unused option ldap_user_uuid
* test_utils: Use common header file for libsss_util tests.
* UTIL: Add functions for replacing whitespaces.
* NSS: Replace spaces with specified string in names.
* dyndns_test: Use right socket length of for IPv4 address.
* responder-get-domains-tests: fix checking of leaks
* test_dyndns: Use different talloc context in wrapped functions.
* TESTS: leak_check functions shouldn't be called with NULL context
* dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
* test_dyndns: sss_iface_addr_list_get can return more values
* SDAP: free subrequest in sdap_dyndns_update_addrs_done
* SDAP: Immediately finish request for empty array
* SDAP: Use different talloc_context for array of names
* SDAP: Update groups for user just once.

Michal Zidek (6):
* ptask: Allow adding random_offset to scheduled execution time
* ptask: Add backoff feature to the ptask api.
* Exit offline mode only if server is available.
* MAN: How much time sssd spends offline
* Add alternative objectClass to group attribute maps
* Use the alternative objectclass in group maps.

Michal Šrubař (1):
* LDAP SUDO: sudo provider doesn't fetch 'EntryUSN'

Nalin Dahyabhai (1):
* sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors

Nikolai Kondrashov (1):
* build: Switch back to DISTCHECK_CONFIGURE_FLAGS

Pavel Březina (9):
* sbus_request: fix potential NULL dereference
* ad: comment ENOENT when id mapping is disabled
* ad: update membership after SIDs are resolved
* sudo: fetch sudoRunAs attribute
* sudo: use dbus array for rules refresh
* sudo: replace asterisk with escape sequence in host filter
* failover: set port status to not working if previous srv lookup failed
* ad initgroups: continue if resolved SID is still missing
* sudo: work with correct D-Bus iterator

Pavel Reichl (18):
* TESTS: sss_ssh - textual public key format
* LDAP: tokengroups do not work with id_provider=ldap
* SDAP: Continue resolving SID even if some fail
* IPA: new attribute map for non-posix groups
* IPA: process non-posix nested groups
* IPA: try to resolve nested groups as poxix group
* SDAP: split sdap_access_filter_get_access_done
* SDAP: refactor sdap_access_filter_send
* SDAP: nitpicks in sdap_access_filter_get_access_done
* SDAP: refactor sdap_access_filter_done
* SDAP: don't log error on access denied
* SDAP: refactor AC offline checks
* SDAP: new option - DN to ppolicy on LDAP
* SDAP: account lockout to restrict access via ssh key
* MAN: options 'lockout' and 'ldap_pwdlockout_dn'
* IPA: process non-posix nested groups
* AD: process non-posix nested groups w/o tokenGroups
* AD: process non-posix nested groups using tokenGroups

Sumit Bose (1):
* Replace space: add some checks
