Jakub Hrozek
2015-12-15 21:21:34 UTC
== SSSD 1.13.3 ===
The SSSD team is proud to announce the release of version 1.13.3 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* A bug that prevented user lookups and logins after migration from
winsync to IPA-AD trusts was fixed
* The OCSP certificate validation checks are enabled for smartcard logins
if SSSD was compiled with the NSS crypto library.
* A bug that prevented the ignore_group_members option from working
correctly in AD provider setups that use a dedicated primary group (as
opposed to a user-private group) was fixed
* Offline detection and offline login timeouts were improved for AD users
logging in from a domain trusted by an IPA server
* The AD provider supports setting up autofs_provider=ad
* Several usability improvements to our debug messages
== Packaging Changes ==
* The p11_child helper binary is able to run completely unprivileged and
no longer requires the setgid bit to be set
== Documentation Changes ==
* A new option certificate_verification was added. This option allows
the administrator to disable OCSP checks in case the OCSP server is
not reachable
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1632
[RFE] Unable to use AD provider for automount lookups
https://fedorahosted.org/sssd/ticket/1943
convert sudo timer to be_ptask
https://fedorahosted.org/sssd/ticket/2672
sudo: reload hostinfo when going online
https://fedorahosted.org/sssd/ticket/2732
Add Integration tests for local views feature
https://fedorahosted.org/sssd/ticket/2747
get_object_from_cache() does not handle services
https://fedorahosted.org/sssd/ticket/2755
Review p11_child hardening
https://fedorahosted.org/sssd/ticket/2787
We should mention SSS_NSS_USE_MEMCACHE in man sssd.conf(5) as well
https://fedorahosted.org/sssd/ticket/#2796
fix man page for sssd-ldap
https://fedorahosted.org/sssd/ticket/2801
Check next certificate on smart card if first is not valid
https://fedorahosted.org/sssd/ticket/2812
Smartcard login when certificate on the card is revoked and ocsp check enabled is not supported
https://fedorahosted.org/sssd/ticket/2830
Try to suppress "Could not parse domain SID from [(null)]" for IPA users
https://fedorahosted.org/sssd/ticket/2846
Inform about SSSD PAC timeout better
https://fedorahosted.org/sssd/ticket/2868
AD provider and ignore_group_members=True might cause flaky group memberships
https://fedorahosted.org/sssd/ticket/2874
sssd: [sysdb_add_user] (0x0400): Error: 17 (File exists)
== Detailed Changelog ==
Dan Lavu (1):
* Clarify that subdomains always use service discovery
Jakub Hrozek (7):
* Upgrading the version for the 1.13.3 release
* DP: Do not confuse static analysers with dead code
* BUILD: Only install polkit rules if the directory is available
* IPA: Use search timeout, not enum timeout for searching overrides
* AD: Add autofs provider
* MAN: Clarify when should TGs be disabled for group nesting restriction
* Update translations for the 1.13.3 release
Lukas Slebodnik (2):
* sbus_codegen_tests: Use portable definition of large constants
* DEBUG: Add missing new lines
Michal Židek (1):
* MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE
Pavel Březina (22):
* SYSDB: Add missing include to sysdb_services.h
* LDAP: Mark globals in ldap_opts.h as extern
* AD: Mark globals in ad_opts.h as extern
* IPA: Mark globals in ipa_opts.h as extern
* KRB5: Mark globals in krb5_opts.h as extern
* SUDO: convert periodical refreshes to be_ptask
* SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
* SUDO: move offline check to handler
* SUDO: simplify error handling
* SUDO: fix sdap_id_op logic
* SUDO: fix tevent style
* SUDO: fix sdap_sudo_smart_refresh_recv()
* SUDO: sdap_sudo_load_sudoers improve iterator
* SUDO: set USN inside sdap_sudo_refresh request
* SUDO: built host filter inside sdap_sudo_refresh request
* SUDO: do not imitate full refresh if usn is unknown in smart refresh
* SUDO: fix potential memory leak in sdap_sudo_init
* SUDO: obtain host information when going online
* SUDO: remove finalizer
* SUDO: make sdap_sudo_handler static
* SUDO: use size_t instead of int in for cycles
* SUDO: get srv_opts after we are connected
Pavel Reichl (1):
* sysdb-tests: Fix warning - incompatible pointer type
Petr Cech (2):
* IPA_PROVIDER: Explicit no handle of services
* KRB5_CHILD: Debug logs for PAC timeout
Sumit Bose (7):
* IPA: fix override with the same name
* p11: allow p11_child to run completely unprivileged
* p11: check if cert is valid before selecting it
* p11: enable ocsp checks
* ldap: skip sdap_save_grpmem() if ignore_group_members is set
* initgr: only search for primary group if it is not already cached
* LDAP: check early for missing SID in mapping check
The SSSD team is proud to announce the release of version 1.13.3 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* A bug that prevented user lookups and logins after migration from
winsync to IPA-AD trusts was fixed
* The OCSP certificate validation checks are enabled for smartcard logins
if SSSD was compiled with the NSS crypto library.
* A bug that prevented the ignore_group_members option from working
correctly in AD provider setups that use a dedicated primary group (as
opposed to a user-private group) was fixed
* Offline detection and offline login timeouts were improved for AD users
logging in from a domain trusted by an IPA server
* The AD provider supports setting up autofs_provider=ad
* Several usability improvements to our debug messages
== Packaging Changes ==
* The p11_child helper binary is able to run completely unprivileged and
no longer requires the setgid bit to be set
== Documentation Changes ==
* A new option certificate_verification was added. This option allows
the administrator to disable OCSP checks in case the OCSP server is
not reachable
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1632
[RFE] Unable to use AD provider for automount lookups
https://fedorahosted.org/sssd/ticket/1943
convert sudo timer to be_ptask
https://fedorahosted.org/sssd/ticket/2672
sudo: reload hostinfo when going online
https://fedorahosted.org/sssd/ticket/2732
Add Integration tests for local views feature
https://fedorahosted.org/sssd/ticket/2747
get_object_from_cache() does not handle services
https://fedorahosted.org/sssd/ticket/2755
Review p11_child hardening
https://fedorahosted.org/sssd/ticket/2787
We should mention SSS_NSS_USE_MEMCACHE in man sssd.conf(5) as well
https://fedorahosted.org/sssd/ticket/#2796
fix man page for sssd-ldap
https://fedorahosted.org/sssd/ticket/2801
Check next certificate on smart card if first is not valid
https://fedorahosted.org/sssd/ticket/2812
Smartcard login when certificate on the card is revoked and ocsp check enabled is not supported
https://fedorahosted.org/sssd/ticket/2830
Try to suppress "Could not parse domain SID from [(null)]" for IPA users
https://fedorahosted.org/sssd/ticket/2846
Inform about SSSD PAC timeout better
https://fedorahosted.org/sssd/ticket/2868
AD provider and ignore_group_members=True might cause flaky group memberships
https://fedorahosted.org/sssd/ticket/2874
sssd: [sysdb_add_user] (0x0400): Error: 17 (File exists)
== Detailed Changelog ==
Dan Lavu (1):
* Clarify that subdomains always use service discovery
Jakub Hrozek (7):
* Upgrading the version for the 1.13.3 release
* DP: Do not confuse static analysers with dead code
* BUILD: Only install polkit rules if the directory is available
* IPA: Use search timeout, not enum timeout for searching overrides
* AD: Add autofs provider
* MAN: Clarify when should TGs be disabled for group nesting restriction
* Update translations for the 1.13.3 release
Lukas Slebodnik (2):
* sbus_codegen_tests: Use portable definition of large constants
* DEBUG: Add missing new lines
Michal Židek (1):
* MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE
Pavel Březina (22):
* SYSDB: Add missing include to sysdb_services.h
* LDAP: Mark globals in ldap_opts.h as extern
* AD: Mark globals in ad_opts.h as extern
* IPA: Mark globals in ipa_opts.h as extern
* KRB5: Mark globals in krb5_opts.h as extern
* SUDO: convert periodical refreshes to be_ptask
* SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
* SUDO: move offline check to handler
* SUDO: simplify error handling
* SUDO: fix sdap_id_op logic
* SUDO: fix tevent style
* SUDO: fix sdap_sudo_smart_refresh_recv()
* SUDO: sdap_sudo_load_sudoers improve iterator
* SUDO: set USN inside sdap_sudo_refresh request
* SUDO: built host filter inside sdap_sudo_refresh request
* SUDO: do not imitate full refresh if usn is unknown in smart refresh
* SUDO: fix potential memory leak in sdap_sudo_init
* SUDO: obtain host information when going online
* SUDO: remove finalizer
* SUDO: make sdap_sudo_handler static
* SUDO: use size_t instead of int in for cycles
* SUDO: get srv_opts after we are connected
Pavel Reichl (1):
* sysdb-tests: Fix warning - incompatible pointer type
Petr Cech (2):
* IPA_PROVIDER: Explicit no handle of services
* KRB5_CHILD: Debug logs for PAC timeout
Sumit Bose (7):
* IPA: fix override with the same name
* p11: allow p11_child to run completely unprivileged
* p11: check if cert is valid before selecting it
* p11: enable ocsp checks
* ldap: skip sdap_save_grpmem() if ignore_group_members is set
* initgr: only search for primary group if it is not already cached
* LDAP: check early for missing SID in mapping check