[Freeipa-interest] Announcing SSSD 1.11.5
Jakub Hrozek
2014-04-08 11:31:17 UTC
=== SSSD 1.11.5 ===

The SSSD team is proud to announce the release of version 1.11.5 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 19, 20 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* This release focuses primarily on bug fixes.
* The release addresses an issue where the SSSD was not able to detect
all domains in the forest if it was connected to an AD DC which was not
the forest root
* A new AD sudo provider was introduced. Setting sudo_provider=ad uses
the same connection options as id_provider=ad, which simplifies the
configuration for users who store sudo rules on an Active Directory server.
* The ID mapping ranges are checked for collisions before being used,
making SSSD more robust in cases where the ranges would collide
* Password changes when using OTPs with an IPA server are now
supported. Please note that this functionality is not present in the
released FreeIPA versions yet.
* Several bugs related to setting an SELinux user context from an IPA
server were fixed

== Documentation Changes ==

* A new pam_sss option ignore_unknown_user was added. Setting this option
makes pam_sss return PAM_IGNORE when processing an unknown user instead of
PAM_USER_UNKNOWN. This option is mostly useful for BSD systems.

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1955
SSSD pam module accepts usernames with leading spaces
https://fedorahosted.org/sssd/ticket/1958
[RFE] Expose the list of trusted domains to IPA
https://fedorahosted.org/sssd/ticket/2153
If both IPA and LDAP are set up with enumeration on, two enum tasks are running
https://fedorahosted.org/sssd/ticket/2218
sssd.conf man pages don't list a configuration option.
https://fedorahosted.org/sssd/ticket/2226
Make SSSD compilable on systems with non-standard paths to krb5 includes
https://fedorahosted.org/sssd/ticket/2232
[freebsd] pam_sss: add ignore_unknown_user option
https://fedorahosted.org/sssd/ticket/2235
MAN: Remove misleading memberof example from ldap_access_filter example
https://fedorahosted.org/sssd/ticket/2251
not retrieving homedirs of AD users with posix attributes
https://fedorahosted.org/sssd/ticket/2252
Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes
https://fedorahosted.org/sssd/ticket/2253
Check IPA idranges before saving them to the cache
https://fedorahosted.org/sssd/ticket/2256
Evaluate usage of sudo LDAP provider together with the AD provider
https://fedorahosted.org/sssd/ticket/2257
Setting int option to 0 yields the default value
https://fedorahosted.org/sssd/ticket/2263
ipa-server-mode: Use lower-case user name component in home dir path
https://fedorahosted.org/sssd/ticket/2264
SSSD Does not cache SELinux map from FreeIPA correctly
https://fedorahosted.org/sssd/ticket/2270
IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
https://fedorahosted.org/sssd/ticket/2271
sssd fails to handle expired passwords when OTP is used
https://fedorahosted.org/sssd/ticket/2279
Add another Kerberos error code to trigger IPA password migration
https://fedorahosted.org/sssd/ticket/2280
Double OK when starting the service
https://fedorahosted.org/sssd/ticket/2282
SSSD should create the SELinux mapping file with format expected by pam_selinux
https://fedorahosted.org/sssd/ticket/2284
Valgrind: Invalid read of int while processing netgroup
https://fedorahosted.org/sssd/ticket/2285
other subdomains are unavailable when joined to a subdomain in the ad forest
https://fedorahosted.org/sssd/ticket/2289
Error during password change
https://fedorahosted.org/sssd/ticket/2293
configure time variables not expanded when running ./configure
https://fedorahosted.org/sssd/ticket/2300
RHEL7 IPA selinuxusermap hbac rule not always matching

== Detailed Changelog ==

Alexey Shabalin (1):
* Use KRB5_CFLAGS where appropriate

Jakub Hrozek (16):
* Updating the version for the 1.11.5 release
* IPA: Don't call tevent_req_post outside _send
* IPA: Don't fail if apply_subdomain_homedir returns ENOENT
* OPTS: Allow using defaults for blobs
* DP: Provide separate dp_copy_defaults function
* MAN: Clarify the ldap_access_filter option further
* MAN: Clarify that changing ID mapping options might require purging the cache
* IPA: Do not save intermediate data to sysdb
* AD: Only connect to GC for subdomain users
* MAN: Clarify the GC support a bit
* IPA: Use the correct domain when processing SELinux rules
* IPA: Write SELinux usernames in the right case
* KRB5: Do not attempt to get a TGT after a password change using OTP
* AD: connect to forest root when downloading the list of subdomains
* IPA: Fix SELinux mapping order memory hierarchy
* Updating the translations for the 1.11.5 release

Lukas Slebodnik (10):
* SPEC: Use systemd on available platforms
* LDAP: Setup periodic task only once.
* UTIL: Sanitize whitespaces.
* DOC: Fix names of arguments in doxygen comments
* AD: Continue if sssd failes to check extra members
* SYSV: Do not call functions success and fail itself
* IPA: Use function sysdb_attrs_get_el in safe way
* Makefile: Add missing library to the dp_opt_tests
* TESTS: Link libsss_test_common with tevent
* Makefile: Use alternative method to replace *bindir

Michal Zidek (1):
* Possible null dereference in SELinux code

Nathaniel McCallum (1):
* Fix krb5 changepw when FAST-only preauth methods are used (like OTP)

Pete Fritchman (1):
* PAM: add ignore_unknown_user option

Stef Walter (1):
* providers: Fix types passed to dbus varargs functions

Sumit Bose (13):
* IDMAP: add sss_idmap_check_collision(_ex)
* IPA: refactor idmap code and add test
* IPA: check ranges for collisions before saving them
* libsss_idmap: bump version-info
* config API: add missing subdomain target to AD provider test
* SUDO: AD provider
* ipa-server-mode: use lower-case user name for home dir
* IPA: Use GC for AD initgroup requests
* IPA/KRB5: handle KRB5_PROG_ETYPE_NOSUPP during IPA password migration
* krb5_child: remove unused option lifetime_str from k5c_setup_fast()
* krb5-child: extract lifetime settings into set_lifetime_options()
* krb5_client: rename krb5_set_canonicalize() to set_canonicalize_option()
* krb5-child: add revert_changepw_options()
