[Freeipa-interest] Announcing SSSD 1.12.3
Jakub Hrozek
2015-01-08 18:06:53 UTC
=== SSSD 1.12.3 ===

The SSSD team is proud to announce the release of version 1.12.3 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* This is mostly a bug fixing release with only minor enhancements visible
to the end user
* Contains many fixes and enhancements related to the ID views functionality of
FreeIPA servers
* SSSD now allows the IPA client to move from one ID view to another
after SSSD restart
* It is possible to apply ID views to IPA domains as well. Previous SSSD
versions only allowed views to be applied to AD trusted domains
* Overriding SSH public keys is supported in this release
* This release contains several fixes and enhancements related to users
and groups from trusted AD domains
* When a trusted AD domain is disabled on the server side, access is
denied for users logging in from these domains
* External group memberships (i.e. memberships in IPA groups) are now
resolved correctly for trusted AD users
* The localauth plugin configuration is written into the pubconf directory
which should be included from krb5.conf on IPA clients. As a result,
the localauth plugin should be configured automatically on IPA clients.
* Password change when One-Time-Passwords are used was fixed
* The tokenGroups support was disabled by default in the LDAP provider. The
tokenGroups support is still enabled by default in the AD provider
* Simple access provider skips user or group names that can't be resolved
if only allow rules are configured

== Packaging Changes ==

* Support for running SSSD as a non-privileged user was added. SSSD's
directories must be owned by this user, hence SSSD needs to be
configured properly at build time, using the new configure option
--with-sssd-user. Additionally, the non-privileged user must also be
selected in sssd.conf using the "user" configuration option.

== Documentation Changes ==

* A new configuration option "krb5_confd_path" was added. This option
specifies the directory where SSSD places Kerberos configuration snippets.
* The default value of "ldap_user_uuid" was changed to be "objectSID"
for the AD back end and unset for all other back ends.
* The option "ldap_use_tokengroups" changed its default value to True
for AD and IPA providers only.
* The "allowed_shells" option now accepts the wildcard ("*") value, allowing any shell
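
An sssd.conf fragment, added here as an illustration and not part of the announcement, that places the new and changed options from the packaging and documentation sections above in their sections; the domain name, the service account name and the snippet directory path are assumed values:

```ini
[sssd]
# Run the SSSD processes as an unprivileged account (see Packaging Changes).
# The account name is an assumption; it must be the same user the package
# was built for with --with-sssd-user, because SSSD's directories are owned
# by that user.
user = sssd
services = nss, pam, ssh
domains = example.com

[nss]
# Accept any login shell returned by the directory instead of the
# fallback list. "*" is the wildcard value introduced in this release.
allowed_shells = *

[domain/example.com]
# example.com is an assumed IPA domain name.
id_provider = ipa
auth_provider = ipa
ipa_domain = example.com
ipa_server = _srv_
# Directory where SSSD writes its Kerberos snippets, including the
# localauth plugin configuration. The path is an assumed example; it must
# match the includedir line in krb5.conf on the client.
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d
# Default is now True for the AD and IPA providers; stated explicitly only
# to make the choice visible. For a plain LDAP provider the default is now
# False and the option is best left unset.
ldap_use_tokengroups = True
```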

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1195
4 functions with reference leaks within sssd (src/python/pyhbac.c)
https://fedorahosted.org/sssd/ticket/1939
Create unit test for be_ptask
https://fedorahosted.org/sssd/ticket/2102
disable midpoint refresh for netgroups if ptask refresh is enabled
https://fedorahosted.org/sssd/ticket/2219
Shell fallback mechanism in SSSD
https://fedorahosted.org/sssd/ticket/2370
sssd should run under unprivileged user
https://fedorahosted.org/sssd/ticket/2372
SELinux: Audit changes to the SELinux label files
https://fedorahosted.org/sssd/ticket/2404
Remove password from the PAM stack if OTP is used
https://fedorahosted.org/sssd/ticket/2430
sssd segfaults repeatedly with error 4 in memberof.so
https://fedorahosted.org/sssd/ticket/2439
Return a different errno from client when sssd is not running.
https://fedorahosted.org/sssd/ticket/2445
Race condition while invalidating memory cache in client code
https://fedorahosted.org/sssd/ticket/2451
sssd-ldap man page changes, add 'access_provider = ldap' as a requirement 'ldap_access_order = for lockout'
https://fedorahosted.org/sssd/ticket/2454
[RFE] Views: apply user SSH public key override
https://fedorahosted.org/sssd/ticket/2456
Error message not helpful if extdom lookup fails
https://fedorahosted.org/sssd/ticket/2460
service lookups returned in lowercase with case_sensitive=preserving
https://fedorahosted.org/sssd/ticket/2461
Proxy Provider: Fails to lookup case sensitive users and groups with case_sensitive=preserving
https://fedorahosted.org/sssd/ticket/2462
Manpage description of case_sensitive=preserving is incomplete
https://fedorahosted.org/sssd/ticket/2464
Use ldap_extra_attrs when requesting attributes from extdom plugin
https://fedorahosted.org/sssd/ticket/2467
Set the right permissions in Makefile.am when installing from source
https://fedorahosted.org/sssd/ticket/2468
Don't set the umask in the utility function that creates sockets
https://fedorahosted.org/sssd/ticket/2470
refactor create_pipe_fd()
https://fedorahosted.org/sssd/ticket/2473
RFE: Add a configuration option to specify where a snippet with sssd_krb5_localauth_plugin.so is generated
https://fedorahosted.org/sssd/ticket/2475
Wrong results returned with enumeration
https://fedorahosted.org/sssd/ticket/2477
SSSD doesn't tell that it can't start because of no longer existent ID range
https://fedorahosted.org/sssd/ticket/2481
ID Views implementation does not support IPA user&group overrides
https://fedorahosted.org/sssd/ticket/2484
Password change over ssh doesn't work with OTP and FreeIPA
https://fedorahosted.org/sssd/ticket/2487
sssd does not work with custom value of option re_expression
https://fedorahosted.org/sssd/ticket/2490
dereferencing failure against openldap server
https://fedorahosted.org/sssd/ticket/2492
Group membership gets lost in IPA server mode
https://fedorahosted.org/sssd/ticket/2498
"debug_timestamps = false" and "debug_microseconds = true" do not work after enabling journald with sssd.
https://fedorahosted.org/sssd/ticket/2501
pam_sss domains option: Untrusted users from the same domain are allowed to auth.
https://fedorahosted.org/sssd/ticket/2503
Use the MEMORY ccache to pass around keytab contents
https://fedorahosted.org/sssd/ticket/2506
Check unlink return values to silence Coverity warnings
https://fedorahosted.org/sssd/ticket/2510
The Kerberos provider is not properly views-aware
https://fedorahosted.org/sssd/ticket/2512
selinuxusermap rule does not apply to trusted AD users
https://fedorahosted.org/sssd/ticket/2514
gid is overridden by uid in default trust view
https://fedorahosted.org/sssd/ticket/2516
pam_sss domains option: User auth should fail when domains=<empty value>
https://fedorahosted.org/sssd/ticket/2518
SSSD master doesn't build on RHEL-6
https://fedorahosted.org/sssd/ticket/2519
SSSD should not fail authentication when only allow rules are used
https://fedorahosted.org/sssd/ticket/2520
Crash in function get_object_from_cache
https://fedorahosted.org/sssd/ticket/2521
be_ptask unit test fails sometimes
https://fedorahosted.org/sssd/ticket/2524
getent fails for posix group with AD users after login
https://fedorahosted.org/sssd/ticket/2526
User is unable to authenticate if the option krb5_fast_principal is NULL
https://fedorahosted.org/sssd/ticket/2529
IPA: incomplete group memberships for AD users on IPA clients
https://fedorahosted.org/sssd/ticket/2530
MAN: Document that only usernames are checked for pam_trusted_uids
https://fedorahosted.org/sssd/ticket/2535
Access is not rejected for disabled domain
https://fedorahosted.org/sssd/ticket/2537
sssd-libwbclient conflicts with Samba's and causes crash in wbinfo

== Detailed Changelog ==

Carlos A. Munoz (1):
* Add zanata.xml file for integration with Zanata command line client

Dan Lavu (3):
* MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451
* MAN: page edit for ldap_use_tokengroups
* MAN: Clarify ad_gpo_map* options

Denis Kutin (1):
* NSS: Possibility to use any shells in 'allowed_shells'

Jakub Hrozek (68):
* Updating the version for the 1.12.3 development
* SSSD: Add the options to specify a UID and GID to run as
* SSSD: Chown the log files
* UTIL: Use a custom PID_PATH and DB_PATH when unit testing server.c
* TESTS: Unit tests can use confdb without using sysdb
* TESTS: Unit tests for server_setup
* RPM: Package the libsss_semanage.so library
* IPA: Handle NULL members in process_members()
* UTIL: Add a function to convert id_t from a number or a name
* BUILD: Add a config option for sssd user, own private directories as the user
* RPM: Change file ownership to sssd.sssd
* SSSD: Load a user to run a service as from configuration
* SBUS: Chown the sbus socket if needed
* SBUS: Allow connections from other UIDs
* BE: Own the sbus socket as the SSSD user
* NSS: Run as a user specified by monitor
* TEST: Unit test for create_pipe_fd
* AUTOFS: Run the autofs responder as the SSSD user
* PAC: Run the pac responder as the SSSD user
* SUDO: Run the sudo responder as the SSSD user
* SSH: Run the ssh responder as the SSSD user
* GPO: Terminate request on error
* TESTS: Add tests for the views-related option maps
* IPA: Don't fail the request when BE doesn't find the object
* IPA: Rename user_dom into obj_dom
* BUILD: Install ldap_child and as setuid if running under non-privileged user
* LDAP: Move sss_krb5_verify_keytab_ex to ldap_child
* LDAP: read the correct data type from ldap_child's input buffer
* LDAP: Drop privileges after kinit in ldap_child
* UTIL: Remove code duplication of struct io
* UTIL: Remove more code duplication setting up child processes
* IPA: Move setting the SELinux context to a child process
* BE: Make struct bet_queue_item private to sssd_be
* BUILD: Install krb5_child as suid if running under non-privileged user
* KRB5: Drop privileges in the child, not the back end
* KRB5: Move ccache-related functions to krb5_ccache.c
* KRB5: Move checking for illegal RE to krb5_utils.c
* KRB5: Move all ccache operations to krb5_child.c
* KRB5: Do not switch_creds() if already the specified user
* BUILD: Use separate chown to make changing ownership to the sssd user non-fatal
* BUILD: Make chown of files to sssd user non-fatal
* BUILD: Touch files in DESTDIR
* BE: Become a regular user after initialization
* BE: Fix a debug message
* IPA: Handle IPA groups returned from extop plugin
* Hint about removing sysdb if initializing ID map fails
* PAM: Make pam_forwarder_parse_data static
* SBUS: Initialize DBusError before using it
* PAM: Check for trusted domain before sending the request to BE
* PAM: Move is_uid_trusted from pam_ctx to preq
* TESTS: Basic child tests
* Add extra_args to exec_child()
* KRB5: Create the fast ccache in a child process
* LDAP: Remove useless include
* sss_atomic_write_s() return value is signed
* KRB5: Relax DEBUG message
* TESTS: Build test_child even without cmocka
* Rename test-child to dummy-child
* CI: Suppress memory errors from poptGetNextOpt
* tests: Free popt_context
* IFP: Return group names with the right case
* KRB5: Check FAST kinit errors using get_tgt_times()
* Skip CHAUTHTOK_PRELIM when using OTPs
* PAM: Domain names are case-insensitive
* PAM: Missing argument to domains= should fail auth
* MAN: Misspelled username in pam_trusted_users is not fatal
* RESPONDER: Log failures to resolve user names in csv_string_to_uid_array
* Updating translations for the 1.12.3 release

Lukas Slebodnik (28):
* BUILD: Fix automake warning
* test_server: Fix waiting for background process
* SPEC: Print testsuite log for failed test
* SBUS: Fix error handling after closing container
* BUILD: Fix linking cwrap tests with -Wl,--as-needed
* test_sysdb_views: Use unique directory for cache
* IPA: Store right username to selinux child context
* PAM: Remove authtok from PAM stack with OTP
* NSS: Fix warning enumerated type mixed with another type
* Revert "LDAP: Change defaults for ldap_user/group_objectsid"
* AD: Change level of debug message
* CI: Build sssd on debian with samba support
* LDAP: Disable token groups by default
* sss_client: Extract destroying of mmap cache to function
* sss_client: Fix race condition in memory cache
* krb5: Check return value of krb5_principal_get_realm
* krb5: Check return value of sss_krb5_princ_realm
* AD: Set dp_error if gc was not used
* TOOLS: sss_debuglevel should work with ifp responder
* CI: Update valgrind suppression database for libselinux
* IPA: Do not append domain name to fq name
* sss_client: Work around glibc bug
* MAKE: Fix linking of test_child_common
* UTIL: Fix dependencies of internal sss libraries
* BUILD: Install libsss_crypt after its dependencies
* MONITOR: Disable inlining of function load_configuration
* krb5_child: Initialize REALM earlier
* IPA: properly handle groups from different domains

Michal Zidek (21):
* util: Move semanage related functions to src/util
* sss_semanage: Add mlsrange parameter to set_seuser
* IPA: Use set_seuser instead of writing selinux login file
* MONITOR: Allow confdb to be accessed by nonroot user
* SYSDB: Allow calling chown on the sysdb file from monitor
* responder_common: Create fd for pipe in helper
* responders: Do not initialize pipe fd if already present
* PAM: Create pipe file descriptors before privileges are dropped
* PAM: Run pam responder as nonroot
* nss: preserve service name in getsrv call
* MONITOR: Fix warning may be used uninitialized
* selinux_child: Do not ignore return values.
* proxy: Do not try to store same alias twice
* PROXY: Preserve service name in proxy provider
* MAN: Update case_sensitive=Preserving in man pages.
* Man: debug_timestamps and debug_microseconds
* test: Wrong parameter type in sss_parse_name_check
* util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name
* util: sss_get_domain_name regex mismatch not fatal
* confdb: Make confdb_set_string accept const char pointer
* AD: Never store case_sensitive as "true" to confdb

Nikolai Kondrashov (1):
* CI: Remove Clang analyzer

Pavel Březina (8):
* IPA: use ipaUserGroup object class for groups
* be_ptask: create a private header file
* be_ptask: handle OFFLINE_DISABLE mode before task execution
* be_ptask: add next_execution time to struct be_ptask
* be_ptask: do not store sync ctx to _task
* tests: be_ptask
* be_ptask: let backoff affect only period
* be_ptask: use gettimeofday() instead of time()

Pavel Reichl (20):
* TESTS: Add -std=gnu99 to cwrap tests CFLAGS
* Fix debug messages - trailing '.'
* pyhbac,pysss: fix reference leaks
* RESPONDERS: refactor create_pipe_fd()
* RESPONDERS: Don't hard-code umask value in utility function
* RESPONDERS: Set default value for umask
* CONFDB: Detect&fix misconf opt refresh_expired_interval
* NSS: disable midpoint refresh for netgroups
* SYSDB: sysdb_idmap_get_mappings returns ENOENT
* Fix: always check return value of unlink()
* BUILD: restrict perms. when installing from source
* SYSDB: sysdb_get_bool() return ENOENT & unit tests
* simple access provider: non-existing object
* simple-access-provider: break matching allowed users
* LDAP: retain external members
* TESTS: sysdb_delete_by_sid() test return value
* NSS: nss_cmd_getbysid_search return ENOENT
* SYSDB: sysdb_search_object_by_sid returns ENOENT
* CONFDB: Typo in debug message
* TESTS: typo in 'assert message'

Stephen Gallagher (1):
* monitor: Service restart fixes

Sumit Bose (48):
* ipa: fix issues with older servers not supporting views
* ipa: improve error reporting for extdom LDAP exop
* ipa_subdomains_handler_master_done: initialize reply_count
* nss: group enumeration fix
* sdap_print_server: use getpeername() to get server address
* IFP: Fix typo in debug message
* memberof: check for empty arrays to avoid segfaults
* Add add_strings_lists() utility function
* IPA: inherit ldap_user_extra_attrs to AD subdomains
* Add parse_attr_list_ex() helper function
* nss: parse user_attributes option
* nss: return user_attributes in origbyname request
* sysdb_get_user_attr_with_views: add mandatory override attributes
* sysdb_add_overrides_to_object: add new parameter and multi-value support
* Views: apply user SSH public key override
* Add test for sysdb_add_overrides_to_object()
* Add ssh pubkey to origbyname request
* Revert "LDAP: Remove unused option ldap_user_uuid"
* Revert "LDAP: Remove unused option ldap_group_uuid"
* Fix uuid defaults
* sysdb: add sysdb_search_object_by_uuid()
* ipa: add split_ipa_anchor()
* LDAP: add support for lookups by UUID
* LDAP: always store UUID if available
* ipa: add get_be_acct_req_for_uuid()
* IPA: make get_object_from_cache() public
* IPA: check overrides for IPA users as well
* Enable views for all domains
* Fix KRB5_CONF_PATH
* AD/IPA: add krb5_confd_path configuration option
* sysdb: add sysdb_delete_view_tree()
* sysdb: add sysdb_invalidate_overrides()
* views: allow view name change at startup
* krb5: make krb5 provider view aware
* IPA: only update view data if it really changed
* krb5: do not fail if checking the old ccache failed
* test: avoid leaks in leak tests
* krb5: add copy_ccache_into_memory()
* krb5: add copy_keytab_into_memory()
* ldap_child: copy keytab into memory to drop privileges earlier
* krb5_child: become user earlier
* krb5: add wrapper for krb5_kt_have_content()
* krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
* IPA: verify group memberships of trusted domain users
* IPA: do not try to add override gid twice
* IPA: handle GID overrides for MPG domains on clients
* libwbclient: initialize some return values
* Add test for sysdb_store_override
