[Freeipa-interest] Announcing SSSD 1.13.2
Jakub Hrozek
2015-11-19 15:51:47 UTC
== SSSD 1.13.2 ==

The SSSD team is proud to announce the release of version 1.13.2 of
the System Security Services Daemon.

As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users


== Highlights ==

* This is primarily a bugfix release, with minor features added to the
local overrides feature
* The sss_override tool gained new user-show, user-find, group-show and
group-find commands
* The PAM responder was crashing if PAM_USER was set to an empty
string. This bug was fixed
* The sssd_be process could crash when looking up groups in setups with
IPA-AD trusts that use POSIX attributes but do not replicate them to
the Global Catalog
* A socket leak in case SSSD couldn't establish a connection to an LDAP
server was fixed
* SSSD's memory cache now behaves better when used by long-running
applications such as system daemons and the administrator invalidates
the cache
* The SSSDConfig Python API no longer throws an exception when
config_file_version is missing
* The InfoPipe D-Bus interface is able to retrieve user groups correctly
if the user is a member of non-POSIX groups like ipausers as well
* Lookups by certificate now work correctly in multi-domain environment
* The lookup of POSIX attributes after startup was relaxed to only
check attribute presence, not validity. The POSIX check was also made
less verbose
* A bug when looking up subdomain users by UPN was fixed


== Packaging Changes ==

* The memory cache for initgroups results was previously not packaged. This
bug was fixed.
* Python 2/3 packaging in the RPM specfile was improved


== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/2176
warn if memcache_timeout is greater than entry_cache_timeout
https://fedorahosted.org/sssd/ticket/2493
Check chown_debug_file() usage
https://fedorahosted.org/sssd/ticket/2673
Consider also disabled domains when link_forest_roots() is called
https://fedorahosted.org/sssd/ticket/2697
extend PAM responder unit test
https://fedorahosted.org/sssd/ticket/2706
Contribute and DevelTips are duplicate
https://fedorahosted.org/sssd/ticket/2726
Long living application can use removed memory cache.
https://fedorahosted.org/sssd/ticket/2730
responder_cache_req-tests failed
https://fedorahosted.org/sssd/ticket/2736
sss_override: add find and show commands
https://fedorahosted.org/sssd/ticket/2759
sbus_codegen_tests leaves a process running
https://fedorahosted.org/sssd/ticket/2779
Review and update wiki pages for 1.13.2
https://fedorahosted.org/sssd/ticket/2786
Create a wiki page that lists security-sensitive options
https://fedorahosted.org/sssd/ticket/2792
SSSD is not closing sockets properly
https://fedorahosted.org/sssd/ticket/2800
Relax POSIX check
https://fedorahosted.org/sssd/ticket/2802
sss_override segfaults when accidentally adding --help flag to some
commands
https://fedorahosted.org/sssd/ticket/2804
Size limit exceeded too loud during POSIX check
https://fedorahosted.org/sssd/ticket/2807
CI: configure script failed on CentOS {6,7}
https://fedorahosted.org/sssd/ticket/2810
sssd_be crashed
https://fedorahosted.org/sssd/ticket/2811
PAM responder crashed if user was not set
https://fedorahosted.org/sssd/ticket/2814
avoid symlinks with python modules
https://fedorahosted.org/sssd/ticket/2819
CI: test_ipa_subdomains_server failed on rhel6 + --coverage (FAIL:
test_ipa_subdom_server)
https://fedorahosted.org/sssd/ticket/2826
sss_override: memory violation
https://fedorahosted.org/sssd/ticket/2827
bug in UPN lookups for subdomain users
https://fedorahosted.org/sssd/ticket/2833
local overrides: don't contact server with overridden name/id
https://fedorahosted.org/sssd/ticket/2837
REGRESSION: ipa-client-automout failed
https://fedorahosted.org/sssd/ticket/2861
sssd crashes if non-UTF-8 locale is used
https://fedorahosted.org/sssd/ticket/2863
IFP: ifp_users_user_get_groups doesn't handle non-POSIX groups


== Detailed Changelog ==

Dan Lavu (1):
* sss_override: Add restart requirements to man page

Jakub Hrozek (10):
* Bump the version for the 1.13.2 development
* AD: Provide common connection list construction functions
* AD: Consolidate connection list construction on ad_common.c
* tests: Fix compilation warning
* tools: Don't shadow 'exit'
* IFP: Skip non-POSIX groups properly
* DP: Drop dp_pam_err_to_string
* DP: Check callback messages for valid UTF-8
* sbus: Check string arguments for valid UTF-8 strings
* Updating translations for the 1.13.2 release

Lukas Slebodnik (33):
* CI: Fix configure script arguments for CentOS
* CI: Don't depend on user input with apt-get
* CI: Add missing dependency for debian
* CI: Run integration tests on debian testing
* BUILD: Link just libsss_crypto with crypto libraries
* BUILD: Link crypto_tests with existing library
* BUILD: Remove unused variable TEST_MOCK_OBJ
* BUILD: Avoid symlinks with python modules
* SSSDConfigTest: Try load saved config
* SSSDConfigTest: Test real config without config_file_version
* intg_tests: Fix PEP8 warnings
* BUILD: Accept krb5 1.14 for building the PAC plugin
* BUILD: Fix detection of pthread with strict CFLAGS
* BUILD: Fix doc directory for sss_simpleifp
* LDAP: Fix leak of file descriptors
* CI: Workaround for code coverage with old gcc
* cache_req: Fix warning -Wshadow
* SBUS: Fix warnings -Wshadow
* TESTS: Fix warnings -Wshadow
* INIT: Drop syslog.target from service file
* sbus_codegen_tests: Suppress warning Wmaybe-uninitialized
* DP_PTASK: Fix warning may be used uninitialized
* UTIL: Fix memory leak in switch_creds
* TESTS: Initialize leak check
* TESTS: Check return value of check_leaks_pop
* TESTS: Make check_leaks static function
* TESTS: Add warning for unused result of leak check functions
* sss_client: Fix underflow of active_threads
* sssd_client: Do not use removed memory cache
* test_memory_cache: Test removing mc without invalidation
* Revert "intg: Invalidate memory cache before removing files"
* CONFIGURE: Bump AM_GNU_GETTEXT_VERSION
* test_sysdb_subdomains: Do not use assignment in assertions

Michal Židek (7):
* SSSDConfig: Do not raise exception if config_file_version is missing
* spec: Missing initgroups mmap file
* util: Update get_next_domain's interface
* tests: Add get_next_domain_flags test
* sysdb: Include disabled domains in link_forest_roots
* sysdb: Use get_next_domain instead of dom->next
* Refactor some conditions

Nikolai Kondrashov (13):
* CI: Update reason blocking move to DNF
* CI: Exclude whitespace_test from Valgrind checks
* intg: Get base DN from LDAP connection object
* intg: Add support for specifying all user attrs
* intg: Split LDAP test fixtures for flexibility
* intg: Reduce sssd.conf duplication in test_ldap.py
* intg: Fix RFC2307bis group member creation
* intg: Do not use non-existent pre-increment
* CI: Do not skip tests not checked with Valgrind
* CI: Handle dashes in valgrind-condense
* intg: Fix all PEP8 issues
* CI: Enforce coverage make check failures
* intg: Add more LDAP tests

Pavel Březina (23):
* sss tools: improve option handling
* sbus codegen tests: free ctx
* cache_req: provide extra flag for oob request
* cache_req: add support for UPN
* cache_req tests: reduce code duplication
* cache_req: remove raw_name and do not touch orig_name
* sss_override: fix comment describing format
* sss_override: explicitly set ret = EOK
* sss_override: steal msgs string to objs
* nss: send original name and id with local views if possible
* sudo: search with view even if user is found
* sudo: send original name and id with local views if possible
* sss_tools: always show common and help options
* sss_override: fix exporting multiple domains
* sss_override: add user-find
* sss_override: add group-find
* sss_override: add user-show
* sss_override: add group-show
* sss_override: do not free ldb_dn in get_object_dn()
* sss_override: use more generic help text
* sss_tools: do not allow unexpected free argument
* BE: Add IFP to known clients
* AD: remove annoying debug message

Pavel Reichl (12):
* AD: add debug messages for netlogon get info
* confdb: warn if memcache_timeout > than entry_cache
* SDAP: Relax POSIX check
* SDAP: optional warning - sizelimit exceeded in POSIX check
* SDAP: allow_paging in sdap_get_generic_ext_send()
* SDAP: change type of attrsonly in sdap_get_generic_ext_state
* SDAP: pass params in sdap_get_and_parse_generic_send
* sss_override: amend man page - overrides do not stack
* sss_override: Removed overrides might be in memcache
* pam-srv-tests: split pam_test_setup() so it can be reused
* pam-srv-tests: Add UT for cached 'online' auth.
* intg: Add test for user and group local overrides

Petr Cech (9):
* DEBUG: Preventing chown_debug_file if journald on
* TEST: Add test_user_by_recent_filter_valid
* TEST: Refactor of test_responder_cache_req.c
* TEST: Refactor of test_responder_cache_req.c
* TEST: Add common function are_values_in_array()
* TEST: Add test_users_by_recent_filter_valid
* TEST: Add test_group_by_recent_filter_valid
* TEST: Refactor of test_responder_cache_req.c
* TEST: Add test_groups_by_recent_filter_valid

Stephen Gallagher (2):
* LDAP: Inform about small range size
* Monitor: Show service pings at debug level 8

Sumit Bose (5):
* PAM: only allow missing user name for certificate authentication
* fix ldb_search usage
* fix upn cache_req for sub-domain users
* nss: fix UPN lookups for sub-domain users
* cache_req: check all domains for lookups by certificate
