Jakub Hrozek
2013-12-19 18:53:28 UTC
=== SSSD 1.11.3 ===
The SSSD team is proud to announce the release of version 1.11.3 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19, 20 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release mostly focuses on bug fixes, especially in the AD provider
* The AD provider is able to resolve group memberships for groups with
Global and Universal scope
* The initgroups (get groups for user) operation for users from trusted
AD domains was made more reliable by reading the required tokenGroups
attribute from LDAP instead of Global Catalog
* A new option ad_enable_gc was added to the AD provider. This option
allows the administrator to force SSSD to talk to LDAP port only and never
try the Global Catalog
* The AD provider is now able to leverage the tokenGroups attribute even
when POSIX attributes are used, providing better performance during logins.
* A memory leak in the NSS responder that affected long-lived clients that
requested netgroup data was fixed
== Documentation Changes ==
* A new option ldap_group_type was added to LDAP, IPA and AD providers
* A new option ad_enable_gc was added to the AD provider
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1568
[RFE] AD Provider should use tokenGroups with non-ID-mapping
https://fedorahosted.org/sssd/ticket/2077
[RFE] If originalDN is not available during LDAP auth, the SSSD should look it up
https://fedorahosted.org/sssd/ticket/2132
Improve detection of the right domain when processing group with members from several domains
https://fedorahosted.org/sssd/ticket/2133
sss_idmap: add API to free objects allocated by the library
https://fedorahosted.org/sssd/ticket/2137
SSSD fails to fetch netgroup information with setnetgrent failed error
https://fedorahosted.org/sssd/ticket/2138
Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"
https://fedorahosted.org/sssd/ticket/2145
Push patch to bump version-info of libsss_idmap
https://fedorahosted.org/sssd/ticket/2146
sssd can't retrieve auto.master when using the "default_domain_suffix" option in
https://fedorahosted.org/sssd/ticket/2147
sssd_be crashes on manually adding a cleartext password to ldap_default_authtok
https://fedorahosted.org/sssd/ticket/2148
Individual group search returned multiple results in GC lookups
https://fedorahosted.org/sssd/ticket/2154
Incorrect mention of access_filter in sssd-ad manpage
https://fedorahosted.org/sssd/ticket/2156
Non descriptive error message when sssd.conf is missing completely
https://fedorahosted.org/sssd/ticket/2157
sssd_be segfaults if empty grop is resolved using ad_matching_rule
https://fedorahosted.org/sssd/ticket/2161
tokenGroups do not work reliable with Global Catalog
https://fedorahosted.org/sssd/ticket/2165
Update Gentoo init script
https://fedorahosted.org/sssd/ticket/2168
If SSSD starts offline, subdomains list is never read.
https://fedorahosted.org/sssd/ticket/2170
sssd_nss grows memory footprint when netgroups are requested
https://fedorahosted.org/sssd/ticket/2173
sssd_be crashes occasionally
https://fedorahosted.org/sssd/ticket/2178
AD groups with domain-local scope should be filtered out for trusted domains
== Detailed Changelog ==
Aron Parsons (1):
* do not use default_domain_suffix with autofs
Jakub Hrozek (14):
* Updating the version for the 1.11.3 release
* Initialize sid_str to NULL to avoid freeing random data
* LDAP: Split out a request to search for a user w/o saving
* LDAP: Search for original DN during auth if it's missing
* AD: Fix a typo in the man page
* LDAP: Initialize user count for AD matching rule
* SUBDOMAINS: Reuse cached results if DP is offline
* AD: Refresh subdomain data structures on startup
* IPA: Refresh subdomain data structures on startup
* IPA: Call ipa_ad_subdom_refresh when server mode is initialized
* AD: Add a utility function to create list of connections
* AD: Add a new option to turn off GC lookups
* AD: Enable fallback to LDAP of trusted domain
* Updating translations for the 1.11.3 release
Jan Engelhardt (1):
* build: fix ordering of linker flags
Lukas Slebodnik (7):
* NSS: Set packet length for initgroups
* LDAP: Prevent from using uninitialized sdap_options
* SYSDB: Skip malformed netgroup attribute.
* SYSDB: Sanitize filter before sysdb_search_groups
* SYSDB: Sanitize filter before removing ghost attrs
* NSS: Fix memory leak in sss_setnetgrent
* AUTOTOOLS: krb5 1.12 is also supported krb5 libs
Markos Chandras (2):
* sysv/gentoo: Use xdm if possible
* sysv/gentoo: Send debug output to a file instead of stderr
Pavel Březina (11):
* idmap: add API to free allocated SIDs
* free idmapped SIDs correctly
* free idmapped dom SIDs correctly
* free idmapped smb SIDs correctly
* free idmapped binary SIDs correctly
* pac: fix double free
* pac: fix potential memory leaks
* failover: check dns_domain if primary servers lookup failed
* ad: refactor tokengroups initgroups
* ad: use tokengroups even when id mapping is disabled
* Bump sss_idmap version to 3:0:3
Pavel Reichl (3):
* monitor: Specific error message for missing sssd.conf
* SSSD: Improved domain detection
* SSSD: Unit test - sss_ldap_dn_in_search_bases
Sumit Bose (10):
* AD: use LDAP for group lookups
* sss_cache: initialize names member of sss_domain_info
* sss_cache: fix case-sensitivity issue
* Add sysdb_attrs_add_lc_name_alias
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias
* Use lower-case name for case-insensitive searches
* Add new option ldap_group_type
* Add sysdb_attrs_get_int32_t
* AD: filter domain local groups for trusted/sub domains
* AD: cross-domain membership fix
The SSSD team is proud to announce the release of version 1.11.3 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19, 20 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release mostly focuses on bug fixes, especially in the AD provider
* The AD provider is able to resolve group memberships for groups with
Global and Universal scope
* The initgroups (get groups for user) operation for users from trusted
AD domains was made more reliable by reading the required tokenGroups
attribute from LDAP instead of Global Catalog
* A new option ad_enable_gc was added to the AD provider. This option
allows the administrator to force SSSD to talk to LDAP port only and never
try the Global Catalog
* The AD provider is now able to leverage the tokenGroups attribute even
when POSIX attributes are used, providing better performance during logins.
* A memory leak in the NSS responder that affected long-lived clients that
requested netgroup data was fixed
== Documentation Changes ==
* A new option ldap_group_type was added to LDAP, IPA and AD providers
* A new option ad_enable_gc was added to the AD provider
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1568
[RFE] AD Provider should use tokenGroups with non-ID-mapping
https://fedorahosted.org/sssd/ticket/2077
[RFE] If originalDN is not available during LDAP auth, the SSSD should look it up
https://fedorahosted.org/sssd/ticket/2132
Improve detection of the right domain when processing group with members from several domains
https://fedorahosted.org/sssd/ticket/2133
sss_idmap: add API to free objects allocated by the library
https://fedorahosted.org/sssd/ticket/2137
SSSD fails to fetch netgroup information with setnetgrent failed error
https://fedorahosted.org/sssd/ticket/2138
Valgrind sssd "Syscall param socketcall.sendto(msg) points to uninitialised byte(s)"
https://fedorahosted.org/sssd/ticket/2145
Push patch to bump version-info of libsss_idmap
https://fedorahosted.org/sssd/ticket/2146
sssd can't retrieve auto.master when using the "default_domain_suffix" option in
https://fedorahosted.org/sssd/ticket/2147
sssd_be crashes on manually adding a cleartext password to ldap_default_authtok
https://fedorahosted.org/sssd/ticket/2148
Individual group search returned multiple results in GC lookups
https://fedorahosted.org/sssd/ticket/2154
Incorrect mention of access_filter in sssd-ad manpage
https://fedorahosted.org/sssd/ticket/2156
Non descriptive error message when sssd.conf is missing completely
https://fedorahosted.org/sssd/ticket/2157
sssd_be segfaults if empty grop is resolved using ad_matching_rule
https://fedorahosted.org/sssd/ticket/2161
tokenGroups do not work reliable with Global Catalog
https://fedorahosted.org/sssd/ticket/2165
Update Gentoo init script
https://fedorahosted.org/sssd/ticket/2168
If SSSD starts offline, subdomains list is never read.
https://fedorahosted.org/sssd/ticket/2170
sssd_nss grows memory footprint when netgroups are requested
https://fedorahosted.org/sssd/ticket/2173
sssd_be crashes occasionally
https://fedorahosted.org/sssd/ticket/2178
AD groups with domain-local scope should be filtered out for trusted domains
== Detailed Changelog ==
Aron Parsons (1):
* do not use default_domain_suffix with autofs
Jakub Hrozek (14):
* Updating the version for the 1.11.3 release
* Initialize sid_str to NULL to avoid freeing random data
* LDAP: Split out a request to search for a user w/o saving
* LDAP: Search for original DN during auth if it's missing
* AD: Fix a typo in the man page
* LDAP: Initialize user count for AD matching rule
* SUBDOMAINS: Reuse cached results if DP is offline
* AD: Refresh subdomain data structures on startup
* IPA: Refresh subdomain data structures on startup
* IPA: Call ipa_ad_subdom_refresh when server mode is initialized
* AD: Add a utility function to create list of connections
* AD: Add a new option to turn off GC lookups
* AD: Enable fallback to LDAP of trusted domain
* Updating translations for the 1.11.3 release
Jan Engelhardt (1):
* build: fix ordering of linker flags
Lukas Slebodnik (7):
* NSS: Set packet length for initgroups
* LDAP: Prevent from using uninitialized sdap_options
* SYSDB: Skip malformed netgroup attribute.
* SYSDB: Sanitize filter before sysdb_search_groups
* SYSDB: Sanitize filter before removing ghost attrs
* NSS: Fix memory leak in sss_setnetgrent
* AUTOTOOLS: krb5 1.12 is also supported krb5 libs
Markos Chandras (2):
* sysv/gentoo: Use xdm if possible
* sysv/gentoo: Send debug output to a file instead of stderr
Pavel Březina (11):
* idmap: add API to free allocated SIDs
* free idmapped SIDs correctly
* free idmapped dom SIDs correctly
* free idmapped smb SIDs correctly
* free idmapped binary SIDs correctly
* pac: fix double free
* pac: fix potential memory leaks
* failover: check dns_domain if primary servers lookup failed
* ad: refactor tokengroups initgroups
* ad: use tokengroups even when id mapping is disabled
* Bump sss_idmap version to 3:0:3
Pavel Reichl (3):
* monitor: Specific error message for missing sssd.conf
* SSSD: Improved domain detection
* SSSD: Unit test - sss_ldap_dn_in_search_bases
Sumit Bose (10):
* AD: use LDAP for group lookups
* sss_cache: initialize names member of sss_domain_info
* sss_cache: fix case-sensitivity issue
* Add sysdb_attrs_add_lc_name_alias
* Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias
* Use lower-case name for case-insensitive searches
* Add new option ldap_group_type
* Add sysdb_attrs_get_int32_t
* AD: filter domain local groups for trusted/sub domains
* AD: cross-domain membership fix