Announcing SSSD 2.4.0
by Pavel Březina
# SSSD 2.4.0
The SSSD team is proud to announce the release of version 2.4.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/sssd-2_4_0
See the full release notes at:
https://sssd.io/docs/users/relnotes/notes_2_4_0
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
- `libnss` support was dropped, SSSD now supports only `openssl`
cryptography
### New features
- Session recording can now exclude specific users or groups when
`scope` is set to `all` (see `exclude_users` and `exclude_groups` options)
- Active Directory provider now sends CLDAP pings over UDP protocol to
Domain Controllers in parallel to determine site and forest to speed up
server discovery
### Packaging changes
- python2 bindings are disabled by default; use `--with-python2-bindings`
to build them
### Documentation Changes
- Default value of `client_idle_timeout` changed from 60 to 300 seconds
for KCM, this allows more time for user interaction (e.g. during `kinit`)
- Added `exclude_users` and `exclude_groups` options to the
`session_recording` section; this allows excluding users or groups from
session recording when `scope` is set to `all`
- Added `ldap_library_debug_level` option to enable debug messages from
`libldap`
- Added `dyndns_auth_ptr` to set authentication mechanism for PTR DNS
records update
- Added `ad_allow_remote_domain_local_groups` to be compatible with
other solutions
[sssd PR#5257][opened] git-template: add tags to help with release notes automation
by pbrezina
URL: https://github.com/SSSD/sssd/pull/5257
Author: pbrezina
Title: #5257: git-template: add tags to help with release notes automation
Action: opened
PR body:
"""
This commit adds information on several tags that should be used
so we are able to generate release notes on each new release
automatically. This will make release notes more thorough and it
will also simplify the process a lot since it takes lots of time
to do it manually.
Why I chose the `:tag:` format:
1. Using @ notation creates user references in github so I wanted
to use something different.
2. Using a plain text like (Resolves) leads people to create their
own variations (Fixes, Resolves XYZ, ...) which adds additional
burden to maintainers. Using this format makes it less error
prone and easier to parse.
"""
To pull the PR as Git branch:
```
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5257/head:pr5257
git checkout pr5257
```
[sssd PR#5303][opened] tests: run TIER-0 multihost tests in PRCI
by pbrezina
URL: https://github.com/SSSD/sssd/pull/5303
Author: pbrezina
Title: #5303: tests: run TIER-0 multihost tests in PRCI
Action: opened
PR body:
"""
I currently expect failure on the rhel-7 box since there are problems
with nss which prohibit me from creating a new vagrant box that
is required for these tests.
I had to revert "libdirsrv should be modified to be compatible with new DS"
as it does not provision the directory server correctly; this needs to be
fixed.
"""
To pull the PR as Git branch:
```
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5303/head:pr5303
git checkout pr5303
```
[sssd PR#5356][opened] krb5_child: Harden credentials validation code
by simo5
URL: https://github.com/SSSD/sssd/pull/5356
Author: simo5
Title: #5356: krb5_child: Harden credentials validation code
Action: opened
PR body:
"""
The krb5_verify_init_creds() call is used to validate the credentials
just obtained by trying to acquire a ticket from the KDC that we can
decrypt. This ensures the KDC is indeed legitimate as it proves
possession of the shared key.
However, this function will *enforce* this behavior only if the
KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL option is set to the value
TRUE.
If this option is unset it defaults to FALSE, which means verify will
silently return success if no key is available.
SSSD *does* ensure that a key is always available for validation, so
this is not a security bug with the current code. However, we add belt
and suspenders here to futureproof this code in case of future
inadvertent changes that may lead to a code path where a key may be
missing.
"""
To pull the PR as Git branch:
```
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5356/head:pr5356
git checkout pr5356
```