Hi Jakub,
Does it mean that AD POSIX attributes are finally supported with IPA&AD trust?
Thanks,
Ondrej


Sent from Samsung Mobile



-------- Original message --------
From: Jakub Hrozek <jhrozek@redhat.com>
Date:
To: sssd-devel@lists.fedorahosted.org,sssd-users@lists.fedorahosted.org,freeipa-interest@redhat.com
Subject: [SSSD-users] Announcing SSSD 1.11.0


                      === SSSD 1.11.0 ===

The SSSD team is proud to announce the final release of version 1.11 of
the System Security Services Daemon.

This release focuses on changes not visible to the end-user. The aim is
to support new features used by the forthcoming version 3.3 of FreeIPA and
targets supporting legacy (non-SSSD) clients in a setup where the FreeIPA
server established a trust relationship with an Active Directory Forest.

As always, the source is available from https://fedorahosted.org/sssd.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
 * This release focuses on changes not visible to the end-user. The aim is
   to support new features used by the forthcoming version 3.3 of FreeIPA and
   targets supporting legacy (non-SSSD) clients in a setup where the FreeIPA
   server established a trust relationship with an Active Directory Forest.
   - The handling of ID ranges in the providers has been changed to use
     a plugin interface where each provider can use a different plugin
   - The libsss_idmap library has been enhanced in several ways such as
     handling "external mappings" or supporting base RIDs other than 0
   - The assumption that subdomain users always have a primary
     user-private-group (UPG) has been removed
   - When SSSD is running on the IPA server, it is able to perform lookups
     for trusted users directly against the AD server using the AD provider
     lookups including enumeration and site location
 * The sudo integration was made more robust. SSSD is now able to
   gracefully handle situations where it is not able to resolve the client
   host name or sudo rules have multiple name attributes
 * Several nested group membership bugs were fixed
 * The PAC responder was made more robust and efficient, modifying
   existing cache entries instead of always recreating them.
 * The Kerberos provider now supports the new KEYRING ccache type. This
   feature depends on yet unreleased libkrb5 and kernel patches.

== Packaging changes ==
 * The sssd_pac binary was moved to the IPA and AD provider subpackages
   from the krb5-common subpackage

== Tickets fixed ==
https://fedorahosted.org/sssd/ticket/1938
    [RFE] Add a new call to libsss_idmap to add a new mapping where the first RID is not 0
https://fedorahosted.org/sssd/ticket/1960
    [RFE] Add range type for ID mapping in AD to libsss_idmap
https://fedorahosted.org/sssd/ticket/1961
    [RFE] Add plugin to LDAP provider to find new ranges
https://fedorahosted.org/sssd/ticket/1962
    [RFE] Integrate AD provider lookup code into IPA subdomain user lookup
https://fedorahosted.org/sssd/ticket/1979
    [RFE] Add an optional unique range identifier
https://fedorahosted.org/sssd/ticket/1993
    [RFE] Add a new option to denote server mode
https://fedorahosted.org/sssd/ticket/1965
    man: document that the default access provider in AD provider is "permit"
https://fedorahosted.org/sssd/ticket/1988
    [RFE] sss_cache has no option to clear all cached entries of all types
https://fedorahosted.org/sssd/ticket/1997
    When resolving a SID, search for groups first, then users
https://fedorahosted.org/sssd/ticket/1998
    sssd-ad man page states that ad_server can be an IP address even though SSSD doesn't support that
https://fedorahosted.org/sssd/ticket/2005
    SSSD filter out ldap user/group if uid/gid is zero
https://fedorahosted.org/sssd/ticket/2009
    Disallow or warn if full_name_format is set to a non-default value when IPA server mode is on
https://fedorahosted.org/sssd/ticket/2023
    AD provider in server mode follows referrals
https://fedorahosted.org/sssd/ticket/2025
    pysss module linking is broken
https://fedorahosted.org/sssd/ticket/1408
    It should be possible to use uid/gid defined in AD instead of SIDs
https://fedorahosted.org/sssd/ticket/1821
    Allow using UIDs and GIDs from AD in trust case
https://fedorahosted.org/sssd/ticket/1881
    Determine how to map SID to UID/GID based on IdM server configuration
https://fedorahosted.org/sssd/ticket/1942
    convert enumeration timer to be_ptask
https://fedorahosted.org/sssd/ticket/1963
    [RFE] Implement or Improve enumeration
https://fedorahosted.org/sssd/ticket/1964
    [RFE] Enhance IPA SRV plugin to do AD site lookups as well
https://fedorahosted.org/sssd/ticket/1996
    PAC responder: update cached user object instead of deleting and recreating them
https://fedorahosted.org/sssd/ticket/2027
    Domain Users memberships removed in subsequent lookups in server_mode
https://fedorahosted.org/sssd/ticket/2032
    sssd sees gid as 0 for AD trust posix users causing lookup failures
https://fedorahosted.org/sssd/ticket/2035
    amend the docs of sss_nss_getnamebysid to make it clear it only works for id_provider=ad
https://fedorahosted.org/sssd/ticket/2044
    Update sssd-ad manpage to reflect "trust between domains in single forest are supported"

== Detailed changelog ==
Alexander Bokovoy (3):
    * build: fix dependencies for pysss module
    * pysss: add pysss.getgrouplist(username)
    * pysss: prevent crashing when group is unresolvable

Jakub Hrozek (58):
    * Updating the version for the 1.10.1 release
    * Bump version to track 1.11 development
    * IPA: Add a server mode option
    * LDAP: Add utility function sdap_copy_map
    * AD: decouple ad_id_ctx initialization
    * AD: initialize failover with custom realm, domain and failover service
    * IPA: Initialize server mode ctx if server mode is on
    * AD: Move storing sdap_domain for subdomain to generic LDAP code
    * IPA: Create and remove AD id_ctx for subdomains discovered in server mode
    * IPA: Look up AD users directly if IPA server mode is on
    * Updating translations for the 1.11 beta1 release
    * Bumping the version for the 1.11 beta2 release
    * RPM: Move sssd_pac to the krb5-common subpackage
    * DB: sysdb_search_user_by_name: search by both name and alias
    * LDAP: When resolving a SID, search for groups first, then users
    * RPM: Require libsss_idmap from sssd-common
    * MAN: clarify the default access provider for AD
    * MAN: IP address does not work when used for ad_server
    * MAN: Clarify the min_id/max_id limits further
    * Remove unused be_ctx->sigchld_ctx
    * IPA: warn if full_name_format is customized in server mode
    * AD: Set the bool value same as default value in opts
    * Fix the default FQDN format
    * SUDO: realloc with sizeof(uint32_t) when adding uint32_t
    * KRB5: Do not send PAC in server mode
    * LDAP: Use domain-specific name where appropriate
    * Updating translations for the 1.11 beta2 release
    * Bumping the version for the 1.11 beta3 release
    * Use GID if subdomain is not MPG
    * PAM: Check negcache when searching for fully qualified users, too
    * PAM: Set negcache if user is not found after provider check
    * Use the correct resolv timeout
    * Remove unused constant
    * AD: Use the correct include guard
    * UTIL: Remove obsolete compat macros
    * KRB5: Formatting changes
    * KRB5: Do not log to syslog on each login
    * MAN: AD provider only supports trusted domains from the same forest
    * PAC: Skip SIDs that cannot be resolved to domain
    * IPA: Enable AD sites when in server mode
    * DB: Update sss_domain_info with new updated data
    * DB: remove unused realm parameter from sysdb_master_domain_add_info
    * LDAP: Add enum_{users,groups}_recv to follow the tevent_req style
    * LDAP: Remove unused constant
    * LDAP: Move the ldap enum request to its own reusable module
    * LDAP: Convert enumeration to the ptask API
    * LDAP: Make cleanup synchronous
    * LDAP: Make the cleanup task reusable for subdomains
    * LDAP: Make sdap_id_setup_tasks reusable for subdomains
    * SYSDB: Store enumerate flag for subdomain
    * Read enumerate state for subdomains from cache
    * Add a new option to control subdomain enumeration
    * IPA: enable enumeration if parent domain enumerates in server mode
    * NSS: Descend into subdomains if enumerate=true
    * IPA: Add forgotten declaration
    * DP: Use the correct type for DBus boolean
    * Updating translations for the 1.11.0 release
    * Updating the version for the 1.11.0 release

Jim Collins (1):
    * ldap: only update shadowLastChange when password change is successful

Lukas Slebodnik (35):
    * BUILD: Use pkg-config to detect cmocka
    * Return right directory name for dircache
    * Use conditional build for retrieving ccache.
    * Remove unused function parameter
    * Every time use permissive control in function memberof_mod.
    * Fix clang format string warning.
    * Use function ldb_dn_get_linearized to format struct ldb_dn
    * Add missing argument required by format string
    * Remove unused memory context from function unpack_authtok
    * Fix warnings: uninitialized variable
    * Fix autotools warnings: macro xyz not found in library
    * Fix possible dereference of a NULL pointer.
    * Every time release allocated memory in function py_sss_getgrouplist
    * Prevent using uninitialized "group_name" in done section.
    * Remove unused memory context
    * SSH: Ensure that cmd_ctx->name will not be NULL.
    * Add script make_srpm.sh to dist tarball.
    * NSS: allow removing entries from netgroup hash table
    * NSS: Clear cached netgroups if a request comes in from the sss_cache
    * Enable removing nonexisting dn in sdap_handle_account_info
    * proxy: Allocate auth tokens in struct authtok_conv
    * Check whether servername is not empty string.
    * Remove include recursion
    * Remove include recursion
    * Use brackets around macros.
    * Fix memory leak in sss_krb5_get_error_message
    * mmap_cache: Skip records which don't have same hash
    * mmap_cache: Use stricter check for hash keys.
    * UTIL: Create new wrapper header file sss_endian.h
    * CLIENT: Fix non gnu sss_strnlen implementation
    * MONITOR: Move function declaration out of conditional build
    * UTIL: Explicitly include header file sys/socket.h
    * MEMBEROF: Remove temporary workaround
    * IPA_HBAC: Explicitly include header file time.h
    * CONFIGURE: Get rid of bashism

Michal Zidek (16):
    * sss_cache: Add option to invalidate all entries
    * Always set port status to neutral when resetting service.
    * Missing space in debug message
    * Remove unused constant.
    * Set default DNS resolution timeout to 6 seconds.
    * Lower timeout to contact DNS server
    * resolv-tests failing with memory leak
    * ldap, krb5: More descriptive msg on chpass failure.
    * mmap_cache: Check if slot and name_ptr are not invalid.
    * mmap_cache: Check data->name value in client code
    * mmap_cache: Remove triple checks in client code.
    * mmap_cache: Off by one error.
    * mmap_cache: Use better checks for corrupted mc in responder
    * mmap_cache: Store corrupted mmap cache before reset
    * mmap_cache: Use sss_atomic_write_s instead of write.
    * pam: Bad debug message format and parameter.

Ondrej Kos (9):
    * Do not copy special files when creating homedir
    * KRB5_CHILD: Fix handling of get_password return code
    * Do not try to set password when authtok_length is zero
    * KRB: Handle empty password gracefully
    * KRB: Replace multiple calls with variable
    * TOOLS: Update all services with sss_debuglevel
    * Clarify that getnamebysid currently works only with ipa/ad id_provider
    * AD: Cast SASL callbacks to proper type
    * DP: Notify properly when removing PAC responder

Pavel Březina (13):
    * remove unused variable
    * print hint about password complexity when new password is rejected
    * dyndns timeout test: catch SIGCHLD handler events
    * SIGCHLD handler: do not call callback when pvt data were freed
    * Fix netgroup lookup when using fully qualified name
    * sudo: skip rule on error instead of failing completely
    * sudo: print better debug message when a rule has multiple cn values
    * simple access provider: allow fully qualified names
    * add simple access provider init test
    * sudo: continue if we are unable to resolve fqdn
    * sudo: do not fail to store the rule if we can't read usn
    * sudo: do not strdup usn on ENOENT
    * sss_packet_grow: correctly pad packet length to 512B

Simo Sorce (5):
    * Add a commit template
    * sssd_ad: Add hackish workaround for sasl ad_compat
    * proxy: Allow initgroup to return NOTFOUND
    * krb5_common: Refactor to use a talloc temp context
    * BUILD: Remove unnecessary patch and configure opts

Stephen Gallagher (14):
    * Move pre and post scripts to sssd-common
    * Remove sysv->systemd upgrade routines
    * Move sssd_pac binary to the IPA and AD providers
    * Netgroups should ignore the 'use_fully_qualified_names' setting
    * BUILD: Fix contrib build macros to display warnings
    * gitignore: Add Eclipse project files to ignore list
    * KRB5: Add new #define for collection cache types
    * KRB5: Refactor cc_*_check_existing
    * KRB5: Only set active and valid on success
    * KRB5: Add low-level debugging to sss_get_ccache_name_for_principal
    * KRB5: Remove unnecessary call to become_user()
    * KRB5: Add support for KEYRING cache type
    * BUILD: Ignore translations when building RPMs
    * krb5: Fetch ccname template from krb5.conf

Sumit Bose (36):
    * idmap: allow first RID to be set
    * idmap: add optional unique range id
    * idmap: add option to indicate external_mapping
    * idmap: allow NULL domain sid for external mappings
    * idmap: add calls to check if ID mapping conforms to ranges
    * idmap: add sss_idmap_domain_has_algorithmic_mapping
    * Add cmocka based tests for libsss_idmap
    * Add new options ldap_min_id and ldap_max_id
    * SDAP IDMAP: Add configured domain to idmap context
    * Allow different methods to find new domains for idmapping
    * Add sdap_idmap_domain_has_algorithmic_mapping()
    * Replace SDAP_ID_MAPPING checks with sdap_idmap_domain_has_algorithmic_mapping
    * Add ipa_idmap_init()
    * Add support for new ipaRangeType attribute
    * Replace new_subdomain() with find_subdomain_by_name()
    * IPA: read ranges before subdomains
    * Save mpg state for subdomains
    * Read mpg state for subdomains from cache
    * Fix memory context for a state member
    * Fix memory context for hash entries
    * ipa_s2n_get_user_done: free group_attrs as well
    * ipa_s2n_get_user_done: make sure ALIAS name is lower case
    * sdap_get_initgr_done: use the right SID to get a GID
    * sdap_save_user: save original primary GID of subdomain users
    * fill_initgr: add original primary GID if available
    * sdap_add_incomplete_groups: use fully qualified name if needed
    * save_rfc2307bis_user_memberships: use fq names for subdomains
    * sysdb_add_incomplete_group: store SID string if available
    * check_cc_validity: make sure _valid is always set
    * PAC: if user entry already exists keep it
    * PAC: do not create users with missing GID
    * PAC: handle non-POSIX groups in cache
    * PAC: read user DN instead of constructing it
    * PAC: do not fail if a single group cannot be added/removed
    * PAC: use SID instead of GID to search for groups
    * ipa-server-mode: add IPA group memberships to AD users

Yuri Chornoivan (1):
    * Fix two minor typos
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users