=== SSSD 1.12.4 ===
The SSSD team is proud to announce the release of version 1.12.4 of
the System Security Services Daemon.
As always, the source is available from
https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 21, 22 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This is mostly a bug fixing release with only minor enhancements visible
to the end user
* Contains many fixes and enhancements related to the ID views functionality
of FreeIPA servers
* Several fixes related to retrieving AD group membership in an IPA-AD
trust scenario
* Fixes a bug where the GPO access control previously didn't work at all
if debugging was enabled in smb.conf.
* SSSD can now be pinned to a particular AD site instead of autodiscovering
the site
* A regression that caused setting the SELinux context for IPA users to
fail was fixed
* Fixed a potential crash caused by a double-free error when an SSSD
service was killed by the monitor process
== Packaging Changes ==
* Several patches that allow building the Python code in SSSD with python3
were merged
== Documentation Changes ==
* A new option ad_site was added. When this option is set, SSSD will
attempt to connect to DCs from this particular AD site instead of looking
up the site via DNS
* The ad_gpo_map_permit option now also includes the systemd-user service
to avoid errors in processing of the PAM session stack
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1991
Make return codes of basic sysdb operations consistent
https://fedorahosted.org/sssd/ticket/2203
Write message to syslog about users with duplicated UID
https://fedorahosted.org/sssd/ticket/2376
Investigate Kerberized NFS4 setup with the new NFS plugin
https://fedorahosted.org/sssd/ticket/2486
[RFE] ad provider dns_discovery_domain option: kerberos discovery is not using this option
https://fedorahosted.org/sssd/ticket/2515
sssd-ad: The man page description to enable GPO HBAC Policies is unclear
https://fedorahosted.org/sssd/ticket/2525
Monitor SIGKILL timer issue and service restart failure
https://fedorahosted.org/sssd/ticket/2527
sssd.conf(5) man page gives bad advice about domains parameter
https://fedorahosted.org/sssd/ticket/2531
sssd_be crashes in nested LDAP code with a use-after-free error
https://fedorahosted.org/sssd/ticket/2542
GPO offline processing rejects access if no applicable GPOs are found in the cache
https://fedorahosted.org/sssd/ticket/2543
GPO code fails if no LDAP URI can be resolved
https://fedorahosted.org/sssd/ticket/2544
GPO: libsmbclient logs to stdout by default, cluttering gpo_child output
https://fedorahosted.org/sssd/ticket/2547
gzip: stdin: file size changed while zipping when rotating logfile
https://fedorahosted.org/sssd/ticket/2548
Document that dyndns_iface only supports a single interface
https://fedorahosted.org/sssd/ticket/2550
libsss_simpleifp should pull sssd-dbus
https://fedorahosted.org/sssd/ticket/2556
add systemd-user to default gpo list
https://fedorahosted.org/sssd/ticket/2557
pam_sss(sshd:auth): authentication failure with user from AD
https://fedorahosted.org/sssd/ticket/2559
PAC responder is called after krb5_child switches to the user logging in
https://fedorahosted.org/sssd/ticket/2560
Users saved through extop don't have the originalMemberOf attribute
https://fedorahosted.org/sssd/ticket/2563
Need to set different umask in selinux_child
https://fedorahosted.org/sssd/ticket/2564
selinux_child needs to setuid(0) to make libselinux work as non-root
https://fedorahosted.org/sssd/ticket/2566
Uncached SIDs cannot be resolved
https://fedorahosted.org/sssd/ticket/2567
Same member saved as ghost and as member in IPA server mode
https://fedorahosted.org/sssd/ticket/2571
IPA initgroups don't work correctly in non-default view
https://fedorahosted.org/sssd/ticket/2572
[abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT
https://fedorahosted.org/sssd/ticket/2586
user_attributes missing from ifp schema
== Detailed Changelog ==
Bohuslav Kabrda (1):
* Python3 support in SSSD
Jakub Hrozek (23):
* Updating the version to the 1.12.4 release
* GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()
* TESTS: Cover sysdb_gpo.c with unit tests
* GPO: Set libsmb debugging to stderr
* UTIL: Allow dup-ing child pipe to a different FD
* GPO: Don't use stdout for output in gpo_child
* GPO: Extract server hostname after connecting
* krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW
* Open the PAC socket from krb5_child before dropping root
* IPA: Use attr's dom for users, too
* SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root
* SELINUX: Set and reset umask when calling set_seuser from daemon code
* LDAP: Add UUID when saving incomplete groups
* IPA: Resolve IPA user groups' overrideDN in non-default view
* LDAP: Rename the _res output parameter to avoid clashing with libresolv in tests
* RESOLV: Add an internal function to read TTL from a DNS packet
* resolv: Fix a typo
* SELINUX: Check the return value of setuid and setgid
* BUILD: Include python-test.py in the tarball
* GPO: Better debugging for gpo_child's mkdir
* LDAP: Add better DEBUG messages to the cleanup task
* LDAP: Handle ENOENT better in the cleanup task
* Updating translations for the 1.12.4 release
Lukas Slebodnik (11):
* logrotate: Fix warning file size changed while zipping
* PROXY: Fix use after free
* pysss: Fix double free
* MONITOR: Fix double free
* SSSDConfig: Remove unused exception name
* SSSDConfig: Port missing parts to python3
* Remove strict requirements of python2
* sbus_codegen: Port to python3
* Add missing new lines to debug messages
* CONFIGURE: Do not use macro AC_PROG_MKDIR_P twice
* RESPONDERS: Warn to syslog about colliding objects
Pavel Březina (1):
* spec: sifp requires sssd-dbus
Pavel Reichl (6):
* GPO: add systemd-user to gpo default permit list
* MAN: dyndns_iface supports only one interface
* MAN: add dots as valid character in domain names
* AD: add new option ad_site
* AD: support for AD site override
* MAN: amend sss_ssh_authorizedkeys
Rob Crittenden (1):
* Add user_attributes to ifp section of API schema
Sumit Bose (24):
* IPA: add get_be_acct_req_for_user_name()
* IPA: resolve ghost members if a non-default view is applied
* sysdb: fix group members with overridden names
* IPA: ipa_resolve_user_list_send() take care of overrides
* IPA: do not look up overrides on client with default view
* IPA: make version check more precise
* IPA: add missing break
* IPA: process_members() optionally return missing members list
* IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()
* IPA: resolve missing members
* IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLIST
* krb5: fix entry order in MEMORY keytab
* nss: make fill_orig() multi-value aware
* nss: refactor fill_orig()
* nss: Add original DN and memberOf to origbyname request
* views: fix GID override for mpg domains
* IPA: properly handle mixed-case trusted domains
* nss: fix SID lookups
* sysdb: remove ghosts in all sub-domains as well
* IPA: resolve IPA group-memberships for AD users
* IPA: process_members() add ghosts only once
* ipa_s2n_save_objects: properly handle fully-qualified group names
* AD: use GC for SID requests as well
* fill_id() fix LE/BE issue with wrong data type