=== SSSD 1.11.8 ===
The SSSD team is proud to announce the release of version 1.11.8 of
the System Security Services Daemon.
As always, the source is available from
https://fedorahosted.org/sssd
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focuses on backporting bug fixes from the 1.12 and 1.13
releases. At the moment, the SSSD upstream does not plan on releasing
1.11.9, barring security issues or regressions in this release. We
recommend that all users of 1.11 upgrade to 1.12 or 1.13.
* Several bugs related to using id_provider=ldap together with ID mapping
enabled were fixed
* Fixed a potential use-after-free error in the nested groups resolution code
* The service restart code in the main "sssd" process was improved
* The PAC responder can be built with MIT Kerberos versions 1.13 and 1.14
* A potential segfault in the memberof ldb plugin was fixed
* The LDAP child no longer leaves a stray temporary file behind in case
acquiring the credentials fails
* The sudo responder works correctly even for users or groups whose name
contains an LDAP special character such as )
* The autofs responder now works even with setups that enable the
default_domain_suffix option
* A memory leak in the NSS responder when a non-existing netgroup was
requested is fixed in this release
* The SSSD no longer leaks a file descriptor if service discovery times
out when discovering an LDAP server
* The sudo responder now sorts entries by the sudoOrder attribute the
same way sudo's native LDAP code does
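Several of the fixes above (the sudo responder handling names containing ")", and the "sanitize filter values" / "Sanitize group dn before using in filter" changes in the changelog) come down to one rule: any value interpolated into an LDAP search filter must be escaped as RFC 4515 requires. The following is an added illustration written for this announcement, not SSSD's own code; the function names ldap_filter_escape, build_sudo_user_filter and build_sudo_user_filter_unsafe and the sample names are constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
 * The characters '*', '(', ')' and '\' are replaced by "\XX" hex escapes so
 * that user-supplied data cannot change the structure of the filter.
 * Returns a newly allocated string (caller frees) or NULL on allocation failure.
 * Hypothetical helper, not an SSSD API. */
char *ldap_filter_escape(const char *value)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes 3 chars */
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        switch (c) {
        case '*':
        case '(':
        case ')':
        case '\\':
            *p++ = '\\';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
            break;
        default:
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* The unsafe pattern: the raw name is pasted into the filter. A name such as
 * "eng)" yields "(sudoUser=eng))", which is malformed, and a name of "*"
 * would match every entry. Kept here only to show the contrast. */
char *build_sudo_user_filter_unsafe(const char *name)
{
    const char *prefix = "(sudoUser=";
    size_t n = strlen(prefix) + strlen(name) + 2;
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, "%s%s)", prefix, name);
    }
    return filter;
}

/* The hardened builder: escape first, then assemble the filter. */
char *build_sudo_user_filter(const char *name)
{
    char *esc = ldap_filter_escape(name);
    if (esc == NULL) {
        return NULL;
    }
    const char *prefix = "(sudoUser=";
    size_t n = strlen(prefix) + strlen(esc) + 2;
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, "%s%s)", prefix, esc);
    }
    free(esc);
    return filter;
}

int main(void)
{
    /* Constructed sample names containing LDAP filter metacharacters */
    const char *names[] = { "alice", "eng)", "a*(b)\\c" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        char *unsafe = build_sudo_user_filter_unsafe(names[i]);
        char *safe = build_sudo_user_filter(names[i]);
        printf("name=%-10s unsafe=%-22s safe=%s\n", names[i], unsafe, safe);
        free(unsafe);
        free(safe);
    }
    return 0;
}
```

The escaped form is what sysdb and LDAP searches should receive; a filter built from the unescaped name is either rejected as malformed or, worse, silently matches more entries than intended.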
== Documentation Changes ==
* The ldap_use_tokengroups option now defaults to false in the generic LDAP
provider. Previously, both the AD provider and the LDAP provider (with
ldap_schema set to ad) attempted to use the tokenGroups attribute, which
resulted in numerous bugs.
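Because the default of ldap_use_tokengroups differs between releases, a deployment that relies on the option should set it explicitly rather than depend on the version it happens to run. The sssd.conf fragment below is an added example for this announcement, not configuration shipped by the SSSD project; the domain name example.com and the server URI are placeholders.

```ini
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://dc.example.com
ldap_schema = ad
# ID mapping from objectSID is in use, one of the areas fixed in this release
ldap_id_mapping = true
# Pin the behaviour regardless of the release default: the generic LDAP
# provider no longer reads tokenGroups unless this is set to true.
ldap_use_tokengroups = false
```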
== Tickets Fixed ==
* https://fedorahosted.org/sssd/ticket/2412
  Error processing universal groups with cross-domain membership in
  SSSD server mode
* https://fedorahosted.org/sssd/ticket/2471
  RHEL6.6 sssd (1.11) fails if IPA permissions and roles have the
  same name
* https://fedorahosted.org/sssd/ticket/2484
  Password change over ssh doesn't work with OTP and FreeIPA
* https://fedorahosted.org/sssd/ticket/2448
  MAN: If ldap_group_base is set, tokengroups might not be able to
  convert all GIDs to names
* https://fedorahosted.org/sssd/ticket/2445
  Race condition while invalidating memory cache in client code
* https://fedorahosted.org/sssd/ticket/2492
  Group membership gets lost in IPA server mode
* https://fedorahosted.org/sssd/ticket/2573
  Use after free in proxy provider
* https://fedorahosted.org/sssd/ticket/2611
  sssd_be dumping core if enumeration times out
* https://fedorahosted.org/sssd/ticket/2525
  Monitor SIGKILL timer issue and service restart failure
* https://fedorahosted.org/sssd/ticket/2572
  [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT
* https://fedorahosted.org/sssd/ticket/2430
  sssd segfaults repeatedly with error 4 in memberof.so
* https://fedorahosted.org/sssd/ticket/1096
  Clock skew in krb5 auth should result in offline operation, not failure
* https://fedorahosted.org/sssd/ticket/2592
  ccname_file_dummy is not unlinked on error
* https://fedorahosted.org/sssd/ticket/2613
  sysdb sudo search doesn't escape special characters
* https://fedorahosted.org/sssd/ticket/2625
  Sudo responder does not respect filter_users and filter_groups
* https://fedorahosted.org/sssd/ticket/2643
  autofs provider fails when default_domain_suffix and
  use_fully_qualified_names are set
* https://fedorahosted.org/sssd/ticket/2634
  sssd nss responder gets wrong number of secondary groups
* https://fedorahosted.org/sssd/ticket/2644
  ignore_group_members doesn't work for subdomains
* https://fedorahosted.org/sssd/ticket/2659
  IPA enumeration provider crashes
* https://fedorahosted.org/sssd/ticket/2663
  id lookup for non-root domain users doesn't return all groups on
  first attempt
* https://fedorahosted.org/sssd/ticket/2681
  SSSD cache is not updated after user is deleted from ldap server
* https://fedorahosted.org/sssd/ticket/2744
  cleanup_groups should sanitize dn of groups
* https://fedorahosted.org/sssd/ticket/2800
  Relax POSIX check
* https://fedorahosted.org/sssd/ticket/2803
  Memory leak / possible DoS with krb auth
* https://fedorahosted.org/sssd/ticket/2792
  SSSD is not closing sockets properly
* https://fedorahosted.org/sssd/ticket/2888
  SRV lookups with id_provider=proxy and auth_provider=krb5
* https://fedorahosted.org/sssd/ticket/2865
  sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64
  (RHEL6.7) when trying to retrieve non-existing netgroups
* https://fedorahosted.org/sssd/ticket/2682
  sudoOrder not honored as expected
== Detailed Changelog ==
Adam Tkac (1):
* Option filter_users had no effect for retrieving sudo rules
Aron Parsons (1):
* autofs: fix 'Cannot allocate memory' with FQDNs
Dan Lavu (1):
* MAN: page edit for ldap_use_tokengroups
Daniel Hjorth (1):
* LDAP: unlink ccname_file_dummy if there is an error
Jakub Hrozek (8):
* Updating the version for the 1.11.8 development
* IPA: Use GC for group lookups in server mode
* LDAP: Do not clobber return value when multiple controls are returned
* PAC: krb5_pac_verify failures should not be fatal
* LDAP: return after tevent_req_error
* KRB5: Go offline in case of clock skew
* Download complete groups if ignore_group_members is set with tokengroups
* DP: Set extra_value to NULL for enum requests
Jan Engelhardt (1):
* build: call AC_BUILD_AUX_DIR before anything else
Lukas Slebodnik (16):
* Revert "LDAP: Change defaults for ldap_user/group_objectsid"
* LDAP: Disable token groups by default
* sss_client: Extract destroying of mmap cache to function
* sss_client: Fix race condition in memory cache
* PROXY: Fix use after free
* pysss_nss_idmap: Use wrapper for older python
* MONITOR: Fix double free
* TEST: Test empty results from functions sysdb_search_*
* SDAP: Do not set gid 0 twice
* nss: Do not ignore default value of SYSDB_INITGR_EXPIRE
* SDAP: Set initgroups expire attribute at the end
* SDAP: Remove user from cache for missing user in LDAP
* LDAP: Sanitize group dn before using in filter
* LDAP: Fix leak of file descriptors
* BUILD: Accept krb5 1.14 for building the PAC plugin
* BUILD: Fix linking issues on debian
Michal Zidek (1):
* LDAP: Change defaults for ldap_user/group_objectsid
Nalin Dahyabhai (1):
* Accept krb5 1.13 for building the PAC plugin
Nikolai Kondrashov (1):
* build: Don't install ad and ipa man pages unnecessarily
Pavel Březina (4):
* IPA: use ipaUserGroup object class for groups
* enumeration: fix talloc context
* sudo: sanitize filter values
* sudo: use "higher value wins" when ordering rules
Pavel Reichl (14):
* LDAP: retain external members
* SDAP: return after tevent_req_error
* sudo: return after tevent_req_error
* monitor: use-after-free bugfix
* monitor: monitor_kill_service - refactor
* monitor: memory-leak bug
* SYSDB: sysdb_search_entry fix memory leak
* SYSDB: sysdb_search_custom fix memory leak
* TESTS: sysdb_search_return_ENOENT - check mem leaks
* SDAP: Relax POSIX check
* NSS: sysdb_getnetgr check return value first
* NSS: sysdb_getnetgr refactor
* NSS: fix memory leak in sysdb_getnetgr
* NSS: Fix memory leak netgroup
Petr Cech (1):
* KRB5: Adding DNS SRV lookup for krb5 provider
Simo Sorce (1):
* Signals: Remove unused functions
Stephen Gallagher (2):
* monitor: Service restart fixes
* UTIL: Do not change SSSD domains in get_domains_head
Sumit Bose (2):
* memberof: check for empty arrays to avoid segfaults
* ldap: use proper sysdb name in groups_by_user_done()
Thomas Oulevey (1):
* Fix memory leak in sssdpac_verify()