=== SSSD 1.11.2 ===
The SSSD team is proud to announce the release of version 1.11.2 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19, 20 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* A new option ad_access_filter was added. This option allows the administrator to easily configure an LDAP search filter that users logging in must match in order to be granted access
* Group resolution now supports resolving group members from different trusted AD domains in a single forest
* A bug that prevented a configuration file with trailing spaces from being loaded was fixed
* SSSD no longer crashes if the LDAP connection is terminated while LDAP requests are still in progress
* Several important bugs related to the Global Catalog support were fixed:
  * SSSD now correctly falls back to LDAP lookups in case the Global Catalog is not reachable
  * If the AD servers were specified using the ad_server option and not autodiscovered, server fail over did not work correctly with 1.11.1
== Feature removal ==
* The Kerberos provider is no longer able to create public directories when evaluating the krb5_ccachedir option. This is a backwards-incompatible change. Creating public directories is something the system administrator should perform in order for the directories to have the correct permissions and allow the authentication daemon to create user directories as private only.
== Documentation Changes ==
* The decimal debug levels are now recommended instead of the advanced hexadecimal levels which are more suitable for developers
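An added sssd.conf fragment (written for this page, not taken from the release or the SSSD project's own documentation) that puts the items above together: the new ad_access_filter restricting logins to one AD group, a krb5_ccachedir whose shared parent the administrator creates in advance so SSSD only has to create private per-user subdirectories, and a decimal debug_level. The domain name, group DN, server name and paths are assumptions.

```ini
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
# ad_access_filter only takes effect when the access provider is "ad"
access_provider = ad

# Only members of this group (assumed DN) may log in; everyone else is
# refused at the PAM account stage even though they resolve via NSS.
ad_access_filter = (memberOf=cn=linux-admins,ou=groups,dc=example,dc=com)
# Per-domain form documented in sssd-ad(5), shown for comparison:
# ad_access_filter = DOM:example.com:(memberOf=cn=linux-admins,ou=groups,dc=example,dc=com)

# Explicitly listed DC (assumed name); 1.11.2 fixes fail over for this case.
ad_server = dc1.example.com

# SSSD 1.11.2 creates only private (user-owned) directories here, so the
# shared parent /var/tmp/krb5cc must already exist with permissions set by
# the administrator (for example via tmpfiles.d); %u expands to the user name.
krb5_ccachedir = /var/tmp/krb5cc/%u

# Decimal levels are now the recommended form (0-9); 6 logs function calls
# and operation details without the developer-oriented hex bitmask.
debug_level = 6
```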
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1968 Memory grows if subdomain goes away in the AD provider
https://fedorahosted.org/sssd/ticket/2030 getent response requires sssd restart after trust add
https://fedorahosted.org/sssd/ticket/2064 ad: unable to resolve membership when user is from different domain than group
https://fedorahosted.org/sssd/ticket/2071 Ccache directory creation leads to unexpected results
https://fedorahosted.org/sssd/ticket/2082 [RFE] Add a new option ad_access_filter
https://fedorahosted.org/sssd/ticket/2092 Group lookup is not returned immediately after service startup
https://fedorahosted.org/sssd/ticket/2100 sudo responder does not support specifying just one of sudoNotBefore/sudoNotAfter
https://fedorahosted.org/sssd/ticket/2101 Use idrange of forest root if there is none for a member domain and type is ipa-ad-trust-posix
https://fedorahosted.org/sssd/ticket/2104 AD provider should fall back to LDAP if Global Catalog is not reachable
https://fedorahosted.org/sssd/ticket/2105 Do not show 'Could not add new domain' error messages if ldap_id_mapping=false
https://fedorahosted.org/sssd/ticket/2112 Coverity reported potential NULL dereference
https://fedorahosted.org/sssd/ticket/2116 SID lookups are not handled if noexist_delete flag is set
https://fedorahosted.org/sssd/ticket/2121 ipa ad trusted user lookups failed with sssd_be crash
https://fedorahosted.org/sssd/ticket/2123 Creating system accounts on an IdM client takes up to 10 minutes when AD trust is configured in the IdM
https://fedorahosted.org/sssd/ticket/2124 sssd_nss exited abnormally and generated core files
https://fedorahosted.org/sssd/ticket/2126 sssd_be segfault when authenticating against active directory
https://fedorahosted.org/sssd/ticket/2131 NSS responder doesn't qualify memberuid and ghost users of groups that contain members from different domains
== Detailed Changelog ==
Jakub Hrozek (23):
* Updating the version for the 1.11.2 release
* krb5: Fix unit tests
* INI: Disable line-wrapping functionality
* KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user
* PROXY: Fix memory hierarchy when enumerating services
* Inherit ID limits of parent domains if set
* SYSDB: Add sysdb_delete_by_sid
* LDAP: Delete entry by SID if not found
* LDAP: Amend sdap_access_check to allow any connection
* LDAP: Parse FQDN into name/domain for subdomain users
* AD: Add a new option ad_access_filter
* AD: Use the ad_access_filter if it's set
* AD: Search GC by default during access control, fall back to LDAP
* AD: Add extended access filter
* TEST: Test getgrnam with emphasis on members
* NSS: Print FQDN for groups with mixed domain membership
* KRB5: Handle ERR_CHPASS_FAILED
* NSS: Fix service enumeration
* MAN: Document that krb5 directories can only be created as private
* LDAP: Check all search bases during nested group processing
* NSS: Fix parenthesis
* AD: Fix ad_access_filter parsing with empty filter
* Updating translation for the 1.11.2 release

Lukas Slebodnik (9):
* LDAP: Set default value for dyndns update to false
* krb5: Remove warning dereference of a null pointer
* krb5: Use right function to free data.
* AD: Prefer GC port from SRV record
* AD: fall back to LDAP if GC is not available.
* tests: Use right format string for type size_t
* Makefile: Add missing libraries
* Makefile: Remove unused variable TEST_MOCK_OBJ
* LDAP: Return correct error code

Pavel Březina (23):
* sudo: allow specifying only one time restriction
* sudo: improve time restrictions debug messages
* nss: wait for initial subdomains request to finish
* subdomains: first destroy ptask then remove sdom
* dp: make subdomains refresh interval configurable
* dp: store list of ongoing requests
* utils: add ERR_DOMAIN_NOT_FOUND error code
* dp: set request domain
* dp: add function to terminate request of specific domain
* dp: free sdap domain if subdomain is removed
* be_ptask: add be_ptask_create_sync()
* dp: convert cleanup task to be_ptask
* ipa: destroy cleanup task when subdomain is removed
* ad: destroy ptasks when subdomain is removed
* sdap_save_user: try to determine domain by SID
* sdap_save_group: try to determine domain by SID
* free sid obtained from sss_idmap_unix_to_sid()
* ad: shortcut if possible during get object by ID or SID
* sdap: store base dn in sdap_domain
* sdap: add sdap_domain_get_by_dn()
* ghosts: pick correct domain for every member
* sdap_fill_memberships: pick correct domain for every member
* nested groups: pick correct domain for cache lookups

Simo Sorce (1):
* krb5: Remove ability to create public directories

Stephen Gallagher (4):
* SYSDB: Fix incorrect DEBUG message
* MAN: Clarify debug level documentation
* MAN: Reflow debug_levels.xml
* BUILD: Update bashrc macros
Sumit Bose (17):
* AD: properly initialize GC from ad_server option
* LDAP: handle SID requests if noexist_delete is set
* IPA server mode: properly initialize ext_groups
* idmap: add internal function to free a domain struct
* idmap: fix a memory leak if a collision is detected
* idmap: allow ranges with external mapping to overlap
* sdap_idmap: add sdap_idmap_get_configured_external_range()
* sdap_idmap: properly handle ranges for external mappings
* Add unconditional online callbacks
* IPA: add callback to reset subdomain timeouts
* sdap_get_generic_ext_send: check if we are still connected
* find_subdomain_by_sid: skip domains with missing domain_id
* idmap: add sss_idmap_domain_by_name_has_algorithmic_mapping()
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
* IPA: add trusted domains with missing idrange
* ad_subdom_store: check ID mapping of the domain not of the parent
* be_spy_create: free be_req and not the long living data
On Thu, 2013-10-31 at 00:25 +0100, Jakub Hrozek wrote:
> == Feature removal ==
> - The Kerberos provider is no longer able to create public directories when evaluating the krb5_ccachedir option. This is a backwards-incompatible change. Creating public directories is something the system administrator should perform in order for the directories to have the correct permissions and allow the authentication daemon to create user directories as private only.
Just a little note about this. The reason why the feature was removed is that it was impossible to determine when the admin wanted a public vs private dir w/o changing the format, so we thought it better to avoid the situation entirely.
If anyone was relying on this behavior (unlikely) to create dirs in tmpfs-like filesystems, they can instead use the tmpfiles.d(5) facility on Fedora and elsewhere to automatically create directories with whatever ownership and permissions at boot time.
HTH, Simo.