The SSSD team is proud to announce the seventh beta release of version
1.9 of the System Security Services Daemon.
This is a bugfix-only release; no new features were added in this
version. This release was originally planned to be a Release Candidate;
however, we are still actively working on fixing several crasher bugs.
A proper Release Candidate will be released once we fix the known
crashes. After that point we will focus on further stabilization
until the final 1.9.0 release, which is tentatively scheduled for
September 13, although that release date will probably slip by a couple of
days.
As always, you can download the latest sources at
https://fedorahosted.org/sssd/
== Highlights ==
* Fixed security bug CVE-2012-3462: HBAC rules were ignored when the
SELinux login context support was enabled
* Mutexes in the nss_sss module are now released correctly if one thread
in a multithreaded application is cancelled while the mutex is locked
* The failover code works correctly when the IPA provider is not able to
establish a GSSAPI-encrypted connection to an IPA server
* The SSSD correctly accepts -1 as a valid value of the shadow attributes
* When the SSSD is unable to resolve a host name, it now tries the next
configured server instead of going offline
* The default SELinux login context for IPA users was changed to unconfined_t
when there are no rules on the server
* A file descriptor leak in cases where the SSSD was unable to establish an SSL
connection to an LDAP server was fixed
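As an added illustration of the nss_sss mutex fix above (example code written for this announcement, not SSSD's own; it uses the PTHREAD_MUTEX_ROBUST attribute named in the changelog and a constructed lock called cache_lock): a thread that terminates while holding an ordinary mutex leaves every later caller stuck, whereas a robust mutex hands the lock to the next caller with EOWNERDEAD so it can recover and carry on.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>

/* Constructed demo (not SSSD code): one lock shared by client threads. */
static pthread_mutex_t cache_lock;

/* Takes the lock and terminates while holding it, standing in for a thread
 * cancelled inside a locked nss_sss call. */
static void *holder_dies(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&cache_lock);
    pthread_exit(NULL); /* never unlocks */
}

/* Tries the lock afterwards. trylock is used so the non-robust case reports
 * EBUSY instead of blocking forever, which is the deadlock the fix removes. */
static void *waiter(void *arg)
{
    int *seen = arg;
    *seen = pthread_mutex_trylock(&cache_lock);
    if (*seen == EOWNERDEAD)  /* lock recovered from a dead owner */
        pthread_mutex_consistent(&cache_lock); /* else it becomes unusable */
    if (*seen == 0 || *seen == EOWNERDEAD)
        pthread_mutex_unlock(&cache_lock);
    return NULL;
}

/* Run the scenario with the given robustness attribute and return the code
 * the waiter saw: EOWNERDEAD = lock recovered, EBUSY = stuck behind a dead owner. */
int run_scenario(int robustness)
{
    pthread_mutexattr_t attr;
    pthread_t t1, t2;
    int seen = -1;

    pthread_mutexattr_init(&attr);
    pthread_mutexattr_setrobust(&attr, robustness);
    pthread_mutex_init(&cache_lock, &attr);
    pthread_mutexattr_destroy(&attr);
    pthread_create(&t1, NULL, holder_dies, NULL);
    pthread_join(t1, NULL); /* owner is gone, lock still "held" */
    pthread_create(&t2, NULL, waiter, &seen);
    pthread_join(t2, NULL);
    pthread_mutex_destroy(&cache_lock); /* EBUSY in the stalled case, ignored */
    return seen;
}
```

Build with -pthread on Linux; run_scenario(PTHREAD_MUTEX_STALLED) shows the pre-fix behaviour and run_scenario(PTHREAD_MUTEX_ROBUST) the fixed one.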
== Packaging Changes ==
* A new Python wrapper around the murmur hash library has been
introduced. It is only useful to the FreeIPA server at the moment.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/734
on reconnect we need to detect that a ipa/ds server has been reinitialized
https://fedorahosted.org/sssd/ticket/1156
Do not use "goto" to jump backwards in the proxy code
https://fedorahosted.org/sssd/ticket/1194
when nesting limit is reached, the LDAP provider tries to establish link to members
outside the nesting limit
https://fedorahosted.org/sssd/ticket/1345
sssd does not warn into sssd.log for broken configurations
https://fedorahosted.org/sssd/ticket/1365
ipv6 address with square brackets doesn't work for krb5_server
https://fedorahosted.org/sssd/ticket/1388
domain.remove_provider() does not work
https://fedorahosted.org/sssd/ticket/1390
Add support for nested automount maps
https://fedorahosted.org/sssd/ticket/1393
shadow attributes should accept -1
https://fedorahosted.org/sssd/ticket/1396
Kerberos validation algorithm is insufficient for cross-realm trusts
https://fedorahosted.org/sssd/ticket/1415
Group lookups no longer work when fastcache cannot be initialized
https://fedorahosted.org/sssd/ticket/1416
sssd_be crashes on using inappropriate keytab file
https://fedorahosted.org/sssd/ticket/1430
Password change prompt doesn't appear when "User must change password on next
logon" is set for an AD user.
https://fedorahosted.org/sssd/ticket/1436
LOCAL domain lookups don't work
https://fedorahosted.org/sssd/ticket/1446
sssd does not try another server when unable to resolve hostname
https://fedorahosted.org/sssd/ticket/1447
Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted
LDAP connection
https://fedorahosted.org/sssd/ticket/1453
proxy provider: value stored to status is never read in get_pw_name
https://fedorahosted.org/sssd/ticket/1455
SELinux code must fall back to default only if there are no rules on the server
https://fedorahosted.org/sssd/ticket/1456
Attempt to close the same file stream twice
https://fedorahosted.org/sssd/ticket/1457
Insecure temporary file in IPA subdomain provider
https://fedorahosted.org/sssd/ticket/1459
SRV servers are always marked as backup
https://fedorahosted.org/sssd/ticket/1460
SSSD thread issue can cause the application to not get any identity information
https://fedorahosted.org/sssd/ticket/1470
FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user
context
https://fedorahosted.org/sssd/ticket/1472
Duplicate detection in fail over does not work
https://fedorahosted.org/sssd/ticket/1478
ldap_autofs_* options missing from /usr/share/sssd/sssd.api.d/sssd-ldap.conf
https://fedorahosted.org/sssd/ticket/1480
1.9.0b6 does not build with SELinux disabled
https://fedorahosted.org/sssd/ticket/1488
Segfault in IPA subdomain provider
https://fedorahosted.org/sssd/ticket/1490
SSSD does not close TCP connections when SSL fails
https://fedorahosted.org/sssd/ticket/1491
Consolidate functions that make a realm upper-case
https://fedorahosted.org/sssd/ticket/1492
There is no /etc/selinux/targeted/logins on RHEL5
https://fedorahosted.org/sssd/ticket/1500
SSSD's default ccache location needs to be updated (again), and the man pages
should reflect it
== Detailed Changelog ==
Ariel Barria (1):
* SIGUSR2 should force SSSD to reread resolv.conf as well
Jakub Hrozek (32):
* Bumping version for the 1.9.0 release
* Don't call fo_set_{server,port}_status for SRV servers
* Fix the version number
* SYSDB: Check the return value
* SYSDB: Use ldb_msg_add_string for simple string additions
* Failover: Return last tried server if it's still being tried
* Subdomains: Send the DP reply in the correct format
* Always mark SRV servers as primary
* Allocate on top of a talloc context, not NULL
* Abort PAM access phase if HBAC does not return PAM_SUCCESS
* Change default for ldap_idmap_range_min to 200000
* Don't use server after SRV data collapsed
* Document entry_cache_autofs_timeout
* Add autofs-related options to configAPI
* sss_client: Group lookups should work even when fastcache cannot be initialized
* FO: Don't retry the same server if it's not working
* FO: Return EAGAIN if there are more servers to try
* KRB5: Only return PAM error for unreachable kpasswd when performing chpass
* Build SELinux code in responder conditionally
* Do not try to remove the temp login file if already renamed
* Only create the SELinux login file if there are mappings on the server
* Fix compilation error in Python murmurhash bindings
* Process all groups from a single nesting level
* Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
* RPM: Switch the default ccache location
* RPM: Always include the patch file
* Check if the SELinux login directory exists
* SYSDB: Commit transaction in sysdb_store_user
* SYSDB: Abort unit test if sysdb_getpwnam fails
* Retry the next server if bind during LDAP auth times out
* Don't terminate the same connection twice
* Update translations for 1.9.0 beta 7 release
Jan Cholasta (3):
* SSH: Return error code in SSH utility functions
* SSH: Simplify public key formatting function
* SSH: Add support for OpenSSH-style public keys
Michal Zidek (10):
* Return value of fread in src/tools/sss_debuglevel.c no longer ignored.
* Change default value of ldap_sasl_string to host/hostname@REALM in man page.
* SRV resolution for backup servers should not be permitted.
* When ldap_group_nesting_level was reached, the LDAP provider tried to link group
members with groups outside nesting limit.
* Duplicate detection in fail over did not work.
* Typo in debug message (SSSd -> SSSD).
* Unify usage of sysdb transactions
* Fix: IPv6 address with square brackets doesn't work.
* Adding -std=gnu99 flag.
* Unify usage of sysdb transactions (part 2).
Nick Guay (1):
* remove duplicate sss_obfuscate reference in seealso manpage section
Ondrej Kos (5):
* Removed unused variable assignment
* Replaced "id_max" & "id_min"
* Backward GOTOs rewritten into do-while loops.
* AD context was set to null due to type mismatch
* Consolidation of functions that make realm upper-case
Pavel Březina (12):
* tests: build sysdb ssh tests conditionally
* shadow attributes can contain -1
* Add end of line to debug message
* monitor: set debug level when unable to load configuration
* Remove redefinition of some SYSDB_* macros
* Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC
* Remove SYSDB_SUDO_CACHE_OC from attribute lists
* Fix LOCAL domain lookups
* Close LDAP connection when unable to install TLS
* Unbreak build on RHEL5: replace ldap_destroy() with ldap_unbind_ext()
* Remove compilation warning: ret may be uninitialized
* Clean up cache on server reinitialization
Stephen Gallagher (6):
* SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider()
* IPA: Do not attempt to close the same file twice
* IPA: Securely set umask for mkstemp in subdomain provider
* MAN: Fix minor typo in ldap_search_base section
* MAN: Improve description of ldap_*_search_base options
* SYSDB: Make sysdb_attrs_get_el_int() public
Sumit Bose (5):
* Add python bindings for murmurhash3
* accept_fd_handler: add missing return
* Fix fallback in validate_tgt()
* Use new debug levels in validate_tgt()
* Check flat names when searching for sub-domains as well
Yuri Chornoivan (1):
* Fix various typos in documentation.