On Tue, Jul 25, 2017 at 08:39:59AM +0200, Lukas Slebodnik wrote:
On (24/07/17 18:34), Jakub Hrozek wrote:
>Hi,
>
>I would really like to release 1.15.3 soon (like, today, at worst
>tomorrow if we can't merge PR #328 and #331 today). The release notes
>are here:
>
>https://pagure.io/fork/jhrozek/SSSD/docs
>
>You can either clone the repo and run 'make html' or, for your
>convenience, I'm pasting the RST-formatted release notes below:
>
>SSSD 1.15.3
>===========
>
>Highlights
>----------
>
>New Features
>^^^^^^^^^^^^
> * In a setup where an IPA domain trusts an Active Directory domain,
> it is now possible to `define the domain resolution order
> <http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names>`_.
> Starting with this version, SSSD is able to read and honor the domain
> resolution order, providing a way to resolve Active Directory users by
> just their short name. SSSD also supports a new option
> ``domain_resolution_order`` applicable in the ``[sssd]`` section
> that allows configuring short names for AD users in a setup with
> ``id_provider=ad`` or in a setup with an older IPA server that doesn't
> support the ``ipa config-mod --domain-resolution-order``
> configuration option. Also, it is now possible to use
> ``use_fully_qualified_names=False`` in a subdomain configuration, but
> please note that the user and group output from trusted domains will
> always be qualified to avoid conflicts.
>
> * Design page - `Shortnames in trusted domains
> <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>`_
>
> * SSSD ships with a new service called KCM. This service acts as a
> storage for Kerberos tickets when ``libkrb5`` is configured to use
> ``KCM:`` in ``krb5.conf``. Compared to other Kerberos credential
> cache types, KCM is better suited for containerized environments and
> because the credential caches are managed by a stateful daemon, future
> releases will also allow renewing tickets acquired outside SSSD
> (e.g. with ``kinit``) or providing notifications about ticket changes.
>
Maybe we can mention that it is an optional feature and can be disabled
at configure time if users do not want additional build-time or runtime
dependencies.
Done
> * Design page - `KCM server for SSSD
> <https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>`_
>
> * `NOTE`: There are several known issues in the ``KCM`` responder that
> will be handled in the next release, such as
> `issues with very large tickets <https://pagure.io/SSSD/sssd/issue/3386>`_
> or `tracking the SELinux label of the peer
> <https://pagure.io/SSSD/sssd/issue/3434>`_
>
> * Support for user and group resolution through the D-Bus interface and
> authentication and/or authorization through the PAM interface even
> for setups without UIDs or Windows SIDs present on the LDAP directory
> side. This enhancement allows SSSD to be used together with `apache
> modules <https://github.com/adelton/mod_lookup_identity>`_ to provide
> identities for applications.
>
> * Design page - `Support for non-POSIX users and groups
> <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>`_
>
> * SSSD ships a new public library called ``libsss_certmap`` that allows
> a flexible and configurable way of mapping a certificate to a user
> identity. This is required e.g. in environments where it is not possible
> to add the certificate to the LDAP user entry, because the certificates
> are issued externally or the LDAP schema cannot be modified. Additionally,
> specific matching rules allow a specific certificate on a smart card to
> be selected for authentication.
>
> * Design page - `Matching and Mapping Certificates
> <https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certi...
>
> * The Kerberos locator plugin can be disabled using an environment variable
> ``SSSD_KRB5_LOCATOR_DISABLE``. Please refer to the
> ``sssd_krb5_locator_plugin`` manual page for more details.
>
> * The ``sssctl`` command line tool supports a new command ``user-checks``
> that enables the administrator to check whether a certain user should be
> allowed or denied access to a certain PAM service.
>
> * The ``secrets`` responder now forwards requests to a proxy Custodia
> back end over a secure channel.
>
>Notable bug fixes
>^^^^^^^^^^^^^^^^^
>
> * The IPA HBAC evaluator no longer relies on ``originalMemberOf``
> attributes to construct the list of groups the user is a member of.
> Maintaining the ``originalMemberOf`` attribute was unreliable and
> was causing intermittent HBAC issues.
>
> * A bug where the cleanup operation might erroneously remove cached users
> during their cache validation in case SSSD was set up with
> ``enumerate=True`` was fixed.
>
> * Several bugs related to configuration of trusted domains were fixed, in
> particular handling of custom LDAP search bases set for trusted domains.
>
> * Password changes for users from trusted Active Directory domains
> were fixed.
>
>Packaging Changes
>-----------------
>
> * A new KCM responder was added along with a manpage. The upstream
> reference specfile packages the responder in its own subpackage called
> ``sssd-kcm`` together with a krb5.conf snippet that enables the ``KCM``
> credentials cache simply by installing the subpackage.
>
It would be good to merge
https://github.com/SSSD/sssd/pull/244 because
/etc/krb5.conf.d/ is Fedora/EL7-specific, which is not ideal from the
upstream POV.
Done.
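The two configuration fragments below are an added example, not part of this thread or of the SSSD project's own documentation. They show what the two features discussed above look like in practice: ``domain_resolution_order`` in the ``[sssd]`` section together with ``use_fully_qualified_names=False`` in a trusted-subdomain section, and the ``krb5.conf`` setting that points ``libkrb5`` at the KCM service. The domain names ``ipa.example.com`` and ``ad.example.com`` and the server name are assumptions.

```ini
# Added example (not from the thread). Fragment 1: /etc/sssd/sssd.conf
# Domain names and the IPA server name are assumed for illustration.

[sssd]
domains = ipa.example.com
services = nss, pam

# When a short name such as "alice" is looked up, try the trusted AD
# domain first and fall back to the IPA domain. This client-side option
# is what the release notes describe for setups whose IPA server is too
# old for 'ipa config-mod --domain-resolution-order' (or for id_provider=ad).
domain_resolution_order = ad.example.com, ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa.example.com
ipa_domain = ipa.example.com

# Subdomain section for the trusted AD domain (assumed name). Short-name
# lookups are accepted, but, as the release notes warn, user and group
# output from trusted domains stays qualified (alice@ad.example.com) to
# avoid name conflicts between the two domains.
[domain/ipa.example.com/ad.example.com]
use_fully_qualified_names = False

# Fragment 2: /etc/krb5.conf (or a snippet under /etc/krb5.conf.d/ on
# distributions that use that directory). Installing the sssd-kcm
# subpackage is meant to drop an equivalent snippet in place.
[libdefaults]
default_ccache_name = KCM:
```

After restarting sssd with the first fragment, ``getent passwd alice`` should resolve the AD user by short name while still printing the qualified ``alice@ad.example.com``; with the second fragment, ``klist`` after ``kinit`` should report a ``KCM:`` cache, which only works while the ``sssd-kcm`` socket-activated service is available.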