Hi,
I would really like to release 1.15.3 soon (like, today, at worst
tomorrow if we can't merge PR #328 and #331 today). The release notes
are here:
https://pagure.io/fork/jhrozek/SSSD/docs
You can either clone the repo and run 'make html' or, for your
convenience, I'm pasting the RST-formatted release notes below:
SSSD 1.15.3
===========
Highlights
----------
New Features
^^^^^^^^^^^^
* In a setup where an IPA domain trusts an Active Directory domain,
it is now possible to `define the domain resolution order
<http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names>`_.
Starting with this version, SSSD is able to read and honor the domain
resolution order, providing a way to resolve Active Directory users by
just their short name. SSSD also supports a new option
``domain_resolution_order``, applicable in the ``[sssd]`` section,
that allows configuring short names for AD users in a setup with
``id_provider=ad`` or in a setup with an older IPA server that doesn't
support the ``ipa config-mod --domain-resolution-order``
configuration option. It is also now possible to set
``use_fully_qualified_names=False`` in a subdomain configuration, but
please note that user and group output from trusted domains will
always be qualified to avoid conflicts.
* Design page - `Shortnames in trusted domains
<https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>`_
* SSSD ships with a new service called KCM. This service acts as
storage for Kerberos tickets when ``libkrb5`` is configured to use
``KCM:`` in ``krb5.conf``. Compared to other Kerberos credential
cache types, KCM is better suited for containerized environments and,
because the credential caches are managed by a stateful daemon, future
releases will also be able to renew tickets acquired outside SSSD
(e.g. with ``kinit``) or provide notifications about ticket changes.
* Design page - `KCM server for SSSD
<https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>`_
* `NOTE`: There are several known issues in the ``KCM`` responder that
will be handled in the next release, such as
`issues with very large tickets <https://pagure.io/SSSD/sssd/issue/3386>`_
or `tracking the SELinux label of the peer
<https://pagure.io/SSSD/sssd/issue/3434>`_
* Support for user and group resolution through the D-Bus interface and
authentication and/or authorization through the PAM interface even
for setups without UIDs or Windows SIDs present on the LDAP directory
side. This enhancement allows SSSD to be used together with `apache
modules <https://github.com/adelton/mod_lookup_identity>`_ to provide
identities for applications.
* Design page - `Support for non-POSIX users and groups
<https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>`_
* SSSD ships a new public library called ``libsss_certmap`` that allows
a flexible and configurable way of mapping a certificate to a user
identity. This is required e.g. in environments where it is not possible
to add the certificate to the LDAP user entry, because the certificates
are issued externally or the LDAP schema cannot be modified. Additionally,
specific matching rules allow a specific certificate on a smart card to
be selected for authentication.
* Design page - `Matching and Mapping Certificates
<https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certi...
* The Kerberos locator plugin can be disabled using an environment variable
``SSSD_KRB5_LOCATOR_DISABLE``. Please refer to the
``sssd_krb5_locator_plugin`` manual page for more details.
* The ``sssctl`` command line tool supports a new command ``user-checks``
that enables the administrator to check whether a certain user should be
allowed or denied access to a certain PAM service.
* The ``secrets`` responder now forwards requests to a proxy Custodia
back end over a secure channel.
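As an added example (not code from SSSD or from these release notes), the following Python script models the short-name lookup rules described above: it reads a constructed ``sssd.conf`` snippet with ``configparser``, tries the domains in ``domain_resolution_order``, and always qualifies output for users from trusted domains, regardless of ``use_fully_qualified_names``. The domain names, the directory contents, the treatment of a ``[domain/parent/child]`` section as a trusted domain, and the rule that unlisted domains are tried after the listed ones are assumptions made for the example.

```python
"""Model of short-name lookups under domain_resolution_order.

Added example (not SSSD code): a constructed sssd.conf snippet is read with
configparser and the lookup rules the release notes describe are applied.
Assumptions: the option is a comma-separated list in [sssd]; domains not
listed are tried after the listed ones; a subdomain section
[domain/parent/child] marks a trusted domain.
"""
import configparser

# Constructed configuration: an IPA client with one trusted AD domain.
SSSD_CONF = """
[sssd]
domains = ipa.example.com
domain_resolution_order = ad.example.com, ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
use_fully_qualified_names = False

[domain/ipa.example.com/ad.example.com]
use_fully_qualified_names = False
"""

# Constructed directory contents (name -> uid).  'bob' exists in both domains,
# which is exactly the conflict the resolution order has to settle.
DIRECTORY = {
    "ipa.example.com": {"alice": 1001, "bob": 1002},
    "ad.example.com": {"bob": 2001, "carol": 2002},
}


def parse_conf(text):
    """Return (resolution_order, {domain: {"trusted": bool, "fqn": bool}})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get("sssd", "domain_resolution_order", fallback="")
    order = [d.strip() for d in raw.split(",") if d.strip()]
    domains = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            parts = section.split("/")[1:]
            domains[parts[-1]] = {
                "trusted": len(parts) > 1,
                "fqn": cp.getboolean(section, "use_fully_qualified_names", fallback=True),
            }
    return order, domains


def lookup_order(order, domains):
    """Listed domains first, then every configured domain not listed."""
    return [d for d in order if d in domains] + [d for d in domains if d not in order]


def resolve(name, conf_text=SSSD_CONF, directory=DIRECTORY):
    """Resolve 'user' or 'user@domain'; return (output_name, uid) or None."""
    order, domains = parse_conf(conf_text)
    if "@" in name:
        short, dom = name.rsplit("@", 1)
        candidates = [dom] if dom in domains else []
    else:
        short, candidates = name, lookup_order(order, domains)
    for dom in candidates:
        uid = directory.get(dom, {}).get(short)
        if uid is None:
            continue
        # Output from trusted domains is always qualified, regardless of
        # use_fully_qualified_names, so two 'bob's can never be confused.
        qualify = domains[dom]["trusted"] or domains[dom]["fqn"]
        return (f"{short}@{dom}" if qualify else short), uid
    return None


if __name__ == "__main__":
    for query in ("bob", "alice", "carol", "bob@ipa.example.com", "dave"):
        print(f"{query:22} -> {resolve(query)}")
```

Running the script shows the effect of the order: ``bob`` resolves to the AD user and is printed as ``bob@ad.example.com``, while ``alice`` stays a bare IPA name. Remove the ``domain_resolution_order`` line from the snippet and the same query returns the IPA ``bob`` instead, which is the conflict ticket #3403 is about.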
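The ``libsss_certmap`` rule language referred to above can be illustrated with the following added Python model; it is not ``libsss_certmap`` itself and not part of these release notes. It evaluates matching rules built from ``<KU>``, ``<EKU>``, ``<SUBJECT>`` and ``<ISSUER>`` parts, and expands ``LDAP:`` mapping rules such as the default ``LDAP:(userCertificate;binary={cert!bin})`` into a search filter, escaping certificate-controlled text so it cannot alter the filter. The certificates are constructed dictionaries of already-decoded fields with dummy DER bytes; the RFC 4514 ordering of DN strings and the placeholder names are assumptions taken from the ``sss-certmap`` manual page.

```python
"""Toy evaluator for sss-certmap matching and mapping rules.

Added example, not libsss_certmap itself.  It models the two rule kinds the
release notes mention: matching rules built from <KU>, <EKU>, <SUBJECT> and
<ISSUER> parts (all parts must hold), and LDAP: mapping rules whose {..}
placeholders are filled from the certificate.  Certificates are constructed
dicts of already-decoded fields; a real consumer would parse DER.  Assumptions:
DN strings are in RFC 4514 order (most specific RDN first) and the placeholder
names follow the sss-certmap manual page.
"""
import base64
import re

_TAG_RE = re.compile(r"<(KU|EKU|SUBJECT|ISSUER)>")


def parse_match_rule(rule):
    """'<KU>digitalSignature<EKU>clientAuth' -> [('KU', ...), ('EKU', ...)]."""
    tags = list(_TAG_RE.finditer(rule))
    if not tags or tags[0].start() != 0:
        raise ValueError("matching rule must start with <KU>, <EKU>, <SUBJECT> or <ISSUER>")
    parts = []
    for i, m in enumerate(tags):
        end = tags[i + 1].start() if i + 1 < len(tags) else len(rule)
        parts.append((m.group(1), rule[m.end():end]))
    return parts


def cert_matches(cert, rule):
    """True only if every part of the matching rule holds for the certificate."""
    for tag, value in parse_match_rule(rule):
        if tag in ("KU", "EKU"):
            # Comma-separated list; every listed usage must be present.
            wanted = {v.strip() for v in value.split(",") if v.strip()}
            if not wanted <= set(cert[tag.lower()]):
                return False
        else:
            dn = cert["subject_dn"] if tag == "SUBJECT" else cert["issuer_dn"]
            if not re.search(value, dn):
                return False
    return True


def ldap_escape(value):
    """RFC 4515 escaping: certificate-controlled text must not alter the filter."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, esc)
    return value


def _placeholder(cert, name):
    field, _, conv = name.partition("!")
    if field == "cert":
        if conv == "bin":  # one \xx escape per DER byte, as in the default rule
            return "".join(f"\\{b:02x}" for b in cert["der"])
        if conv == "base64":
            return base64.b64encode(cert["der"]).decode("ascii")
        raise ValueError(f"unsupported conversion for cert: {conv!r}")
    if conv:
        raise ValueError(f"conversion {conv!r} is not modelled for {field}")
    return ldap_escape(cert[field])


def map_to_filter(cert, rule="LDAP:(userCertificate;binary={cert!bin})"):
    """Expand an LDAP: mapping rule into the search filter used to find the user."""
    if not rule.startswith("LDAP:"):
        raise ValueError("only LDAP: mapping rules are modelled")
    return re.sub(r"\{([^}]+)\}", lambda m: _placeholder(cert, m.group(1)), rule[5:])


# Constructed certificates from one smart card (DER bytes are dummies).
SIGNING_CERT = {
    "subject_dn": "CN=Alice Example,OU=Users,O=EXAMPLE.COM",
    "issuer_dn": "CN=Certificate Authority,O=EXAMPLE.COM",
    "ku": ["digitalSignature", "nonRepudiation"],
    "eku": ["emailProtection"],
    "subject_rfc822_name": "alice@example.com",
    "der": b"\x30\x82\x01\x00",
}
LOGIN_CERT = dict(SIGNING_CERT, ku=["digitalSignature", "keyEncipherment"],
                  eku=["clientAuth", "1.3.6.1.4.1.311.20.2.2"], der=b"\x30\x82\x02\x00")

# Pick the login certificate and map it without relying on userCertificate in LDAP.
LOGIN_RULE = r"<EKU>clientAuth<ISSUER>^CN=Certificate Authority,O=EXAMPLE\.COM$"
MAIL_MAPRULE = "LDAP:(mail={subject_rfc822_name})"


def select_login_certs(certs, rule=LOGIN_RULE):
    return [c for c in certs if cert_matches(c, rule)]
```

The two constructed certificates share subject and issuer, so only the ``<EKU>`` part tells them apart; that is the "select a specific certificate on a smart card" case from the notes. The ``ldap_escape`` step is the part worth keeping in mind when writing your own mapping rules: a subject DN ending up unescaped inside a filter would let a certificate author change which LDAP entry the filter matches.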
Notable bug fixes
^^^^^^^^^^^^^^^^^
* The IPA HBAC evaluator no longer relies on ``originalMemberOf``
attributes to construct the list of groups the user is a member of.
Maintaining the ``originalMemberOf`` attribute was unreliable and
was causing intermittent HBAC issues.
* A bug was fixed where, with ``enumerate=True``, the cleanup task could
erroneously remove cached users while their cache entries were being
validated.
* Several bugs related to configuration of trusted domains were fixed, in
particular handling of custom LDAP search bases set for trusted domains.
* Password changes for users from trusted Active Directory domains
were fixed.
Packaging Changes
-----------------
* A new KCM responder was added along with a manpage. The upstream
reference specfile packages the responder in its own subpackage called
``sssd-kcm`` together with a ``krb5.conf`` snippet, so that installing the
subpackage is enough to enable the ``KCM`` credential cache.
* The ``libsss_certmap`` library was packaged in a separate package. There
is also a ``libsss_certmap-devel`` subpackage in the upstream packaging.
Documentation Changes
---------------------
* ``sssd-kcm`` and ``libsss_certmap`` are documented in their own
manual pages.
* A new option ``domain_resolution_order`` was added. This option allows
specifying the lookup order (especially w.r.t. trusted domains) that sssd will
follow. Please see the `Shortnames in trusted domains
<https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>`_ design page
for more details.
* New options ``pam_app_services`` and ``domain_type`` were added. These
options limit which PAM services can reach SSSD domains that should only
be exposed to non-OS applications. For more details, refer to the
`Support for non-POSIX users and groups
<https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>`_
design page.
* The ``secrets`` responder supports several new options related to TLS
setup and handling including ``verify_peer``, ``verify_host``,
``capath``, ``cacert`` and ``cert``. These options are all described
in the ``sssd-secrets`` manual page.
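As an added example (not SSSD code and not part of these release notes), the following Python lint reads two constructed ``sssd.conf`` snippets with ``configparser`` and reports proxy back ends that undo the secure channel: ``verify_peer`` or ``verify_host`` set to false, or a plain-http ``proxy_url``. The option names ``verify_peer``, ``verify_host``, ``capath``, ``cacert`` and ``cert`` are the ones listed above; the ``[secrets/users/<uid>]`` section layout, ``provider = proxy``, ``proxy_url`` and the default of true for both ``verify_*`` options are assumptions taken from the ``sssd-secrets`` manual page.

```python
"""Lint for TLS settings of sssd-secrets proxy back ends.

Added example, not SSSD code.  It reads a constructed sssd.conf with
configparser and reports proxy sections that disable peer or host-name
verification or forward over plain http.  The option names verify_peer,
verify_host, capath, cacert and cert are the ones the release notes list;
the [secrets/users/<uid>] section layout, 'provider = proxy', 'proxy_url'
and the defaults of true for both verify_* options are assumptions taken
from the sssd-secrets manual page.
"""
import configparser
from urllib.parse import urlsplit

# Constructed: two proxy back ends that each undo the secure channel.
WEAK_CONF = """
[secrets]
provider = local

[secrets/users/48]
provider = proxy
proxy_url = https://custodia.example.com/secrets/
verify_peer = false
verify_host = false

[secrets/users/1001]
provider = proxy
proxy_url = http://custodia.example.com/secrets/
"""

# Constructed: verification on, CA pinned, client certificate for the proxy.
HARDENED_CONF = """
[secrets/users/48]
provider = proxy
proxy_url = https://custodia.example.com/secrets/
verify_peer = true
verify_host = true
cacert = /etc/pki/tls/certs/custodia-ca.pem
cert = /etc/sssd/secrets-client.pem
"""


def check_secrets_tls(conf_text):
    """Return [(section, problem), ...]; empty means every proxy section is sound."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("secrets"):
            continue
        if cp.get(section, "provider", fallback="local") != "proxy":
            continue
        url = cp.get(section, "proxy_url", fallback="")
        if urlsplit(url).scheme != "https":
            findings.append((section, "proxy_url is not https: secrets cross the network in the clear"))
        verify_peer = cp.getboolean(section, "verify_peer", fallback=True)
        if not verify_peer:
            findings.append((section, "verify_peer = false: any certificate is accepted"))
        if not cp.getboolean(section, "verify_host", fallback=True):
            findings.append((section, "verify_host = false: certificate is not tied to the proxy host name"))
        if verify_peer and not (cp.has_option(section, "cacert") or cp.has_option(section, "capath")):
            # Assumption: without cacert/capath the default CA bundle is trusted.
            findings.append((section, "no cacert/capath: proxy CA is not pinned"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_secrets_tls(conf) or "ok")
```

The weak snippet yields four findings and the hardened one none; the plain-http case is the behaviour ticket #3192 reported, and turning off ``verify_peer`` makes the TLS channel no better than it.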
Tickets Fixed
-------------
* `#3447 <https://pagure.io/SSSD/sssd/issue/#3447>`_ - files provider should not use LOCAL_pam_handler but call the backend
* `#3435 <https://pagure.io/SSSD/sssd/issue/#3435>`_ - Create a function to copy search bases between sdap_domain structures
* `#3431 <https://pagure.io/SSSD/sssd/issue/#3431>`_ - Loading enterprise principals doesn't work with a primed cache
* `#3426 <https://pagure.io/SSSD/sssd/issue/#3426>`_ - IPA client cannot change AD Trusted User password
* `#3418 <https://pagure.io/SSSD/sssd/issue/#3418>`_ - Segfault when access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer
* `#3410 <https://pagure.io/SSSD/sssd/issue/#3410>`_ - python-sssdconfig doesn't parse hexadecimal debug_level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError
* `#3408 <https://pagure.io/SSSD/sssd/issue/#3408>`_ - Accept changed principal if krb5_canonicalize=True
* `#3404 <https://pagure.io/SSSD/sssd/issue/#3404>`_ - man: Update option "ipa_server_mode=True" in "man sssd-ipa"
* `#3403 <https://pagure.io/SSSD/sssd/issue/#3403>`_ - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled
* `#3398 <https://pagure.io/SSSD/sssd/issue/#3398>`_ - MAN: The timeout option doesn't say after how many heartbeats the process will be killed
* `#3397 <https://pagure.io/SSSD/sssd/issue/#3397>`_ - ad provider: Child domains always use autodiscovered search bases
* `#3393 <https://pagure.io/SSSD/sssd/issue/#3393>`_ - sss_nss_getlistbycert() does not return results from multiple domains
* `#3391 <https://pagure.io/SSSD/sssd/issue/#3391>`_ - sss_override doesn't work with files provider
* `#3389 <https://pagure.io/SSSD/sssd/issue/#3389>`_ - subdomain_homedir is not present in cfg_rules.ini
* `#3378 <https://pagure.io/SSSD/sssd/issue/#3378>`_ - domain_to_basedn() function should use SDAP_SEARCH_BASE value from the domain code
* `#3377 <https://pagure.io/SSSD/sssd/issue/#3377>`_ - sssd-ad man page should clarify that GSSAPI is used
* `#3375 <https://pagure.io/SSSD/sssd/issue/#3375>`_ - minor typo fix that might have big impact
* `#3361 <https://pagure.io/SSSD/sssd/issue/#3361>`_ - sssd_be crashes if ad_enabled_domains is selected
* `#3359 <https://pagure.io/SSSD/sssd/issue/#3359>`_ - Allow disabling the krb5 locator plugin selectively
* `#3358 <https://pagure.io/SSSD/sssd/issue/#3358>`_ - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11
* `#3354 <https://pagure.io/SSSD/sssd/issue/#3354>`_ - ifp: Users.FindByCertificate fails when certificate contains data before encapsulation boundary
* `#3344 <https://pagure.io/SSSD/sssd/issue/#3344>`_ - Include sssd-secrets in SEE ALSO section of sssd.conf man page
* `#3343 <https://pagure.io/SSSD/sssd/issue/#3343>`_ - Properly fall back to local Smartcard authentication
* `#3340 <https://pagure.io/SSSD/sssd/issue/#3340>`_ - The option enable_files_domain does not work if sssd is not compiled with --enable-files-domain
* `#3339 <https://pagure.io/SSSD/sssd/issue/#3339>`_ - sssd failed to start with missing /etc/sssd/sssd.conf if compiled without --enable-files-domain
* `#3332 <https://pagure.io/SSSD/sssd/issue/#3332>`_ - Issue processing ssh keys from certificates in ssh responder
* `#3448 <https://pagure.io/SSSD/sssd/issue/#3448>`_ - Idle nss file descriptors should be closed
* `#3428 <https://pagure.io/SSSD/sssd/issue/#3428>`_ - getent failed to fetch netgroup information after changing default_domain_suffix to AD domain in /etc/sssd/sssd.conf
* `#3356 <https://pagure.io/SSSD/sssd/issue/#3356>`_ - Config file validator doesn't process entries from application domain
* `#3331 <https://pagure.io/SSSD/sssd/issue/#3331>`_ - Wrong pam return code for user from subdomain with
* `#3329 <https://pagure.io/SSSD/sssd/issue/#3329>`_ - Wrong principal found with ad provider and long host name
* `#3421 <https://pagure.io/SSSD/sssd/issue/#3421>`_ - Wrong search base used when SSSD is directly connected to AD child domain
* `#3406 <https://pagure.io/SSSD/sssd/issue/#3406>`_ - sssd goes offline when renewing expired ticket
* `#3394 <https://pagure.io/SSSD/sssd/issue/#3394>`_ - LDAP to IPA migration doesn't work in master
* `#3392 <https://pagure.io/SSSD/sssd/issue/#3392>`_ - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD
* `#3382 <https://pagure.io/SSSD/sssd/issue/#3382>`_ - SSSD should use memberOf, not originalMemberOf to evaluate group membership for HBAC rules
* `#3381 <https://pagure.io/SSSD/sssd/issue/#3381>`_ - Per-subdomain LDAP filter is not applied for subsequent subdomains
* `#3373 <https://pagure.io/SSSD/sssd/issue/#3373>`_ - Infopipe method ListByCertificate does not return the users with overrides
* `#3372 <https://pagure.io/SSSD/sssd/issue/#3372>`_ - crash in sssd-kcm due to a race-condition between two concurrent requests
* `#3369 <https://pagure.io/SSSD/sssd/issue/#3369>`_ - ldap_purge_cache_timeout in RHEL7.3 invalidates most of the entries once the cleanup task kicks in
* `#3362 <https://pagure.io/SSSD/sssd/issue/#3362>`_ - filter_users and filter_groups stop working properly in v 1.15
* `#3351 <https://pagure.io/SSSD/sssd/issue/#3351>`_ - User lookup failure due to search-base handling
* `#3347 <https://pagure.io/SSSD/sssd/issue/#3347>`_ - gpo_child fails when log is enabled in smb
* `#3318 <https://pagure.io/SSSD/sssd/issue/#3318>`_ - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches
* `#3310 <https://pagure.io/SSSD/sssd/issue/#3310>`_ - Support delivering non-POSIX users and groups through the IFP and PAM interfaces
* `#3050 <https://pagure.io/SSSD/sssd/issue/#3050>`_ - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts
* `#3001 <https://pagure.io/SSSD/sssd/issue/#3001>`_ - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when SSSD acts as an IPA client for server with IPA-AD trusts
* `#2887 <https://pagure.io/SSSD/sssd/issue/#2887>`_ - [RFE] KCM ccache daemon in SSSD
* `#3419 <https://pagure.io/SSSD/sssd/issue/#3419>`_ - krb5: properly handle 'password expired' information returned by the KDC during PKINIT/Smartcard authentication
* `#3407 <https://pagure.io/SSSD/sssd/issue/#3407>`_ - IPA: do not look up IPA users via extdom plugin
* `#3405 <https://pagure.io/SSSD/sssd/issue/#3405>`_ - Handle certmap errors gracefully during user lookups
* `#3395 <https://pagure.io/SSSD/sssd/issue/#3395>`_ - Properly support IPA's promptusername config option
* `#3387 <https://pagure.io/SSSD/sssd/issue/#3387>`_ - D-Bus-activated InfoPipe does not answer some initial request
* `#3385 <https://pagure.io/SSSD/sssd/issue/#3385>`_ - Smart card login fails if same cert mapped to IdM user and AD user
* `#3355 <https://pagure.io/SSSD/sssd/issue/#3355>`_ - application domain requires inherit_from and cannot be used separately
* `#3327 <https://pagure.io/SSSD/sssd/issue/#3327>`_ - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package
* `#3297 <https://pagure.io/SSSD/sssd/issue/#3297>`_ - selinux_provider fails in a container if libsemanage is not available
* `#3268 <https://pagure.io/SSSD/sssd/issue/#3268>`_ - D-Bus GetUserGroups method of sssd is always qualifying all group names
* `#3240 <https://pagure.io/SSSD/sssd/issue/#3240>`_ - Smartcard authentication with UPN as logon name might fail
* `#3210 <https://pagure.io/SSSD/sssd/issue/#3210>`_ - [RFE] Read prioritized list of trusted domains for unqualified ID resolution from IDM server
* `#3192 <https://pagure.io/SSSD/sssd/issue/#3192>`_ - [sssd-secrets] https proxy talks plain http
* `#3182 <https://pagure.io/SSSD/sssd/issue/#3182>`_ - sssd does not refresh expired cache entries with enumerate=true
* `#3065 <https://pagure.io/SSSD/sssd/issue/#3065>`_ - sssctl: distinguish between autodiscovered and joined domains
* `#2940 <https://pagure.io/SSSD/sssd/issue/#2940>`_ - The member link is not removed when the last group's nested member goes away
* `#2714 <https://pagure.io/SSSD/sssd/issue/#2714>`_ - Add SSSD domain as property to user on D-Bus
* `#1498 <https://pagure.io/SSSD/sssd/issue/#1498>`_ - sss_ssh_knownhostsproxy prevents connection if the network is unreachable via one IP address
* `#3330 <https://pagure.io/SSSD/sssd/issue/#3330>`_ - sssctl config-check does not give any error when default configuration file is not present
* `#3292 <https://pagure.io/SSSD/sssd/issue/#3292>`_ - RFE: Create troubleshooting tool to check authentication, authorization and extended attribute lookup
* `#3133 <https://pagure.io/SSSD/sssd/issue/#3133>`_ - RFE to add option to check user access in SSSD
Detailed Changelog
------------------