The SSSD team is proud to announce the enhancement release 1.3.0 of the System Security Services Daemon. As usual, it can be downloaded from https://fedorahosted.org/sssd/
== Highlights ==

* Rewrote the internal LDB cache API. As a synchronous API it is now faster to access and easier to work with
* Eugene Indenbom contributed a sizeable amount of code to the LDAP provider
* We now handle failover situations much more reliably than we did previously
* If a request fails partway through (due to a remote server ceasing to function) we will now restart the conversation with the next server in the failover list
* We also will now monitor the GSSAPI Kerberos ticket and automatically renew it when appropriate, instead of waiting for a connection to fail
* Support for netlink now allows us to more quickly detect situations where we may have come online
* New option dns_discovery_domain allows better configuration for using SRV records for failover
* Fixes to the HBAC backend for obsolete or removed HBAC entries
* Improvements to log messages around TLS and GSSAPI for LDAP
* Support for building in environments using --as-needed LDFLAGS
* Vast performance improvement for initgroups on RFC2307 LDAP servers
* Long-running SSSD clients (e.g. GDM) will now reconnect properly to the daemon if SSSD is restarted
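An added example, not part of the announcement and not configuration shipped by the SSSD project, showing how the SRV-based failover and LDAP access-control options named above fit together in sssd.conf. Setting ldap_uri and krb5_server to _srv_ makes the providers discover servers from DNS SRV records, dns_discovery_domain selects the DNS domain those records are looked up in, and access_provider = ldap with ldap_access_filter denies login to any LDAP user not matching the filter. The domain name, search base, realm, group DN and keytab path are placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Discover LDAP servers from _ldap._tcp.example.com SRV records instead of
# a fixed host list; dns_discovery_domain is the domain those records live in.
ldap_uri = _srv_
dns_discovery_domain = example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307

# Bind with GSSAPI using the host keytab; SSSD renews the ticket on its own.
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_ticket_lifetime = 86400

# Deny by default: only entries matching this filter may log in.
# Placeholder group DN.
ldap_access_filter = (memberOf=cn=ssh-users,ou=groups,dc=example,dc=com)

# Kerberos KDCs are discovered from _kerberos._udp/_tcp SRV records as well.
krb5_realm = EXAMPLE.COM
krb5_server = _srv_
cache_credentials = true
```

With this layout, a KDC or LDAP server going away is handled by the failover code rather than by the client timing out, and an account that exists in LDAP but is not in the named group is refused by the access provider, which is the check to verify before trusting the filter in production.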
== Detailed Changelog ==

Alexander Gordeev (1):
* Add explicit requests for several operational attrs
David O'Brien (1):
* Copy-edit and format review sssd.conf
Dmitri Pal (16):
* Adding metadata interface
* Adding content to the metadata
* Resolve paths for reporting purposes
* Access control and config change checks
* Add ability to trace 64bit numbers
* Fixing spec file to match version.
* Fixing build
* Code restructuring
* Extending refarray interface
* Introducing a comment object
* Adding support for explicit 32/64 types (attempt 2).
* Addressing initialization issues.
* Fixing types in queue and stack interfaces
* Fixing memory leaks in the unit test.
* Fixing NULL dereferencing in ini_config
* Memory leak in case of empty value
Héctor Daniel Cabrera (3):
* Updating ES translation
* Updating es translation
* Updating es translation
Jakub Hrozek (37):
* Treat server names as case-insensitive in failover code
* Do not mark a request as failed twice
* Sort SRV replies according to RFC 2782
* Remove freed server_common entities from list
* Support SRV servers in failover
* Silence warnings with -O2
* Fix uninitialized variable
* Add a README file
* Use all available servers in LDAP provider
* Improve the offline authentication message
* Fix memory hierarchy in the ipa timerules
* Use service discovery in backends
* SSSDConfigAPI fixes
* Try all servers during Kerberos auth
* Remove dead code from the PAM responder
* Man page fixes
* Don't return uninitialized value in proxy provider
* Skip empty attributes with warning
* Fix realm_str dereference
* Fix potential NULL dereference in fail_over.c
* Fix Incorrect NULL check in get_server_common()
* Add missing break to switch statement
* get_uid_from_pid should use fstat rather than lstat
* Remove krb5_changepw_principal option
* Remove the -g option from useradd
* Fix potential resource leak in copy_tree_ctx()
* Potential memory leak in _nss_sss_*_r()
* Check closedir call in find_uid
* Print correct return code
* Resend SIGINT as SIGTERM in services
* Add dns_discovery_domain option
* Use netlink to detect going online
* Fix getting default realm in the ldap child
* Validate keytab at startup
* Fix two problems with --as-needed
* Fix check_time_rule() return value on failure
* Return proper error value when SRV lookup fails
Petter Reinholdtsen (2):
* Allow Debian/Ubuntu build to pass --install-layout=deb to setup.py
* Remove bash-isms from configure macros
Piotr Drąg (2):
* Update Polish translation
* Updating pl translation
Rui Gouveia (2):
* Updating pt translation
* Update pt translation
Simo Sorce (45):
* sysdb: start conversion from async to sync
* sysdb: use sysdb_delete_entry in recursive delete
* sysdb: convert sysdb_delete_custom
* sysdb: convert sysdb_search_entry and sysdb_delete_recursive
* sysdb: convert sysdb_search_user_by_name/uid
* sysdb: convert sysdb_search_group_by_name/gid
* sysdb: convert sysdb_set_entry/user/group_attr
* sysdb: convert sysdb_get_new_id
* sysdb: convert sysdb_store/add(_basic)_user
* sysdb: convert sysdb_store/add(_basic)_group
* sysdb: convert sysdb_mod/add/remove_group_member
* sysdb: convert sysdb_cache_password
* sysdb: convert sysdb_search_custom
* sysdb: convert sysdb_store_custom
* sysdb: convert sysdb_asq_search
* sysdb: remove sldb_request_send, not used anymore
* sysdb: convert sysdb_search_users
* sysdb: convert sysdb_delete_user
* sysdb: delete sysdb_delete_group
* sysdb: convert sysdb_search_groups
* sysdb: convert sysdb_cache_auth
* sysdb: remove sysdb_check_handle
* tests: remove use of asynchronous transactions
* sysdb: add synchronous transaction functions
* proxy: complete conversion to synchronous sysdb
* Use the sysdb synchronous transaction functions
* Remove remaining use of sysdb_transaction_send
* sysdb: remove async transactions
* sysdb: add automatic transactions where needed
* sysdb: convert sysdb_getpwnam
* sysdb: convert sysdb_getpwuid
* sysdb: convert sysdb_getgrnam
* sysdb: convert sysdb_getgrgid
* sysdb: convert sysdb_get_user_attr
* sysdb: convert sysdb_enumpwent
* sysdb: convert sysdb_enumgrent
* Adjust fill_pwent and fill_grent
* sysdb: convert sysdb_initgroups
* sysdb: remove obsolete helpers from sysdb
* sysdb: remove remaining traces of sysdb_handle
* sysdb: Finally stop using a common event context
* Make groupshow synchronous.
* tools: remove creation of event_context
* Better handle sdap_handle memory from callers.
* Avoid freeing sdap_handle too early
Stephen Gallagher (81):
* Support docdir and abs_builddir
* sysdb: convert sysdb_delete_entry
* Bumping version on master to 1.2.90
* Update translations for master branch
* Fix merge error for sss_userdel.c
* Remove unused configure macro
* Fix warning in sysdb-tests.c
* Fix ini_config unit test
* Give information about ldap_schema in the sample config
* Make ID provider init functions clearer
* Remove the NSS_LIBS and KRB5_LIBS variables from sssd.spec
* Add dns_resolver_timeout option
* Fix segfault in GSSAPI reconnect code
* Make krb5_kpasswd available for any krb5 provider
* Clean up kdcinfo and kpasswdinfo files when exiting
* Add callback when the ID provider switches from offline to online
* Add dynamic DNS updates to FreeIPA
* Revert "Add dynamic DNS updates to FreeIPA"
* Properly set up SIGCHLD handlers
* Add dynamic DNS updates to FreeIPA
* Don't report a fatal error for an HBAC denial
* Add a better error message for TLS failures
* Add enumerate details to the manpage and examples
* Revert "Copy pam data from DBus message"
* Display name of PAM action in pam_print_data()
* Make data provider id_callback public
* Fix error reporting for be_pam_handler
* Proxy provider PAM handling in child process
* Support password changes in chpass_provider = proxy
* Add ldap_access_filter option
* Fix typo in Makefile
* Fix broken build against older versions of OpenLDAP
* Fix typo in Makefile.am
* Disable connection callbacks when going online
* Change default min_id to 1
* Allow ldap_access_filter values wrapped in parentheses
* Properly handle read() and write() throughout the SSSD
* Fix misuse of errno in find_uid.c
* Avoid potential NULL dereference
* Properly handle missing originalMemberOf entry in initgroups
* Don't leak directory access resources on errors in directory_list()
* Check the correct variable for NULL after creating timer
* Properly check that the timeout event was created for cleanup/enum
* Check return code of hash_delete in proxy_child_destructor
* Eliminate unused variable from pc_init_timeout()
* Make sure to close varargs before returning from a function
* Properly null-terminate socket path
* Add ldap_force_upper_case_realm to example AD config
* Don't segfault if ldap_access_filter is unspecified
* Handle (ignore) unknown options in get_domain() and get_service()
* Remove references to the DP service from the SSSDConfig API tests
* Standardize on correct spelling of "principal" for krb5
* Initialize len before looping to read the pidfile
* Ensure that all domains are checked for users/groups
* Refactor the negative cache
* Move setup of filter_users and filter_groups to negcache.c
* Honor filter_users in PAM
* Fix potential resource leak in remove_tree_with_ctx()
* Fix return value from remove_connection_callback() destructor
* Protect against segfault in remove_ldap_connection_callbacks
* Drop release requirement from versions
* Bump libini_config version to 0.6.0
* Replace %define with %global in example spec
* Make RootDSE optional
* Rename proxy_ctx to proxy_id_ctx for clarity
* Split proxy.c into smaller files
* Add try_inotify option
* Release SSSD 1.2.91 (1.3.0rc1)
* Add sss_log() function
* Add log notifications for startup and shutdown.
* Add syslog messages for LDAP GSSAPI bind
* Log TLS errors to syslog
* Require -ltalloc for tevent configure check
* be_pam_handler(): Fix potential NULL dereference
* Add sysdb_attrs_to_list() utility function
* Add diff_string_lists utility function
* Add sysdb_group_dn_name utility function
* Add dup_string_list() utility function
* Add sysdb_update_members function
* Clean up initgroups processing for RFC2307
* Releasing SSSD 1.3.0
Sumit Bose (52):
* Revert "Add better checks on PAM socket"
* Use SO_PEERCRED on the PAM socket
* Set LDAP_OPT_RESTART for all LDAP connections
* Fix a potential memory violation
* Make the handling of fd events opaque
* Unset authentication tokens if password change fails
* Display a message if a password reset by root fails
* Fix wrong return value
* Fix a wrong return value in IPA HBAC
* Split pam_data utilities into a separate file
* Create kdcinfo and kpasswdinfo file at startup
* Compare the full service name
* Add retry option to pam_sss
* Add more warnings about nearly expired passwords
* Make Kerberos authentication a tevent_req
* New version of IPA auth and password migration
* Add ldap_krb5_ticket_lifetime option
* Defer sbus_dispatch() for 30ms during reconnect
* Copy pam data from DBus message
* Do not modify IPA_DOMAIN when setting Kerberos realm
* Handle Krb5 password expiration warning
* Add support for delayed kinit if offline
* Fix handling of ccache file when going offline
* Move parse_args() to util
* Copy pam data from DBus message
* Revert "Create kdcinfo and kpasswdinfo file at startup"
* Refactor data provider callbacks
* Add offline callbacks
* Refactor krb5_finalize()
* Add run_callbacks flag
* Add callback to remove krb5 info files when going offline
* Krb5 locator plugin returns KRB5_PLUGIN_NO_HANDLE
* Refactor krb5 SIGTERM handler installation
* Add krb5 SIGTERM handler to ipa auth provider
* Add offline callback to disconnect global SDAP handle
* Reset run_online_cb flag even if there are no callbacks
* Fix check if LDAP id provider is already initialized
* Remove signal event if child was terminated by a signal
* Check ipaEnabledFlag
* Add sysdb_attrs_get_string_array()
* Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el()
* Use new schema for HBAC service checks
* Remove service groups
* Compare full service name
* Unify sdap and sysdb data handling
* Initialize pam_data in Kerberos child.
* Avoid a potential double-free
* Add a missing initializer
* Add a missing free()
* Fix SASL authentication
* Do not treat missing HBAC rules as an error
* Allow sssd clients to reconnect
Yuri Chornoivan (2):
* Update Ukrainian translation
* Updating uk translation
eindenbom (15):
* Avoid accessing half-deallocated memory when using talloc_zfree macro.
* GSSAPI ticket expiry time is returned from ldap_child and stored in sdap_handle for future reference.
* Added an interface to query number of configured (and currently resolved through SRV records) failover servers.
* LDAP connection usage tracking, sharing and failover retry framework.
* Add an interface to try next fail-over server after connection to the active server was unexpectedly dropped.
* Use new LDAP connection framework to get user account info from LDAP.
* Use new LDAP connection framework to get group account info from LDAP.
* Use new LDAP connection framework to get user account groups from LDAP.
* Use new LDAP connection framework for LDAP user and group enumeration.
* Use new LDAP connection framework in LDAP access backend.
* Use new LDAP connection framework in IPA access backend.
* Use new LDAP connection framework in IPA dynamic DNS forwarder.
* Remove remainder of now unused global LDAP connection handle.
* Eliminate delayed sdap_handle destruction after fail-over retry.
* Fix IPA access backend handling of obsolete and missing HBAC entries:
-- 
Stephen Gallagher
RHCE 804006346421761
sssd-devel@lists.fedorahosted.org