Hi,
I prepared release notes for today's release. They are written in anticipation that PR#186 with the subdomain config will be merged.
The RST I pushed to the sssd/docs repo is below:
SSSD 1.15.2
===========

Highlights
----------

* It is now possible to configure certain parameters of a trusted domain in a configuration file sub-section. In particular, it is now possible to configure which Active Directory DCs the SSSD talks to with a configuration like this::

      [domain/ipa.test]
      # IPA domain configuration. This domain trusts a Windows domain win.test

      [domain/ipa.test/win.test]
      ad_server = dc.win.test

* Several issues related to socket-activating the NSS service, especially if SSSD was configured to use a non-privileged user were fixed. The NSS service now starts as root to avoid triggering a name-service lookup while the NSS service is not running yet. Additionally, the NSS service is started before any other service to make sure username resolution works and the other service can resolve the SSSD user correctly.
* A new option ``cache_first`` allows the administrator to change the way multiple domains are searched. When this option is enabled, SSSD will first try to "pin" the requested name or ID to a domain by searching the entries that are already cached and contact the domain that contains the cached entry first. Previously, SSSD would check the cache and the remote server for each domain. This option brings performance benefit for setups that use multiple domains (even auto-discovered trusted domains), especially for ID lookups that would previously iterate over all domains. Please note that this option must be enabled with care as the administrator must ensure that the ID space of domains does not overlap.
* The SSSD D-Bus interface gained two new methods: ``FindByNameAndCertificate`` and ``ListByCertificate``. These methods will be used primarily by IPA to correctly match multiple users who use the same certificate for Smart Card login.
* A bug where SSSD did not properly sanitize a username with a newline character in it was fixed.

Packaging Changes
-----------------

None in this release

Documentation Changes
---------------------

* A new option ``cache_first`` was added. Please see the Highlights section for more details
* The ``override_homedir`` option supports a new template expansion ``l`` that expands to the first letter of username

Tickets Fixed
-------------

Please note that due to a bug in the pagure.io tracker, some tickets that have dependencies set to other tickets cannot be closed at the moment.

* `#3317 <https://pagure.io/SSSD/sssd/issue/3317>`_ - Newline characters (\n) must be sanitized before LDAP requests take place
* `#3316 <https://pagure.io/SSSD/sssd/issue/3316>`_ - sssd-secrets doesn't exit on idle
* `#3314 <https://pagure.io/SSSD/sssd/issue/3314>`_ - sssd ignores entire groups from proxy provider if one member is listed twice
* `#3164 <https://pagure.io/SSSD/sssd/issue/3164>`_ - when group is invalidated using sss_cache dataExpireTimestamp entry in the domain and timestamps cache are inconsistent
* `#2668 <https://pagure.io/SSSD/sssd/issue/2668>`_ - [RFE] Add more flexible templating for override_homedir config option
* `#2599 <https://pagure.io/SSSD/sssd/issue/2599>`_ - Make it possible to configure AD subdomain in the server mode
* `#3223 <https://pagure.io/SSSD/sssd/issue/3323>`_ - The sssd-$RESPONDER.service units should bind to their socket units
* `#3322 <https://pagure.io/SSSD/sssd/issue/3322>`_ - chown in ExecStartPre of sssd-nss.service hangs forever
* `#843 <https://pagure.io/SSSD/sssd/issue/843>`_ - Login time increases strongly if more than one domain is configured
* `#2320 <https://pagure.io/SSSD/sssd/issue/2320>`_ - use the sss_parse_inp request in other responders than dbus

Detailed Changelog
------------------
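
The lookup order that the ``cache_first`` highlight describes, and the reason for its warning about overlapping ID spaces, can be seen in a small model. This is an added example, not SSSD code and not part of the original message: the ``Domain`` class, the ``lab.test`` domain, and all user names and IDs are constructed, and cached entries are assumed to be still valid.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    remote: dict                                # ID -> user on the remote server
    cache: dict = field(default_factory=dict)   # ID -> user already cached
    remote_queries: int = 0

    def fetch(self, uid):
        """Query the remote server and cache a positive answer."""
        self.remote_queries += 1
        user = self.remote.get(uid)
        if user is not None:
            self.cache[uid] = user
        return user

def lookup_id(domains, uid, cache_first=False):
    """Resolve uid; returns (domain name, user) or None."""
    order = list(domains)
    if cache_first:
        # Caches of all domains are searched first; a domain holding a
        # cached entry is "pinned" and tried before the others (stable sort).
        order.sort(key=lambda d: uid not in d.cache)
    for dom in order:
        # Per domain: cache, then remote server.
        user = dom.cache.get(uid) or dom.fetch(uid)
        if user:
            return dom.name, user
    return None

def compare(build, uid):
    """Run the same lookup with cache_first off and on over fresh domains."""
    out = {}
    for flag in (False, True):
        doms = build()
        hit = lookup_id(doms, uid, cache_first=flag)
        out[flag] = (hit, sum(d.remote_queries for d in doms))
    return out

# Constructed data: disjoint ID ranges, ID 3000 cached in the last domain.
def disjoint():
    return [Domain("ipa.test", {1000: "alice"}), Domain("win.test", {2000: "bob"}),
            Domain("lab.test", {3000: "carol"}, cache={3000: "carol"})]

# Constructed misconfiguration: ID 5000 exists in two domains.
def overlapping():
    return [Domain("ipa.test", {5000: "dave"}),
            Domain("win.test", {5000: "erin"}, cache={5000: "erin"})]

if __name__ == "__main__":
    print(compare(disjoint, 3000))
    print(compare(overlapping, 5000))
```

With disjoint ID ranges both modes return the same user and ``cache_first`` only saves the remote round trips; with overlapping ranges the same ID resolves to a different account depending on which domain happens to have it cached.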
On Wed, Mar 15, 2017 at 4:17 PM, Jakub Hrozek jhrozek@redhat.com wrote:
Several issues related to socket-activating the NSS service, especially if SSSD was configured to use a non-privileged user were fixed. The NSS service now starts as root to avoid triggering a name-service lookup while the NSS service is not running yet. Additionally, the NSS service is started before any other service to make sure username resolution works and the other service can resolve the SSSD user correctly.
So, this part is not exactly accurate. NSS responder has always been only used as root. What we did is not changing the owner of the nss log file for the socket-activated NSS responder.
My suggestion is: "(...). The NSS service now doesn't change the ownership of its log files to avoid triggering (...)"
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-leave@lists.fedorahosted.org
On Wed, Mar 15, 2017 at 04:27:26PM +0100, Fabiano Fidêncio wrote:
- Several issues related to socket-activating the NSS service, especially if SSSD was configured to use a non-privileged user were fixed. The NSS service now starts as root to avoid triggering a name-service lookup while the NSS service is not running yet. Additionally, the NSS service is started before any other service to make sure username resolution works and the other service can resolve the SSSD user correctly.
So, this part is not exactly accurate. NSS responder has always been only used as root. What we did is not changing the owner of the nss log file for the socket-activated NSS responder.
My suggestion is: "(...). The NSS service now doesn't change the ownership of its log files to avoid triggering (...)"
Suggestion taken, the new relnotes can be viewed at: https://pagure.io/SSSD/docs/blob/master/f/users/relnotes/notes_1_15_2.rst
On Wed, Mar 15, 2017 at 04:17:51PM +0100, Jakub Hrozek wrote:
The SSSD D-Bus interface gained two new methods: ``FindByNameAndCertificate`` and ``ListByCertificate``. These methods will be used primarily by IPA to correctly match multiple users who use the
^^^^^^^
*be used primarily by IPA and mod_lookup_identity ...
bye, Sumit
same certificate for Smart Card login.
On Wed, Mar 15, 2017 at 04:52:18PM +0100, Sumit Bose wrote:
- The SSSD D-Bus interface gained two new methods: ``FindByNameAndCertificate`` and ``ListByCertificate``. These methods will be used primarily by IPA to correctly match multiple users who use the
^^^^^^^
*be used primarily by IPA and mod_lookup_identity ...
Fixed at: https://pagure.io/SSSD/docs/blob/master/f/users/relnotes/notes_1_15_2.rst