Jakub,
On Fri, Jun 8, 2018 at 11:02 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> Hi,
> below are the release notes for 1.16.2. Please comment :-)
>
> SSSD 1.16.2
> ===========
>
> Highlights
> ----------
>
> New Features
> ^^^^^^^^^^^^
> * The smart card authentication, or in more general certificate authentication
> code now supports OpenSSL in addition to previously supported NSS (#3489).
> In addition, the SSH responder can now return public SSH keys derived from
> the public keys stored in an X.509 certificate. Please refer to the
> ``ssh_use_certificate_keys`` option in the man pages.
> * The files provider now supports mirroring multiple passwd or group
> files. This enhancement can be used to use the SSSD files provider instead
> of the nss_altfiles module.
>
> Notable bug fixes
> ^^^^^^^^^^^^^^^^^
In this section I'd also mention:
* A potential crash in AUTOFS responder's code was fixed (#3752)
> * A memory handling issue in the ``nss_ex`` interface was fixed. This bug
> would manifest in IPA environments with a trusted AD domain as a crash of
> the ns-slapd process, because a ``ns-slapd`` plugin loads the ``nss_ex``
> interface (#3715)
> * Several fixes for the KCM daemon were merged (see #3687, #3671, #3633)
> * The ``ad_site`` override is now honored in GPO code as well (#3646)
> * Several potential crashes in the NSS responder's netgroup code were fixed
> (#3679, #3731)
> * The LDAP provider now supports group renaming (#2653)
> * The GPO access control code no longer returns an error if one of the
> relevant GPO rules contained no SIDs at all (#3680)
> * A memory leak in the IPA provider related to resolving external AD
> groups was fixed (#3719)
> * Setups that used multiple domains where one of the domains had its ID
> space limited using the ``min_id/max_id`` options did not resolve requests
> by ID properly (#3728)
> * Overriding IDs or names did not work correctly when the domain resolution
> order was set as well (#3595)
> * A version mismatch between certain newer Samba versions (e.g. those shipped
> in RHEL-7.5) and the Winbind interface provided by SSSD was fixed. To further
> prevent issues like this in the future, the correct interface is now detected
> at build time (#3741)
> * The files provider no longer returns a qualified name in case domain
> resolution order is used (#3743)
> * A race condition between evaluating IPA group memberships and AD group
> memberships in setups with IPA-AD trusts that would have manifested as
> randomly losing IPA group memberships assigned to an AD user was fixed
> (#3744)
> * Setting an SELinux login label was broken in setups where the domain
> resolution order was used (#3740)
> * SSSD start up issue on systems that use the libldb library with version
> 1.4.0 or newer was fixed.
>
> Packaging Changes
> -----------------
> * Several new build requirements were added in order to support the OpenSSL
> certificate authentication
>
> Documentation Changes
> ---------------------
> * The files provider gained two new configuration options ``passwd_files``
> and ``group_files``. These can be used to specify the additional files
> to mirror.
> * A new ``ssh_use_certificate_keys`` option toggles whether the SSH responder
> would return public SSH keys derived from X.509 certificates.
> * The ``local_negative_timeout`` option is now enabled by default. This
> means that if SSSD fails to find a user in the configured domains,
> but is then able to find the user with an NSS call such as getpwnam,
> it would negatively cache the request for the duration of the
> local_negative_timeout option.