The SSSD team is proud to announce the first beta of our upcoming 1.9.0
release. We plan to have three beta releases, the first today, the
second in mid-June and the last at the end of July. Each beta release
will provide a set of new enhancements (mostly revolving around Kerberos
cross-realm trust support and Active Directory integration).
As always, you can download the latest sources at
https://fedorahosted.org/sssd/
== Highlights ==
* Add native support for autofs to the IPA provider
* Support for ID-mapping when connecting to Active Directory
* Support for handling very large (> 1500 users) groups in Active
Directory
* Support for sub-domains (will be used for dealing with trust
relationships)
* Add a new fast in-memory cache to speed up lookups of cached data on
repeated requests
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/357
SSSD should provide fast in memory cache to provide similar
functionality as NSCD currently provides
https://fedorahosted.org/sssd/ticket/783
Support range retrievals
https://fedorahosted.org/sssd/ticket/887
Implement mechanism to fetch and store domain info
https://fedorahosted.org/sssd/ticket/917
Document sss_tools better
https://fedorahosted.org/sssd/ticket/949
Filter out inappropriate IP addresses from IPA dynamic DNS update
https://fedorahosted.org/sssd/ticket/996
RFE: Allow Constructing uid from Active Directory objectSid
https://fedorahosted.org/sssd/ticket/1031
[RFE] Implement "AD friendly" schema mapping
https://fedorahosted.org/sssd/ticket/1064
Sub-Domains: define new get_domains method
https://fedorahosted.org/sssd/ticket/1065
Sub-Domains: implement new get_domains method in IPA provider
https://fedorahosted.org/sssd/ticket/1067
Sub-Domains: add new get_domains method to responders
https://fedorahosted.org/sssd/ticket/1114
get_uid_from_pid() performs an improper read
https://fedorahosted.org/sssd/ticket/1119
Monitor SIGKILL time should be configurable
https://fedorahosted.org/sssd/ticket/1140
RFE Request for including pam_pwd_expiration_warning = 0 in
sssd.conf
https://fedorahosted.org/sssd/ticket/1170
sss_cache should support invalidating services and autofs maps
https://fedorahosted.org/sssd/ticket/1172
Bad check for id_provider=local and access_provider=permit
https://fedorahosted.org/sssd/ticket/1174
sssd.conf has wrong defaults for the "command" parameter
https://fedorahosted.org/sssd/ticket/1176
SSH: Add dp_get_host_send to common responder code
https://fedorahosted.org/sssd/ticket/1181
Typos in sssd manual
https://fedorahosted.org/sssd/ticket/1203
Hash the hostname/port information in the known_hosts file.
https://fedorahosted.org/sssd/ticket/1209
Convert all read and write loops to use atomic I/O function
https://fedorahosted.org/sssd/ticket/1233
Memory leak in sss_sudo_send_recv_generic
https://fedorahosted.org/sssd/ticket/1250
Add default home directory mapping
https://fedorahosted.org/sssd/ticket/1271
Stop using HTML_FOOTER_DESCRIPTION in doxygen docs
https://fedorahosted.org/sssd/ticket/1281
Add unit test for compatibility of ldap options between schemas
https://fedorahosted.org/sssd/ticket/1289
Create a way to define a default shell for cases when there is no shell
https://fedorahosted.org/sssd/ticket/1297
Use keytab to select etypes for krb5_get_init_creds_keytab()
https://fedorahosted.org/sssd/ticket/1298
Invalid cache file created when canoning principals during
krb5_get_init_creds_keytab()
https://fedorahosted.org/sssd/ticket/1301
sss_cache does nothing when executed without any options.
https://fedorahosted.org/sssd/ticket/1305
sss_cache should return a warning/error while validating unknown
user/group
https://fedorahosted.org/sssd/ticket/1306
sss_cache should return an error, when executed against inactive
domains
https://fedorahosted.org/sssd/ticket/1313
exec_child, execv and friends don't return success
https://fedorahosted.org/sssd/ticket/1316
kpasswd server status set to working when Kerberos auth succeeds
== Detailed Changelog ==
Ariel Barria (1):
* Bad check for id_provider=local and access_provider=permit
Jakub Hrozek (105):
* Fix SSH compilation on RHEL5
* AUTOFS: IPA provider
* Two sssd-ldap manual pages fixes
* Fix group enumeration
* Only fetch SELinux string if the user is found
* Remove setent structure when callback is called
* Allocate setent structure on state, not on the client context
* Fix memory hierarchy when processing nested group memberships
* Fix case insensitive service lookups
* Include the fd_limit configuration option
* End request if ldap_parse_result fails
* remove unused function
* Save errno value before calling DEBUG
* libnl: fix the path to phy80211 subdirectory
* AUTOFS: Invoke implicit setautomntent if needed
* AUTOFS: Search all search bases for automounter map entries
* AUTOFS: speed up the client by requesting multiple entries at once
* Use proper errno code
* Only do one cycle when resolving a server
* krb5_child: set debugging sooner
* Search netgroups by alias, too
* Detect cycle in the fail over on subsequent resolve requests only
* Autofs: operate on contents of double-pointer, not address
* Only free returned values on success
* Save original name into the in-memory cache
* Handle errors from lookup_netgr_step gracefully
* Fix nested groups processing
* Fix netgroup error handling
* Handle empty elements in proxy netgroups
* Fix uninitialized variable
* Free entry found in negative cache
* Make the string_equal() function public
* Save alias of the primary name, too
* NSS: Look for services with correct case when cache is updated
* AUTOFS: fix copy-and-paste bug in the autofs client
* LDAP services: Keep the protocol around
* Silence Coverity warning in the autofs test tool
* Return correct resolv_status on resolver timeout
* Add sss_get_cased_name_list utility function
* LDAP services: Save lowercased protocol names in case-insensitive
domains
* Proxy services: Save lowercased protocol names and aliases in
case-insensitive domains
* Fix off-by-one error in principal selection
* Catch cases where D-Bus connection is NULL
* Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
* Fix regression in SSSDConfig.py
* netlink integration: ensure that interface name is NULL-terminated
* Remove forgotten DEBUG message
* autofs: load the correct option
* man: document that referral chasing might bring performance penalty
* Prevent printing NULL from DEBUG messages
* Do not call sdap_auth if not needed
* pam_sss: improve error handling in SELinux code
* Remove the "command" option from documentation
* Add sysdb_set_service_attr and sysdb_set_autofsmap_attr
* sss_cache: support invalidating services and autofs maps
* autofs: Raise the maximum key length to PATH_MAX
* sss_cache: Better error reporting
* MAN: timeout can be specified for services, too
* MAN: document the hostid and autofs providers
* proxy: Canonicalize user and group names
* proxy: new option proxy_fast_alias
* Free controls in sdap_rebind_proc
* Make the monitor SIGKILL time configurable
* sdap_check_aliases must not error when it detects the same user
* sss_atomic_io: Do not fail reads with EPIPE if there is not enough
data to read
* Move atomic io function to a separate module
* Convert read and write operations to sss_atomic_read
* Document sss_tools better
* Warn on 'make update-po' if there are manpages not listed in po4a.cfg
* Test RFC2307bis and RFC2307 option maps
* Get the RootDSE after binding if not successful before
* Lowercase group members in case-insensitive domains
* NSS: Only return data from initgroups once
* SUDO: Return ret, not EOK
* SYSDB: return EOK if empty message is passed into get_rm_msg
* SYSDB: check return value
* SSH: return NULL on error in ssh_host_pubkeys_format_known_host_plain
* SERVER: use the correct return code of sss_atomic_write_s
* LDAP: check return value of sysdb_attrs_get_el
* RESPONDER: check return value from confdb_get_int
* PYHBAC: Return NULL on failure
* PAM_SSS: report error code if write fails
* NSS: Check return code of sss_mmap_cache_gr_store
* IPA netgroups: return EOK when there are no netgroups to process
* ipa_get_config_send: remove unused assignment
* HBAC: Prevent NULL dereference in hbac_evaluate
* DP: return correct error message when subdomains back end target is
not configured
* NSS: fix returning group from cache
* SSS_DEBUGLEVEL: silence analyzer warnings
* PROXY: return correct return codes
* IPA: Check return values
* AUTOFS: remove unused assignments
* Rename split_service_name_filter
* SSH: Add dp_get_host_send to common responder code
* Read sysdb attribute name, not LDAP attribute map name
* Kerberos locator: Include the correct krb5.h header file
* Special-case LDAP_SIZELIMIT_EXCEEDED
* krb5 locator: Do not leak addrinfo
* Only reset kpasswd server status when performing a chpass operation
* Try all KDCs when getting TGT for LDAP
* Send the correct enumeration request
* subdomains: Fix error handling in Data Provider
* Filter out IP addresses inappropriate for DNS forward records
* sysdb: return proper error code from sysdb_sudo_purge_all
* SYSDB: Handle user and group renames better
Jan Cholasta (22):
* Add methods for activating and deactivating services to SSSDConfig
* Add ssh service to sssd.api.conf
* SSH: Verify that names received from client are valid UTF-8 in
responder
* SSH: Build man pages conditionally
* SSH: Save SSH host name aliases
* SSH: Refactor responder and client common code
* UTIL: Add function for atomic I/O
* SSH: Continue connecting to SSH server even when SSSD is not running
in sss_ssh_knownhostsproxy
* SSH: Manage global known_hosts file in the responder
* SSH: Don't abort known_hosts update when host search fails
* SSH: Add more debugging messages
* SSH: Add missing break statements to sss_ssh_format_pubkey
* SSH: Use fchmod instead of chmod on known_hosts file
* SSH: Replace blocking getaddrinfo call in the responder with
asynchronous resolver code
* SSH: Remove unused --file option of sss_ssh_knownhostsproxy
* SSH: Update sss_ssh_knownhostsproxy manual page
* Include missing source files to the list of source files which
contain translatable strings
* SSH: Allow clients to explicitly specify host alias
* SSH: Canonicalize host name and do reverse DNS lookup in
sss_ssh_knownhostsproxy
* SSH: Fix infinite loop in sss_ssh_knownhostsproxy
* UTIL: Add HMAC-SHA-1 function
* SSH: Add support for hashed known_hosts
Jan Engelhardt (1):
* build: resolve link failure
Jan Zeleny (34):
* Fixed issue with netgroup update in IPA provider
* Don't give memory context in confdb where not needed
* IPA hosts refactoring
* SELinux related attributes added to config API
* Delete missing attributes from netgroups to be stored
* Modifications to simplify list_missing_attrs
* Fix the script path
* Fixed uninitialized pointer in SSH known host proxy
* Fixed uninitialized pointer in SSH authorized keys client
* Add umask before mkstemp() call in SSH responder
* Fixed resource leak in ssh client code
* Removed a block of dead code in sdap_async_groups.c
* Removed unused block of code in sdap_fill_memberships()
* Removed unused function sysdb_attrs_users_from_ldb_vals()
* Fixed memory context in sdap_fill_memberships()
* Fixed minor memory leak in ldap provider
* Sysdb routines for subdomains
* Add some utility functions for subdomains
* Add conn_name to allow different names for domains and connections
* Responder part of the subdomain retrieval work
* Modified responder_get_domain()
* Retrieve subdomains if there is a request for fully qualified user
* Ask for subdomains in responder in the first request after startup
* New config option for subdomains
* Moved expand_homedir_template() from NSS responder to utility code
* Add ID operations in subdomains
* Send PAM requests for subdomains to the right provider
* Basic support for subdomains in auth provider
* Carry sysdb context and domain info in be_req structure
* Accept be_req instead of be_ctx in LDAP access provider
* Detect subdomain request in IPA access provider
* Utilize sysdb context within be_req in HBAC
* Two fixes in responder subdomain code
* Modify behavior of pam_pwd_expiration_warning
Marco Pizzoli (1):
* Two manual pages fixes
Pavel Březina (16):
* Improve debug messages in sysdb_sudo_check_time()
* SUDO responder: check if the input is a UTF-8 string
* Refactor sss_result into sss_sudo_result
* Redesign purging of the sudo cache
* Honor case_sensitive option in sudo responder
* Move sudo_dom_ctx.user to local variable
* Hide --debug option in sss_debuglevel
* Two memory leaks in sss_sudo_get_values
* Missing debug message if sdap_sudo_refresh_set_timer fails
* Use of uninitialized value in sudosrv_cache_set_entry and
sudosrv_cache_lookup_internal
* Use of uninitialized value in sss_sudo_parse_response
* Potential NULL-dereference in sudosrv_cmd_get_sudorules
* sudo api: check sss_status instead of errnop in
sss_sudo_send_recv_generic()
* Install and uninstall all documentation
* fix copy and paste error in comment
* Fix typo in debug message
Simo Sorce (11):
* nss_group: Cache the result from sssd when the glibc provided buffer
is too small.
* pam_sss: keep selinux optional
* Use the correct hash table for pending requests
* util: Helper headers for shared memory cache
* nsssrv: shared memory cache server initialization
* nsssrv: Add memory cache record handling utils
* nsssrv: add handling of memory cache passwd map
* sss_client: Add common shared memory cache utils
* sss_client: shared memory cache passwd map support
* nsssrv: add handling of memory cache group map
* sss_client: shared memory cache group map support
Stef Walter (6):
* Fix erroneous reference to the 'allow' access_provider
* execv, execvp and exec_child never return EOK
* If canon'ing principals, write ccache with updated default principal
* Remove erroneous failure message in find_principal_in_keytab
* Limit krb5_get_init_creds_keytab() to etypes in keytab
* Clearer documentation for use_fully_qualified_names
Stephen Gallagher (96):
* Set version to 1.9dev
* Updating translatable strings for string freeze
* Updating translations
* Remove dead code
* Fix missing NULL check after malloc
* Avoid uninitialized value comparison
* Add missing breaks to switch statements
* Fix uninitialized in_transaction
* Fix bad failure handling in be_sudo_handler()
* Check for failure in sss_packet_grow()
* Fix uninitialized value error in proxy provider
* Ensure NULL-termination in get_uid_from_pid()
* Move sss_ssh_* binaries to the main 'sssd' package
* Always include all manpage XML files in the distribution tarball
* Fix missing %endif in sssd.spec.in
* NSS: Always return the same protocol that was requested
* LDAP: Ignore group member users that do not have name attributes
* RESPONDERS: Allow increasing the file-descriptor limit
* RESPONDERS: Make the fd_limit setting configurable
* Add tool to convert debug levels
* IPA: Add ipa_parse_search_base()
* LDAP: Properly assign orig_dn
* LDAP: Only use paging control on requests for multiple entries
* LDAP: Remove unnecessary filter sanitize
* Eliminate build-time requirement for nscd
* PAM: Don't send PAM_SYSTEM_INFO message if module unset
* Fix typo in autofs option description
* Include the debug_level upgrade tool in the tarball
* Include new manpages in translations
* Fix typo in script name
* Handle cases where UID is -1
* IPA: Set the DNS discovery domain to match ipa_domain
* IPA: Fix segfault with srchost functionality enabled
* DP: Reorganize memory hierarchy of requests
* Prune python provides correctly
* Make RPM spec more explicit
* Build experimental features by default in RPMs
* Properly terminate GIT_CHECKOUT
* LDAP: Make sdap_access_send/recv public
* IPA: Check nsAccountLock during PAM_ACCT_MGMT
* PROXY: Create fake user entries for group lookups
* SSH: Fix missing semicolon
* IPA: Initialize hbac_ctx to NULL
* i18n: Remove empty translations
* LDAP: Add AD 2008r2 schema
* IPA: Allow service lookups
* SYSDB: Save only lowercased aliases in case-insensitive domains
* LDAP: Errors retrieving the RootDSE should not be fatal
* NSS: Fix debug message
* Start SSSD earlier and stop it later
* LDAP: Add better error logging when ldap_result() fails
* LDAP: Fix memory leaks in synchronous_tls_setup
* BUILDSYS: Create common libs for LDAP and KRB5 sources
* Put dp_option maps in their own file
* Add terminator for dp_option
* Add better dp_option tests
* Add terminator for sdap_attr_map
* Add better tests for sdap_attr compatibility
* Remove old compatibility tests
* Fix building manpages in parallel build dirs
* Clean up log messages about keytab_name
* MAN: Improve ldap_disable_paging documentation
* MAN: Add ldap_sasl_minssf to the manpage
* Fix linker issue with pam_sss
* murmurhash: Relax inline requirement
* Handle endianness issues on older systems
* SYSDB: Handle upgrade script failures better
* LDAP: Add objectSID config option
* LDAP: Add id-mapping option
* SYSDB: Add sysdb routines for ID-mapping
* LDAP: Add helper routines for ID-mapping
* LDAP: Add ID mapping range settings
* LDAP: Initialize ID mapping when configured
* LDAP: Enable looking up ID-mapped users by name
* LDAP: Add autorid compatibility mode
* LDAP: Allow setting a default domain for id-mapping slice 0
* LDAP: Add routine to extract domain SID from an object SID
* LDAP: Allow automatically-provisioning a domain and range
* LDAP: Enable looking up id-mapped users by UID
* LDAP: Allow looking up ID-mapped groups by name
* LDAP: Enable looking up id-mapped groups by GID
* LDAP: Map the user's primaryGroupID
* LDAP: Add helper routine to convert LDAP blob to SID string
* LDAP: Do not remove uidNumber and gidNumber attributes when saving
id-mapped entries
* LDAP: Add helper function to map IDs
* LDAP: Treat groups with unmappable SIDs as non-POSIX groups
* MAN: Add manpage for ID mapping
* LDAP: Add support for enumeration of ID-mapped users and groups
* SSSDConfigAPI: Fix missing option in tests
* NSS: Add fallback_homedir option
* NSS: Add default_shell option
* SYSDB: Add better error logging to sysdb_set_entry_attr()
* LDAP: Add attr_count return value to build_attrs_from_map()
* LDAP: Handle very large Active Directory groups
* Updating translations for 1.9.0 beta 1 release
* Bumping version to 1.8.91 for 1.9.0 beta 1 release
Sumit Bose (13):
* Use curly braces in pkgconfig metadata file
* Keep sysdb context in domain info struct
* Remove sysdb_get_ctx_from_list()
* Always initialize the returned data in sss_krb5_princ_realm()
* Add idmap library
* Check sub-domains in nss_cmd_get{pwuid|grgid}_search()
* data provider: added subdomains
* IPA: Add get-domains target
* Add domain name to get_account_info request
* Add s2n extended operation
* Allow different SID representations in libidmap
* Fix typo in spec file
* Fix endian issue in SID conversion
Yuri Chornoivan (2):
* fix typos in manual
* Fix typo: retreiving->retrieving