The SSSD team is proud to announce the first beta of our upcoming 1.9.0 release. We plan to have three beta releases, the first today, the second in mid-June and the last at the end of July. Each beta release will provide a set of new enhancements (mostly revolving around Kerberos cross-realm trust support and Active Directory integration). As always, you can download the latest sources at https://fedorahosted.org/sssd/ == Highlights == * Add native support for autofs to the IPA provider * Support for ID-mapping when connecting to Active Directory * Support for handling very large (> 1500 users) groups in Active Directory * Support for sub-domains (will be used for dealing with trust relationships) * Add a new fast in-memory cache to speed up lookups of cached data on repeated requests == Tickets Fixed == https://fedorahosted.org/sssd/ticket/357 SSSD should provide fast in memory cache to provide similar functionality as NSCD currently provides https://fedorahosted.org/sssd/ticket/783 Support range retrievals https://fedorahosted.org/sssd/ticket/887 Implement mechanism to fetch and store domain info https://fedorahosted.org/sssd/ticket/917 Document sss_tools better https://fedorahosted.org/sssd/ticket/949 Filter out inappropriate IP addresses from IPA dynamic DNS update https://fedorahosted.org/sssd/ticket/996 RFE: Allow Constructing uid from Active Directory objectSid https://fedorahosted.org/sssd/ticket/1031 [RFE] Implement "AD friendly" schema mapping https://fedorahosted.org/sssd/ticket/1064 Sub-Domains: define new get_domains method https://fedorahosted.org/sssd/ticket/1065 Sub-Domains: implement new get_domains method in IPA provider https://fedorahosted.org/sssd/ticket/1067 Sub-Domains: add new get_domains method to responders https://fedorahosted.org/sssd/ticket/1114 get_uid_from_pid() perfoms an improper read https://fedorahosted.org/sssd/ticket/1119 Monitor SIGKILL time should be configurable https://fedorahosted.org/sssd/ticket/1140 RFE Request for including pam_pwd_expiration_warning = 0 in sssd.conf https://fedorahosted.org/sssd/ticket/1170 sss_cache should support invalidating services and autofs maps https://fedorahosted.org/sssd/ticket/1172 Bad check for id_provider=local and access_provider=permit https://fedorahosted.org/sssd/ticket/1174 sssd.conf has wrong defaults for the "command" parameter https://fedorahosted.org/sssd/ticket/1176 SSH: Add dp_get_host_send to common responder code https://fedorahosted.org/sssd/ticket/1181 Typos in sssd manual https://fedorahosted.org/sssd/ticket/1203 Hash the hostname/port information in the known_hosts file. https://fedorahosted.org/sssd/ticket/1209 Convert all read and write loops to use atomic I/O function https://fedorahosted.org/sssd/ticket/1233 Memory leak in sss_sudo_send_recv_generic https://fedorahosted.org/sssd/ticket/1250 Add default home directory mapping https://fedorahosted.org/sssd/ticket/1271 Stop using HTML_FOOTER_DESCRIPTION in doxygen docs https://fedorahosted.org/sssd/ticket/1281 Add unit test for compatibility of ldap options between schemas https://fedorahosted.org/sssd/ticket/1289 Create a way to define a default shell for cases when there no shell https://fedorahosted.org/sssd/ticket/1297 Use keytab to select etypes for krb5_get_init_creds_keytab() https://fedorahosted.org/sssd/ticket/1298 Invalid cache file created when canoning principals during krb5_get_init_creds_keytab() https://fedorahosted.org/sssd/ticket/1301 sss_cache does nothing when executed without any options. https://fedorahosted.org/sssd/ticket/1305 sss_cache should return a warning/error while validating unknown user/group https://fedorahosted.org/sssd/ticket/1306 sss_cache should return an error, when executed against inactive domains https://fedorahosted.org/sssd/ticket/1313 exec_child, execv and friends don't return success https://fedorahosted.org/sssd/ticket/1316 kpasswd server status set to working when Kerberos auth succeeds == Detailed Changelog == Ariel Barria (1): * Bad check for id_provider=local and access_provider=permit Jakub Hrozek (105): * Fix SSH compilation on RHEL5 * AUTOFS: IPA provider * Two sssd-ldap manual pages fixes * Fix group enumeration * Only fetch SELinux string if the user is found * Remove setent structure when callback is called * Allocate setent structure on state, not on the client context * Fix memory hierarchy when processing nested group memberships * Fix case insensitive service lookups * Include the fd_limit configuration option * End request if ldap_parse_result fails * remove unused function * Save errno value before calling DEBUG * libnl: fix the path to phy80211 subdirectory * AUTOFS: Invoke implicit setautomntent if needed * AUTOFS: Search all search bases for automounter map entries * AUTOFS: speed up the client by requesting multiple entries at once * Use proper errno code * Only do one cycle when resolving a server * krb5_child: set debugging sooner * Search netgroups by alias, too * Detect cycle in the fail over on subsequent resolve requests only * Autofs: operate on contents of double-pointer, not address * Only free returned values on success * Save original name into the in-memory cache * Handle errors from lookup_netgr_step gracefully * Fix nested groups processing * Fix netgroup error handling * Handle empty elements in proxy netgroups: * Fix uninitialized variable * Free entry found in negative cache * Make the string_equal() function public * Save alias of the primary name, too * NSS: Look for services with correct case when cache is updated * AUTOFS: fix copy-and-paste bug in the autofs client * LDAP services: Keep the protocol around * Silence Coverity warning in the autofs test tool * Return correct resolv_status on resolver timeout * Add sss_get_cased_name_list utility function * LDAP services: Save lowercased protocol names in case-insensitive domains * Proxy services: Save lowercased protocol names and aliases in case-insensitive domains * Fix off-by-one error in principal selection * Catch cases where D-Bus connection is NULL * Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION * Fix regression in SSSDConfig.py * netlink integration: ensure that interface name is NULL-terminated * Remove forgotten DEBUG message * autofs: load the correct option * man: document that referral chasing might bring performance penalty * Prevent printing NULL from DEBUG messages * Do not call sdap_auth if not needed * pam_sss: improve error handling in SELinux code * Remove the "command" option from documentation * Add sysdb_set_service_attr and sysdb_set_autofsmap_attr * sss_cache: support invalidating services and autofs maps * autofs: Raise the maximum key length to PATH_MAX * sss_cache: Better error reporting * MAN: timeout can be specified for services, too * MAN: document the hostid and autofs providers * proxy: Canonicalize user and group names * proxy: new option proxy_fast_alias * Free controls in sdap_rebind_proc * Make the monitor SIGKILL time configurable * sdap_check_aliases must not error when detects the same user * sss_atomic_io: Do not fail reads with EPIPE if there is not enough data to read * Move atomic io function to a separate module * Convert read and write operations to sss_atomic_read * Document sss_tools better * Warn on 'make update-po' if there are manpages not listed in po4a.cfg * Test RFC2307bis and RFC2307 option maps * Get the RootDSE after binding if not successfull before * Lowercase group members in case-insensitive domains * NSS: Only return data from initgroups once * SUDO: Return ret, not EOK * SYSDB: return EOK if empty message is passed into get_rm_msg * SYSDB: check return value * SSH: return NULL on error in ssh_host_pubkeys_format_known_host_plain * SERVER: use the correct return code of sss_atomic_write_s * LDAP: check return value of sysdb_attrs_get_el * RESPONDER: check return value from confdb_get_int * PYHBAC: Return NULL on failure * PAM_SSS: report error code if write fails * NSS: Check return code of sss_mmap_cache_gr_store * IPA netgroups: return EOK when there are no netgroups to process * ipa_get_config_send: remove unused assignment * HBAC: Prevent NULL dereference in hbac_evaluate * DP: return correct error message when subdomains back end target is not configured * NSS: fix returning group from cache * SSS_DEBUGLEVEL: silence analyzer warnings * PROXY: return correct return codes * IPA: Check return values * AUTOFS: remove unused assignments * Rename split_service_name_filter * SSH: Add dp_get_host_send to common responder code * Read sysdb attribute name, not LDAP attribute map name * Kerberos locator: Include the correct krb5.h header file * Special-case LDAP_SIZELIMIT_EXCEEDED * krb5 locator: Do not leak addrinfo * Only reset kpasswd server status when performing a chpass operation * Try all KDCs when getting TGT for LDAP * Send the correct enumeration request * subdomains: Fix error handling in Data Provider * Filter out IP addresses inappropriate for DNS forward records * sysdb: return proper error code from sysdb_sudo_purge_all * SYSDB: Handle user and group renames better Jan Cholasta (22): * Add methods for activating and deactivating services to SSSDConfig * Add ssh service to sssd.api.conf * SSH: Verify that names received from client are valid UTF-8 in responder * SSH: Build man pages conditionally * SSH: Save SSH host name aliases * SSH: Refactor responder and client common code * UTIL: Add function for atomic I/O * SSH: Continue connecting to SSH server even when SSSD is not running in sss_ssh_knownhostsproxy * SSH: Manage global known_hosts file in the responder * SSH: Don't abort known_hosts update when host search fails * SSH: Add more debugging messages * SSH: Add missing break statements to sss_ssh_format_pubkey * SSH: Use fchmod instead of chmod on known_hosts file * SSH: Replace blocking getaddrinfo call in the responder with asynchronous resolver code * SSH: Remove unused --file option of sss_ssh_knownhostsproxy * SSH: Update sss_ssh_knownhostsproxy manual page * Include missing source files to the list of source files which contain translatable strings * SSH: Allow clients to explicitly specify host alias * SSH: Canonicalize host name and do reverse DNS lookup in sss_ssh_knownhostsproxy * SSH: Fix infinite loop in sss_ssh_knownhostsproxy * UTIL: Add HMAC-SHA-1 function * SSH: Add support for hashed known_hosts Jan Engelhardt (1): * build: resolve link failure Jan Zeleny (34): * Fixed issue with netgroup update in IPA provider * Don't give memory context in confdb where not needed * IPA hosts refactoring * SELinux related attributes added to config API * Delete missing attributes from netgroups to be stored * Modifications to simplify list_missing_attrs * Fix the script path * Fixed uninitialized pointer in SSH known host proxy * Fixed uninitialized pointer in SSH authorized keys client * Add umask before mkstemp() call in SSH responder * Fixed resource leak in ssh client code * Removed a block of dead code in sdap_async_groups.c * Removed unused block of code is sdap_fill_memberships() * Removed unused function sysdb_attrs_users_from_ldb_vals() * Fixed memory context in sdap_fill_memberships() * Fixed minor memory leak in ldap provider * Sysdb routines for subdomains * Add some utility functions for subdomains * Add conn_name to allow different names for domains and connections * Responder part of the subdomain retrieval work * Modified responder_get_domain() * Retrieve subdomains if there is a request for fully qualified user * Ask for subdomains in responder in the first request after startup * New config option for subdomains * Moved expand_homedir_template() from NSS responder to utility code * Add ID operations in subdomains * Send PAM requests for subdomains to the right provider * Basic support for subdomains in auth provider * Carry sysdb context and domain info in be_req structure * Accept be_req instead if be_ctx in LDAP access provider * Detect subdomain request in IPA access provider * Utilize sysdb context within be_req in HBAC * Two fixes in responder subdomain code * Modify behavior of pam_pwd_expiration_warning Marco Pizzoli (1): * Two manual pages fixes Pavel Březina (16): * Improve debug messages in sysdb_sudo_check_time() * SUDO responder: check if the input is a UTF-8 string * Refactor sss_result into sss_sudo_result * Redesign purging of the sudo cache * Honor case_sensitive option in sudo responder * Move sudo_dom_ctx.user to local variable * Hide --debug option in sss_debuglevel * Two memory leaks in sss_sudo_get_values * Missing debug message if sdap_sudo_refresh_set_timer fails * Use of unininitialized value in sudosrv_cache_set_entry and sudosrv_cache_lookup_internal * Use of unininitialized value in sss_sudo_parse_response * Potential NULL-dereference in sudosrv_cmd_get_sudorules * sudo api: check sss_status instead of errnop in sss_sudo_send_recv_generic() * Install and uninstall all documentation * fix copy and paste error in comment * Fix typo in debug message Simo Sorce (11): * nss_group: Cache the result from sssd when the glibc provided buffer is too small. * pam_sss: keep selinux optional * Use the correct hash table for pending requests * util: Helper headers for shared memory cache * nsssrv: shared memory cache server initialization * nsssrv: Add memory cache record handling utils * nsssrv: add handling of memory cache passwd map * sss_client: Add common shared memory cache utils * sss_client: shared memory cache passwd map support * nsssrv: add handling of memory cache group map * sss_client: shared memory cache group map support Stef Walter (6): * Fix erronous reference to the 'allow' access_provider * execv, excvp and exec_child never return EOK * If canon'ing principals, write ccache with updated default principal * Remove erroneous failure message in find_principal_in_keytab * Limit krb5_get_init_creds_keytab() to etypes in keytab * Clearer documentation for use_fully_qualified_names Stephen Gallagher (96): * Set version to 1.9dev * Updating translatable strings for string freeze * Updating translations * Remove dead code * Fix missing NULL check after malloc * Avoid uninitialized value comparison * Add missing breaks to switch statements * Fix uninitialized in_transaction * Fix bad failure handling in be_sudo_handler() * Check for failure in sss_packet_grow() * Fix uninitialized value error in proxy provider * Ensure NULL-termination in get_uid_from_pid() * Move sss_ssh_* binaries to the main 'sssd' package * Always include all manpage XML files in the distribution tarball * Fix missing %endif in sssd.spec.in * NSS: Always return the same protocol that was requested * LDAP: Ignore group member users that do not have name attributes * RESPONDERS: Allow increasing the file-descriptor limit * RESPONDERS: Make the fd_limit setting configurable * Add tool to convert debug levels * IPA: Add ipa_parse_search_base() * LDAP: Properly assign orig_dn * LDAP: Only use paging control on requests for multiple entries * LDAP: Remove unnecessary filter sanitize * Eliminate build-time requirement for nscd * PAM: Don't send PAM_SYSTEM_INFO message if module unset * Fix typo in autofs option description * Include the debug_level upgrade tool in the tarball * Include new manpages in translations * Fix typo in script name * Handle cases where UID is -1 * IPA: Set the DNS discovery domain to match ipa_domain * IPA: Fix segfault with srchost functionality enabled * DP: Reorganize memory hierarchy of requests * Prune python provides correctly * Make RPM spec more explicit * Build experimental features by default in RPMs * Properly terminate GIT_CHECKOUT * LDAP: Make sdap_access_send/recv public * IPA: Check nsAccountLock during PAM_ACCT_MGMT * PROXY: Create fake user entries for group lookups * SSH: Fix missing semicolon * IPA: Initialize hbac_ctx to NULL * i18n: Remove empty translations * LDAP: Add AD 2008r2 schema * IPA: Allow service lookups * SYSDB: Save only lowercased aliases in case-insensitive domains * LDAP: Errors retrieving the RootDSE should not be fatal * NSS: Fix debug message * Start SSSD earlier and stop it later * LDAP: Add better error logging when ldap_result() fails * LDAP: Fix memory leaks in synchronous_tls_setup * BUILDSYS: Create common libs for LDAP and KRB5 sources * Put dp_option maps in their own file * Add terminator for dp_option * Add better dp_option tests * Add terminator for sdap_attr_map * Add better tests for sdap_attr compability * Remove old compatibility tests * Fix building manpages in parallel build dirs * Clean up log messages about keytab_name * MAN: Improve ldap_disable_paging documentation * MAN: Add ldap_sasl_minssf to the manpage * Fix linker issue with pam_sss * murmurhash: Relax inline requirement * Handle endianness issues on older systems * SYSDB: Handle upgrade script failures better * LDAP: Add objectSID config option * LDAP: Add id-mapping option * SYSDB: Add sysdb routines for ID-mapping * LDAP: Add helper routines for ID-mapping * LDAP: Add ID mapping range settings * LDAP: Initialize ID mapping when configured * LDAP: Enable looking up ID-mapped users by name * LDAP: Add autorid compatibility mode * LDAP: Allow setting a default domain for id-mapping slice 0 * LDAP: Add routine to extract domain SID from an object SID * LDAP: Allow automatically-provisioning a domain and range * LDAP: Enable looking up id-mapped users by UID * LDAP: Allow looking up ID-mapped groups by name * LDAP: Enable looking up id-mapped groups by GID * LDAP: Map the user's primaryGroupID * LDAP: Add helper routine to convert LDAP blob to SID string * LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped entries * LDAP: Add helper function to map IDs * LDAP: Treat groups with unmappable SIDs as non-POSIX groups * MAN: Add manpage for ID mapping * LDAP: Add support for enumeration of ID-mapped users and groups * SSSDConfigAPI: Fix missing option in tests * NSS: Add fallback_homedir option * NSS: Add default_shell option * SYSDB: Add better error logging to sysdb_set_entry_attr() * LDAP: Add attr_count return value to build_attrs_from_map() * LDAP: Handle very large Active Directory groups * Updating translations for 1.9.0 beta 1 release * Bumping version to 1.8.91 for 1.9.0 beta 1 release Sumit Bose (13): * Use curly braces in pkgconfig metadata file * Keep sysdb context in domain info struct * Remove sysdb_get_ctx_from_list() * Always initialize the returned data in sss_krb5_princ_realm() * Add idmap library * Check sub-domains in nss_cmd_get{pwuid|grgid}_search() * data provider: added subdomains * IPA: Add get-domains target * Add domain name to get_account_info request * Add s2n extended operation * Allow different SID representations in libidmap * Fix typo in spec file * Fix endian issue in SID conversion Yuri Chornoivan (2): * fix typos in manual * Fix typo: retreiving->retrieving