=== SSSD 1.9.6 ===
The SSSD team is proud to announce the release of version 1.9.6 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
This is mostly a bugfix release with minor feature enhancements -- see
the changelog below for details.
RPM packages will be made available for Fedora 18 shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
== Highlights ==
* This release focused primarily on bug fixing and stabilization. Only
minor features were added
* A new ignore_group_members option was added. This option can be used to
suppress downloading group members on group lookups, making the group lookups
much faster for environments that do not need to know the group members.
* A new option ldap_rfc2307_fallback_to_local_users was added. If this
option is set to true, SSSD is able to resolve local group members of
* A new option ldap_disable_range_retrieval was added. Switching this
option to True skips large Active Directory groups that might otherwise
take a long time to download and process.
* A new option refresh_expired_interval was added. This option configures
a background task that automatically refreshes entries that are nearing
their expiration time. In this release, only refreshing netgroups is
implemented.
* Multiple crasher bugs in the fast in-memory cache were fixed.
* Several commits improved portability of SSSD's build system, allowing
for easier builds on non-Linux platforms.
== Tickets Fixed ==
* Enabling enumeration causes sssd_be process to utilize 100% of the CPU
* SSSD doesn't display warning for last grace login.
* [RFE] support autoconfiguring SUDO with ipa provider and compat tree
* SUDO is not working for users from trusted AD domain
* getgrnam / getgrgid for large user groups is too slow due to range
* [RFE] Add support for suppressing group members
* If previous SRV query failed, the next try might not be retried in
* [abrt] sssd-1.10.0-4.fc19.beta1: get_server_status: Process
/usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
* sssd_be goes to 99% CPU and causes significant login delays when client
is under load
* sudoHost mismatch response is incorrect sometimes
* sssd fails to resolve hosts/services once the network is up
* cyclic group memberships may not work depending on order of operations
* sssd fails instead of skipping when a sudo ldap filter returns entries
with multiple CNs
* sssd_be crashing with nested ldap groups contain a dangling member
* sss_cache -N/-n should invalidate the hash table in sssd_nss
* SSSD filter out ldap user/group if uid/gid is zero
* SSSD service randomly dies
* SYSV init script should use @sbindir@
* Enhance sssd init script so that it would source a configuration
* SSSD failover doesn't work if the first DNS server in resolv.conf
* resolv-tests failing with memory leak
* sssd_nss terminated with segmentation fault
* unite periodic refresh API
* [RFE] Add a task to the SSSD to periodically refresh cached entries
* passwd returns "Authentication token manipulation error" when entering
wrong current password
* Cannot change expired password of an AD user
* Invalid assignment to enum
* sss_packet_grow: wrong use of module to pad data
* sssd_nss core dumps under load
* Data provider endianness bug
* AD dyndns update crashed after attempting to update a standalone DNS server
* In IPA AD trust setup, the sssd logs throws 'sysdb_search_user_by_name
failed' error when AD user tries to login via ipa client.
* sssd_be segfault when authenticating against active directory
== Detailed Changelog ==
Jakub Hrozek (10):
* Bump the version for the 1.9.6 release
* Only try to relink ghost users if we're not enumerating
* Display the last grace warning, too
* IPA: Do not download or store the member attribute of host groups
* LDAP: Fix crash when processing nested groups
* MAN: Clarify the min_id/max_id limits further
* Set default DNS resolution timeout to 6 seconds.
* DP: Use the correct type for DBus boolean
* Make IPA SELinux provider aware of subdomain users
* Updating Transifex URL
* Updating translations for the 1.9.6 release
Lukas Slebodnik (31):
* SUDO: IPA provider
* Removing unused functions.
* Adding option to disable retrieving large AD groups.
* Every time use permissive control in function memberof_mod.
* NSS: allow removing entries from netgroup hash table
* NSS: Clear cached netgroups if a request comes in from the sss_cache
* Do not call sss_cmd_done in function check_cache.
* Handle too many results from getnetgr.
* Removing unused parameter type from sudosrv_get_sudorules_query_cache()
* mmap_cache: Skip records which don't have the same hash
* mmap_cache: Use stricter check for hash keys.
* UTIL: Create new wrapper header file sss_endian.h
* CLIENT: Fix non gnu sss_strnlen implementation
* MONITOR: Move function declaration out of conditional build
* UTIL: Explicitly include header file sys/socket.h
* MEMBEROF: Remove temporary workaround
* IPA_HBAC: Explicitly include header file time.h
* CONFIGURE: Get rid of bashism
* Include sys/types.h for types id_t and uid_t
* UTIL: Use standard maximum value of type size_t
* mmap_cache: Do not remove record from chain twice
* AUTOTOOLS: Add -LLIBDIR to PYTHON_LIBS
* AUTOTOOLS: Add missing AC_MSG_RESULT
* AUTOMAKE: Use portable way to link with dlopen
* AUTOMAKE: Use portable way to link with gettext
* AUTOTOOLS: Add directories for searching ldap headers and libs
* AUTOTOOLS: Refactor unicode library detection
* AUTOTOOLS: add check for type intptr_t
* AUTOTOOLS: Use pkg-config to detect libraries.
* AUTOTOOLS: More robust detection of inotify.
* AUTOTOOLS: Fix warnings: macro xyz not found in library
Michal Zidek (13):
* Always set port status to neutral when resetting service.
* Lower timeout to contact DNS server
* resolv-tests failing with memory leak
* mmap_cache: Check if slot and name_ptr are not invalid.
* ldap, krb5: More descriptive msg on chpass failure.
* mmap_cache: Check data->name value in client code
* mmap_cache: Remove triple checks in client code.
* mmap_cache: Off by one error.
* mmap_cache: Use better checks for corrupted mc in responder
* mmap_cache: Store corrupted mmap cache before reset
* Rename _SSS_MC_SPECIAL
* man sssd: Add note about SSS_NSS_USE_MEMCACHE
* Check slot validity before MC_SLOT_TO_PTR.
Paul B. Henson (1):
* Add ignore_group_members option.
Pavel Březina (16):
* sudo responder: use fully qualified name for subdomain users
* failover: set state->out when meta server remains in SRV_RESOLVE_ERROR
* collapse_srv_lookup may free the server, make it clear from the API
* failover: if expanded server is marked as neutral, invoke srv collapse
* sudo responder: use different callback for oob refresh
* sudo: skip rule on error instead of failing completely
* sudo: print better debug message when a rule has multiple cn values
* init script: source /etc/sysconfig/sssd
* back end: periodic task API
* back end: periodical refresh of expired records API
* back end: add refresh expired records periodic task
* providers: refresh expired netgroups
* print hint about password complexity when new password is rejected
* sss_packet_grow: correctly pad packet length to 512B
* SIGCHLD handler: do not call callback when pvt data was freed
* is_dn(): free dn
Simo Sorce (1):
* Add a commit template
Stephen Gallagher (1):
* Configure SYSV init scripts properly
Sumit Bose (2):
* sdap_get_generic_ext_send: check if we are still connected
* be_spy_create: free be_req and not the long living data