=== SSSD 1.9.6 ===
The SSSD team is proud to announce the release of version 1.9.6 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
This is mostly a bugfix release with minor feature enhancements -- see the changelog below for details.
RPM packages will be made available for Fedora 18 shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focused primarily on bug fixing and stabilization. Only minor features were added.
* A new ignore_group_members option was added. This option can be used to suppress downloading group members on group lookups, making the group lookups much faster for environments that do not need to know the group members.
* A new option ldap_rfc2307_fallback_to_local_users was added. If this option is set to true, SSSD is able to resolve local group members of LDAP groups.
* A new option ldap_disable_range_retrieval was added. Switching this option to True skips large Active Directory groups that might otherwise take a long time to download and process.
* A new option refresh_expired_interval was added. This option configures a background task that automatically refreshes entries that are nearing their expiration time. In this release, only refreshing netgroups is implemented.
* Multiple crasher bugs in the fast in-memory cache were fixed.
* Several commits improved portability of SSSD's build system, allowing for easier builds on non-Linux platforms.
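The new options from the highlights, shown where they go in sssd.conf. This fragment is an added example, not part of the release announcement or the SSSD project's own files; the domain names and the interval value are placeholders, and connection settings (server URIs, search bases, credentials) are omitted.

```ini
# Constructed sssd.conf fragment. Domain names are placeholders.
# Comments must be on their own lines, not after a value.

[domain/ldap.example.com]
id_provider = ldap
ldap_schema = rfc2307

# Do not download group members on group lookups. A lookup such as
# "getent group <name>" then returns the group with an empty member list.
ignore_group_members = True

# Allow members of LDAP groups to be resolved when they exist
# only as local users.
ldap_rfc2307_fallback_to_local_users = True

# Interval of the background refresh task, in seconds (placeholder value).
# In 1.9.6 only netgroups are refreshed by this task.
refresh_expired_interval = 3600

[domain/ad.example.com]
id_provider = ad

# Skip large Active Directory groups that would need range retrieval
# instead of downloading and processing them.
ldap_disable_range_retrieval = True
```

With ignore_group_members enabled, anything that reads the member list of a group through NSS sees an empty group, so check for tools or policies that depend on enumerating members before turning it on.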
== Tickets Fixed ==
* https://fedorahosted.org/sssd/ticket/1893 Enabling enumeration causes sssd_be process to utilize 100% of the CPU
* https://fedorahosted.org/sssd/ticket/1890 SSSD doesn't display warning for last grace login.
* https://fedorahosted.org/sssd/ticket/1733 [RFE] support autoconfiguring SUDO with ipa provider and compat tree
* https://fedorahosted.org/sssd/ticket/1912 SUDO is not working for users from trusted AD domain
* https://fedorahosted.org/sssd/ticket/1823 getgrnam / getgrgid for large user groups is too slow due to range retrieval functionality
* https://fedorahosted.org/sssd/ticket/1376 [RFE] Add support for suppressing group members
* https://fedorahosted.org/sssd/ticket/1886 If previous SRV query failed, the next try might not be retried in some cases
* https://fedorahosted.org/sssd/ticket/1947 [abrt] sssd-1.10.0-4.fc19.beta1: get_server_status: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
* https://fedorahosted.org/sssd/ticket/1806 sssd_be goes to 99% CPU and causes significant login delays when client is under load
* https://fedorahosted.org/sssd/ticket/1693 sudoHost mismatch response is incorrect sometimes
* https://fedorahosted.org/sssd/ticket/1933 sssd fails to resolve hosts/services once the network is up
* https://fedorahosted.org/sssd/ticket/1846 cyclic group memberships may not work depending on order of operations
* https://fedorahosted.org/sssd/ticket/2031 sssd fails instead of skipping when a sudo ldap filter returns entries with multiple CNs
* https://fedorahosted.org/sssd/ticket/1932 sssd_be crashing with nested ldap groups contain a dangling member
* https://fedorahosted.org/sssd/ticket/1759 sss_cache -N/-n should invalidate the hash table in sssd_nss
* https://fedorahosted.org/sssd/ticket/2005 SSSD filter out ldap user/group if uid/gid is zero
* https://fedorahosted.org/sssd/ticket/1980 SSSD service randomly dies
* https://fedorahosted.org/sssd/ticket/1986 SYSV init script should use @sbindir@
* https://fedorahosted.org/sssd/ticket/1959 Enhance sssd init script so that it would source a configuration
* https://fedorahosted.org/sssd/ticket/1966 SSSD failover doesn't work if the first DNS server in resolv.conf is unavailable
* https://fedorahosted.org/sssd/ticket/1899 resolv-tests failing with memory leak
* https://fedorahosted.org/sssd/ticket/2018 sssd_nss terminated with segmentation fault
* https://fedorahosted.org/sssd/ticket/1891 unite periodic refresh API
* https://fedorahosted.org/sssd/ticket/1713 [RFE] Add a task to the SSSD to periodically refresh cached entries
* https://fedorahosted.org/sssd/ticket/2029 passwd returns "Authentication token manipulation error" when entering wrong current password
* https://fedorahosted.org/sssd/ticket/1827 Cannot change expired password of an AD user
* https://fedorahosted.org/sssd/ticket/1825 Invalid assignment to enum
* https://fedorahosted.org/sssd/ticket/2059 sss_packet_grow: wrong use of module to pad data
* https://fedorahosted.org/sssd/ticket/2049 sssd_nss core dumps under load
* https://fedorahosted.org/sssd/ticket/2057 Data provider endianess bug
* https://fedorahosted.org/sssd/ticket/1992 AD dyndns update crashed after attempting to update a standalone DNS server
* https://fedorahosted.org/sssd/ticket/1892 In IPA AD trust setup, the sssd logs throws 'sysdb_search_user_by_name failed' error when AD user tries to login via ipa client.
* https://fedorahosted.org/sssd/ticket/2126 sssd_be segfault when authenticating against active directory
== Detailed Changelog ==
Jakub Hrozek (10):
* Bump the version for the 1.9.6 release
* Only try to relink ghost users if we're not enumerating
* Display the last grace warning, too
* IPA: Do not download or store the member attribute of host groups
* LDAP: Fix crash when processing nested groups
* MAN: Clarify the min_id/max_id limits further
* Set default DNS resolution timeout to 6 seconds.
* DP: Use the correct type for DBus boolean
* Make IPA SELinux provider aware of subdomain users
* Updating Transifex URL
* Updating translations for the 1.9.6 release

Lukas Slebodnik (31):
* SUDO: IPA provider
* Removing unused functions.
* Adding option to disable retrieving large AD groups.
* Every time use permissive control in function memberof_mod.
* NSS: allow removing entries from netgroup hash table
* NSS: Clear cached netgroups if a request comes in from the sss_cache
* Do not call sss_cmd_done in function check_cache.
* Handle too many results from getnetgr.
* Removing unused parameter type from sudosrv_get_sudorules_query_cache()
* mmap_cache: Skip records which doesn't have same hash
* mmap_cache: Use stricter check for hash keys.
* UTIL: Create new wraper header file sss_endian.h
* CLIENT: Fix non gnu sss_strnlen implementation
* MONITOR: Move function declaration out of conditional build
* UTIL: Explicitly include header file sys/socket.h
* MEMBEROF: Remove temporary workaround
* IPA_HBAC: Explicitelly include header file time.h
* CONFIGURE: Get rid of bashism
* Include sys/types.h for types id_t and uid_t
* UTIL: Use standard maximum value of type size_t
* mmap_cache: Do not remove record from chain twice
* AUTOTOOLS: Add -LLIBDIR to PYTHON_LIBS
* AUTOTOOLS: Add missing AC_MSG_RESULT
* AUTOMAKE: Use portable way to link with dlopen
* AUTOMAKE: Use portable way to link with gettext
* AUTOTOOLS: Add directories for searching ldap headers and libs
* AUTOTOOLS: Refactor unicode library detection
* AUTOTOOLS: add check for type intptr_t
* AUTOTOOLS: Use pkg-config to detect libraries.
* AUTOTOOLS: More robust detection of inotify.
* AUTOTOOLS: Fix warnings: macro xyz not found in library

Michal Zidek (13):
* Always set port status to neutral when resetting service.
* Lower timeout to contact DNS server
* resolv-tests failing with memory leak
* mmap_cache: Check if slot and name_ptr are not invalid.
* ldap, krb5: More descriptive msg on chpass failure.
* mmap_cache: Check data->name value in client code
* mmap_cache: Remove triple checks in client code.
* mmap_cache: Off by one error.
* mmap_cache: Use better checks for corrupted mc in responder
* mmap_cache: Store corrupted mmap cache before reset
* Rename _SSS_MC_SPECIAL
* man sssd: Add note about SSS_NSS_USE_MEMCACHE
* Check slot validity before MC_SLOT_TO_PTR.

Paul B. Henson (1):
* Add ignore_group_members option.

Pavel Březina (16):
* sudo responder: use fully qualified name for subdomain users
* failover: set state->out when meta server remains in SRV_RESOLVE_ERROR
* collapse_srv_lookup may free the server, make it clear from the API
* failover: if expanded server is marked as neutral, invoke srv collapse
* sudo responder: use different callback for oob refresh
* sudo: skip rule on error instead of failing completely
* sudo: print better debug message when a rule has multiple cn values
* init script: source /etc/sysconfig/sssd
* back end: periodic task API
* back end: periodical refresh of expired records API
* back end: add refresh expired records periodic task
* providers: refresh expired netgroups
* print hint about password complexity when new password is rejected
* sss_packet_grow: correctly pad packet length to 512B
* SIGCHLD handler: do not call callback when pvt data was freed
* is_dn(): free dn

Simo Sorce (1):
* Add a commit template

Stephen Gallagher (1):
* Configure SYSV init scripts properly

Sumit Bose (2):
* sdap_get_generic_ext_send: check if we a re still connected
* be_spy_create: free be_req and not the long living data