Big win for many: Local files and fallback... I've socialized. Thank you!
Regards,
David Sirrine
Principal Technical Account Manager, Public Sector
Strategic Customer Engagement
804-343-6037 (Office)
804-212-7510 (Cell)
On Mon, Mar 6, 2017 at 2:13 PM, Ellen Newlands <enewland(a)redhat.com> wrote:
Congratulations! Very solid work here.
On Sat, Mar 4, 2017 at 1:50 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> SSSD 1.15.1
> ===========
>
> The SSSD team is proud to announce the release of version 1.15.1 of the
> System Security Services Daemon.
>
> This is the first release that is available from SSSD's new home
> at
https://pagure.io/SSSD/sssd The tarball can be downloaded from
>
https://releases.pagure.org/SSSD/sssd/
> RPM packages will be made available for Fedora shortly.
>
> Feedback
> --------
> Please provide comments, bugs and other feedback via the sssd-devel or
> sssd-users mailing lists:
>
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> Highlights
> ----------
> * Several issues related to starting the SSSD services on-demand via
> socket activation were fixed. In particular, it is no longer possible
> to have a service started both by sssd and socket-activated. Another
> bug which might have caused the responder to start before SSSD started
> and cause issues especially on system startup was fixed.
> * A new 'files' provider was added. This provider mirrors the contents
> of '/etc/passwd' and '/etc/shadow' into the SSSD database. The
purpose
> of this new provider is to make it possible to use SSSD's interfaces,
> such as the D-Bus interface for local users and enable leveraging the
> in-memory fast cache for local users as well, as a replacement for
> `nscd`.
> In future, we intend to extend the D-Bus interface to also provide
> setting
> and retrieving additional custom attributes for the files users.
> * SSSD now autogenerates a fallback configuration that enables the
> files domain if no SSSD configuration exists. This allows distributions
> to enable the 'sssd' service when the SSSD package is installed. Please
> note that SSSD must be build with the configuration option
> '--enable-files-domain' for this functionality to be enabled.
> * Support for public-key authentication with Kerberos (PKINIT) was
> added. This support will enable users who authenticate with a Smart
> Card
> to obtain a Kerberos ticket during authentication.
>
> Packaging Changes
> -----------------
> * The new files provider comes as a new shared library 'libsss_files.so'
> and a new manual page
> * A new helper binary called 'sssd_check_socket_activated_responders'
> was added. This binary is used in the 'ExecStartPre' directive to check
> if the service that corresponds to socket about to be started was also
> started explicitly and abort the socket startup if it was.
>
> Documentation Changes
> ---------------------
> * A new PAM module option 'prompt_always' was added. This option is
> related to fixing
https://pagure.io/SSSD/sssd/issue/2984 which
> changed the behaviour of the PAM module so that 'pam_sss' always
> uses an auth token that was on stack. The new 'prompt_always' option
> makes it possible to restore the previous behaviour.
>
> Tickets Fixed
> -------------
> *
https://pagure.io/SSSD/sssd/issue/3112 - When sssd.conf is missing,
> create one with id_provider=files
> *
https://pagure.io/SSSD/sssd/issue/3220 - Improve successful Dynamic
> DNS update log messages
> *
https://pagure.io/SSSD/sssd/issue/3227 - sssd doesn't update PTR
> records if A/PTR zones are configured as non-secure and secure
> *
https://pagure.io/SSSD/sssd/issue/3230 - Use the same logic for
> matching GC results in initgroups and user lookups
> *
https://pagure.io/SSSD/sssd/issue/3260 - handle default_domain_suffix
> for ssh requests with default_domain_suffix
> *
https://pagure.io/SSSD/sssd/issue/3262 - Implement a files provider
> to mirror the contents of /etc/passwd and /etc/groups
> *
https://pagure.io/SSSD/sssd/issue/3270 - [RFE] Add PKINIT support to
> SSSD Kerberos proivder
> *
https://pagure.io/SSSD/sssd/issue/3298 - Socket activation of SSSD
> doesn't work and leads to chaos
> *
https://pagure.io/SSSD/sssd/issue/3299 - SSSD does not start if using
> only the local provider and services line is empty
> *
https://pagure.io/SSSD/sssd/issue/3300 - Avoid running two instances
> of the same service
> *
https://pagure.io/SSSD/sssd/issue/3309 - Coverity warns about an
> unused value in IPA sudo code
> *
https://pagure.io/SSSD/sssd/issue/3313 - cache_req should use an
> negative cache entry for UPN based lookups
> *
https://pagure.io/SSSD/sssd/issue/2984 - Don't prompt for password if
> there is already one on the stack
> *
https://pagure.io/SSSD/sssd/issue/1126 - Reuse cache_req() in
> responder code
>
> Detailed Changelog
> ------------------
> * Fabiano Fidêncio (11):
>
> * IFP: Update ifp_iface_generated.c
> * MONITOR: Wrap up sending sd_notify "ready" into a new function
> * MONITOR: Don't timeout if using local provider + socket-activated
> responders
> * MONITOR: Don't return an error in case we fail to register a service
> * SYSTEMD: Add "After=sssd.service" to the responders' sockets
units
> * SYSTEMD: Avoid starting a responder socket in case SSSD is not
> started
> * SYSTEMD: Don't mix up responders' socket and monitor activation
> * SYSTEMD: Force responders to refuse manual start
> * CACHE_REQ: Add cache_req_data_set_bypass_cache()
> * PAM: Use cache_req to perform initgroups lookups
> * TESTS: Adapt pam-srv-tests to deal with cache_req related changes
>
> * Jakub Hrozek (42):
>
> * Updating the version to track the 1.15.1 release
> * AD: Use ad_domain to match forest root domain, not the configured
> domain from sssd.conf
> * SUDO: Only store lowercased attribute value once
> * NEGCACHE: Add API to reset all users and groups
> * NSS: Add sbus interface to clear memory cache
> * UTIL: Add a new domain state called DOM_INCONSISTENT
> * RESPONDER: Add a responder sbus interface to set domain state
> * RESPONDER: A sbus interface to reset negatively cached users and
> groups
> * DP: Add internal DP interface to set domain state
> * DP: Add internal interface to reset negative cache from DP
> * DP: Add internal interface to invalidate memory cache from DP
> * RESPONDER: Use the NEED_CHECK_DOMAIN macro
> * RESPONDER: Include the files provider in NEEDS_CHECK_PROVIDER
> * RESPONDER: Contact inconsistent domains
> * UTIL: Add a generic inotify module
> * CONFDB: Re-enable the files provider
> * FILES: Add the files provider
> * CONFDB: Make pwfield configurable per-domain
> * CONFDB: The files domain defaults to "x" as pwfield
> * MAN: Document the pwfield configuration option
> * TESTS: move helper fixtures to back up and restore a file to a
> utility module
> * TESTS: add a helper module with shared NSS constants
> * TESTS: Add a module to call nss_sss's getpw* from tests
> * TESTS: Add a module to call nss_sss's getgr* from tests
> * TESTS: Add files provider integration tests
> * MONITOR: Remove checks for sssd.conf changes
> * MONITOR: Use the common inotify code to watch resolv.conf
> * MAN: Add documentation for the files provider
> * EXAMPLES: Do not point to id_provider=local
> * SBUS: Document how to free the result of sbus_create_message
> * FILES: Fix reallocation logic
> * TESTS: Remove unused import
> * DOC: Deprecate README, add README.md
> * MONITOR: Enable an implicit files domain if one is not configured
> * TESTS: Enable the files domain for all integration tests
> * TESTS: Test the files domain autoconfiguration
> * CONFDB: Refactor reading the config file
> * CONFDB: If no configuration file is provided, create a fallback
> configuration
> * UTIL: Store UPN suffixes when creating a new subdomain
> * SYSDB: When searching for UPNs, search either the whole DB or only
> the given domain
> * CACHE_REQ: Only search the given domain when looking up entries by
> UPN
> * Updating translations for the 1.15.1 release
>
> * Justin Stephenson (5):
>
> * FAILOVER: Improve port status log messages
> * SUDO: Add skip_entry boolean to sudo conversions
> * TESTS: Add to IPA DN test
> * DYNDNS: Update PTR record after non-fatal error
> * DYNDNS: Correct debug log message of realm
>
> * Lukas Slebodnik (13):
>
> * BUILD: Fix linking of test_wbc_calls
> * Suppres implicit-fallthrough from gcc 7
> * pam_sss: Suppress warning format-truncation
> * TOOLS: Fix warning format-truncation
> * sssctl: Fix warning may be used uninitialized
> * ldap_child: Fix use after free
> * SYSTEMD: Update journald drop-in file
> * Partially revert "CONFIG: Use default config when none provided"
> * BUILD: Fix linking of test_sdap_initgr
> * intg: Fix python3 issues
> * FILES: Remove unnecessary check
> * Update link to commit template
> * Use pagure links as a reference to upstream
>
> * Pavel Březina (17):
>
> * SBUS: remove unused symbols
> * SBUS: use sss_ptr_hash for opath table
> * SBUS: use sss_ptr_hash for nodes table
> * SBUS: use sss_ptr_hash for signals table
> * ssh: fix number of output certificates
> * ssh: do not create again fq name
> * sss_parse_inp_send: provide default_domain as parameter
> * cache_req: add ability to not use default domain suffix
> * cache_req: search user by name with attrs
> * cache_req: add api to create ldb_result from message
> * cache_req: move dp request to plugin
> * cache_req: add host by name search
> * ssh: rewrite ssh responder to use cache_req
> * ssh: fix typo
> * cache_req: always go to dp first when looking up host
> * NSS: Rename the interface to invalidate memory cache initgroup
> records for consistency
> * CONFDB: The files provider always enumerates
>
> * Petr Čech (5):
>
> * LDAP: Better logging message
> * SYSDB: Removing of sysdb_try_to_find_expected_dn()
> * TEST: create_multidom_test_ctx() extending
> * TESTS: Tests for sdap_search_initgr_user_in_batch
> * IPA_SUDO: Unused value fix
>
> * Sumit Bose (17):
>
> * sdap_extend_map: make sure memory can be freed
> * check_duplicate: check name member before using it
> * pam_sss: check conversation callback
> * PAM: store user object in the preq context
> * PAM: fix memory leak in pam_sss
> * PAM: use sentinel error code in PAM tests
> * utils: new error codes
> * LDAP/proxy: tell frontend that Smartcard auth is not supported
> * authtok: enhance support for Smartcard auth blobs
> * PAM: forward Smartcard credentials to backends
> * p11: return name of PKCS#11 module and key id to pam_sss
> * pam: enhance Smartcard authentication token
> * KRB5: allow pkinit pre-authentication
> * authtok: fix tests on big-endian
> * pam: use authtok from PAM stack if available
> * cache_req: use own namespace for UPNs
> * PAM: Improve debugging on smartcard creds forward
>
> _______________________________________________
> Freeipa-interest mailing list
> Freeipa-interest(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/freeipa-interest
_______________________________________________
Freeipa-interest mailing list
Freeipa-interest(a)redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest