=== SSSD 1.12.2 ===
The SSSD team is proud to announce the release of version 1.12.2 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 21 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Fixed a regression where the IPA provider didn't fetch User Private Groups correctly
* An important bug in the GPO access control which resulted in a wrong principal being used was fixed
* Several new options are available for deployments that need to restrict a certain PAM service from connecting to a certain SSSD domain. For more details, see the description of pam_trusted_users and pam_public_domains options in the sssd.conf(5) man page and the domains option in the pam_sss(8) man page.
* When SSSD is acting as an IPA client in setup with trusted AD domains, it is able to return group members or full group memberships for users from trusted AD domains. Please note that this feature requires a recent (4.1 Alpha or newer) release of FreeIPA server
* Support for the 'views' feature of IPA. Please note that this feature requires a recent (4.1 Alpha or newer) release of FreeIPA server. Additionally, this feature will be improved in future versions of SSSD.
== Packaging Changes ==
* Some unit tests depend on nss_wrapper and uid_wrapper libraries. These dependencies are optional; if the libraries are not detected during build, the tests are skipped
== Documentation Changes ==
* New PAM responder options pam_trusted_users and pam_public_domains
* New pam_sss module option called domains
* A new template expansion %U that expands into the user's User Principal Name
* The default value of ldap_user_objectsid and ldap_group_objectsid changed from "Not set" to objectSID in the LDAP provider
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1021 [RFE] Add domains= option to pam_sss
https://fedorahosted.org/sssd/ticket/1644 [RFE] Make SSSD capable of downloading GPO policies
https://fedorahosted.org/sssd/ticket/1645 [RFE] Leverage GPO policies to define HBAC
https://fedorahosted.org/sssd/ticket/2041 [RFE] User's home directories and shells are not taken from AD when there is an IPA trust with AD
https://fedorahosted.org/sssd/ticket/2159 [RFE] Support initgroups for unauthenticated AD users
https://fedorahosted.org/sssd/ticket/2340 [RFE] User Principal Name as a template expansion for homedir mappings
https://fedorahosted.org/sssd/ticket/2375 [RFE] SSSD side of IPA user-views
https://fedorahosted.org/sssd/ticket/2412 Error processing universal groups with cross-domain membership in SSSD server mode
https://fedorahosted.org/sssd/ticket/2435 SSSD connection terminated after failing anonymous bind to IBM Tivoli Directory Server
https://fedorahosted.org/sssd/ticket/2437 conflicting gpo policy settings not being resolved correctly
https://fedorahosted.org/sssd/ticket/2442 sssd.conf man page missing subdomains_provider ad support
https://fedorahosted.org/sssd/ticket/2443 Password expiration policies are not being enforced by SSSD
https://fedorahosted.org/sssd/ticket/2447 AD Provider crashes when looking up the "Domain Users" group
https://fedorahosted.org/sssd/ticket/2452 authconfig crashes if case_sensitive=preserving in sssd.conf
https://fedorahosted.org/sssd/ticket/2453 group members returned in lowercase with case_sensitive=preserving
== Detailed Changelog ==
Daniel Gollub (2):
* sysdb: Write additional attrs in sysdb_add_user
* PAM: Add domains= option to pam_sss
Jakub Hrozek (22):
* Updating version for the 1.12.2 release
* LDAP: Always free talloc_req
* LDAP: Do not clobber return value when multiple controls are returned
* TESTS: Add a case-insensitive group search sysdb test
* MAN: AD is allowed value of subdomains_provider
* tests: Add a test for storing custom attrs with automatic ID
* TESTS: Add a unit test for matching the secondary objectclass
* IPA: Use GC for group lookups in server mode
* AD: Add a missing break statement to the GPO code
* LDAP: Do not require a dereference control to be returned in a reply
* MAN: Document the domains option of pam_sss
* MONITOR: Make internal functions static
* SYSDB: move sysdb_get_real_name() from sysdb.c to sysdb_search.c
* BUILD: Use $(MKDIR_P) in Makefile.am
* MAN: Build the sss_rpcidmapd man page conditionally
* UTIL: Do not depend on monitor code
* MONITOR: Remove useless memory contexts
* UTIL: Move become_user outside krb5 tree
* BUILD: Detect nss_wrapper and uid_wrapper during configure
* TESTS: Add a test to change user IDs
* UTIL: Always write capaths
* Updating the translations for the 1.12.2 release
Jan Engelhardt (1):
* build: call AC_BUILD_AUX_DIR before anything else
Lukas Slebodnik (14):
* CI: Add missing debian dependency
* CI: Use default config for mock build
* GPO: Use argument ndg_flags instead of constant
* GPO: remove unused talloc contexts
* DP: Print a type as hexadecimal number in debug message.
* SDAP: Suppress warning maybe-uninitialized
* TOOLS: Fix warning Value stored to is never read
* SDAP: Fix warning Value stored to is never read
* SDAP: test return value of sysdb_search_services
* PAC: Check return value of function hash_entries
* IPA: Fix error handling after talloc_ber_flatten
* GPO: fail if there is problem with storing gpo into sysdb
* GPO: Fail if we cannot retrieve gpo from cache.
* GPO: Do not use output argument if function failed
Michal Zidek (5):
* Add alternative objectClass to group attribute maps
* Use the alternative objectclass in group maps.
* sssd.api.conf: Declare case_sensitive as string
* nss: Preserve case of group members
* LDAP: Change defaults for ldap_user/group_objectsid
Nikolai Kondrashov (11):
* TESTS: Free hbac_info
* TESTS: Free compiled regexes in krb5_utils-tests
* TESTS: Free link paths in symlink tests
* TESTS: Free retrieved sid in test_getsidbyname
* CI: Preserve mock config timestamps
* CI: Don't run dlopen-tests under Valgrind
* CI: Add Valgrind suppression support
* CI: Suppress all detected Valgrind issues
* CI: Enforce Valgrind check
* CI: Remove disabling of Valgrind gdb invocation
* CI: Don't say Valgrind is ignored in README.md
Pavel Březina (8):
* sysdb_get_user_attr: use fqn for subdomain users
* tests: add test for sysdb_get_user_attr with subdomain user
* sss_get_domain_name: check for fq name first
* tests: add test for sss_get_domain_name
* Add sysdb_search_[user|group]_override_attrs_by_name
* Add sysdb_get_user_attr_with_views
* IFP: support views
* sudo: support views
Pavel Reichl (5):
* Fix debug messages - trailing '.'
* PAM: new options pam_trusted_users & pam_public_domains
* SDAP: move deciding of tls usage into new function
* SDAP: check that connection is open before bind
* NSS: UPN as a template expansion for homedir mappings
Stephen Gallagher (4):
* UTIL: Do not change SSSD domains in get_domains_head
* krb5: make get_primary() a public call
* AD GPO: Fix incorrect sAMAccountName selection
* AD GPO: Fix incorrect return of EACCES
Sumit Bose (32):
* name2sid: Check negative cache for users and groups
* sysdb: sysdb_search_group_by_name should work like sysdb_search_user_by_name
* IPA: add support for new extdom plugin version
* pam: sub-domain authentication fix
* add_v1_group_data: fix for empty members list
* nss: add SSS_NSS_GETORIGBYNAME request
* sss_nss_idmap: add sss_nss_getorigbyname()
* sysdb: add sysdb_update_view_name()
* Add sdap_deref_search_with_filter_send()
* IPA: make IPA ID context available to extdom client code
* IPA: add view support and get view name
* views: add ipa_get_ad_override_send()
* sysdb: add sysdb_store_override
* sysdb: add sysdb_attrs_add_val_safe() and sysdb_attrs_add_string_safe()
* sysdb: sysdb_apply_default_override
* views: get overrides during user and group lookups
* views: search overrides for user and group requests
* confdb: add has_views and view_name to sss_domain_info
* new_subdomain: copy view data from parent
* sysdb: add view data to domains
* sysdb: add override lookup calls
* sysdb: add sysdb_getpwnam/uid_with_views()
* sysdb: add sss_view_ldb_msg_find_element/attr_as_string/uint64
* nss: add view support for getpwnam/getpwuid requests
* sysdb: add sysdb_initgroups_with_views()
* nss: add view support to initgroups request
* sysdb: add sysdb_getgrnam_with_views and sysdb_getgrgid_with_views
* nss: add view support for getgr* requests
* sid2name: return name without views applied
* pam: make pam responder aware of views
* sysdb: add sysdb_enumpw/grent_with_views()
* nss: make enumeration requests aware of views
Yassir Elley (1):
* AD-GPO resolve conflicting policy settings correctly
On (20/10/14 17:17), Jakub Hrozek wrote:
> === SSSD 1.12.2 ===
> The SSSD team is proud to announce the release of version 1.12.2 of the System Security Services Daemon.
> As always, the source is available from https://fedorahosted.org/sssd
> RPM packages will be made available for Fedora 21 and rawhide shortly.
Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
LS
On Tue, 21 Oct 2014, Lukas Slebodnik wrote:
> Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
Thanks for this.
In RHEL7 we have sssd-client.i686 available, which gets used by things like 32bit Adobe Acrobat, else they die a death:
"getpwuid_r(): failed due to unknown user id"
Any chance the COPR could include it as well so we've got a full set to test?
jh
On Tue, 2014-10-21 at 09:39 +0100, John Hodrien wrote:
> On Tue, 21 Oct 2014, Lukas Slebodnik wrote:
> > Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> Thanks for this.
> In RHEL7 we have sssd-client.i686 available, which gets used by things like 32bit Adobe Acrobat, else they die a death:
> "getpwuid_r(): failed due to unknown user id"
> Any chance the COPR could include it as well so we've got a full set to test?
There are two problems here.
1) The COPR interface currently only allows building for x86_64 (because there's no i686 release of RHEL to build against).
2) Even if we could build i686 EPEL 7 binaries, COPR doesn't support pulling multilib packages into the same repository. This part could be handled with some clever repo packaging, but currently it doesn't work.
On Tue, 21 Oct 2014 09:39:07 +0100 (BST) John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
> On Tue, 21 Oct 2014, Lukas Slebodnik wrote:
> > Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> Thanks for this.
> In RHEL7 we have sssd-client.i686 available, which gets used by things like 32bit Adobe Acrobat, else they die a death:
> "getpwuid_r(): failed due to unknown user id"
> Any chance the COPR could include it as well so we've got a full set to test?
As a workaround you could force install RHEL's native i686 client. The client protocol hasn't changed (not in incompatible ways anyway) so it should keep working.
Simo.
On Tue, 2014-10-21 at 15:22 -0400, Simo Sorce wrote:
> On Tue, 21 Oct 2014 09:39:07 +0100 (BST) John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
> > On Tue, 21 Oct 2014, Lukas Slebodnik wrote:
> > > Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> > Thanks for this.
> > In RHEL7 we have sssd-client.i686 available, which gets used by things like 32bit Adobe Acrobat, else they die a death:
> > "getpwuid_r(): failed due to unknown user id"
> > Any chance the COPR could include it as well so we've got a full set to test?
> As a workaround you could force install RHEL's native i686 client. The client protocol hasn't changed (not in incompatible ways anyway) so it should keep working.
That's true of the NSS and PAM clients, but I'm not certain about the PAC client or the Kerberos localauth client.
You might have better luck force-installing the fc20 or fc21 sssd-client.i686 package. Hard to say for sure, though.
On Tue, 21 Oct 2014 15:42:10 -0400 Stephen Gallagher <sgallagh@redhat.com> wrote:
> On Tue, 2014-10-21 at 15:22 -0400, Simo Sorce wrote:
> > On Tue, 21 Oct 2014 09:39:07 +0100 (BST) John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
> > > On Tue, 21 Oct 2014, Lukas Slebodnik wrote:
> > > > Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> > > Thanks for this.
> > > In RHEL7 we have sssd-client.i686 available, which gets used by things like 32bit Adobe Acrobat, else they die a death:
> > > "getpwuid_r(): failed due to unknown user id"
> > > Any chance the COPR could include it as well so we've got a full set to test?
> > As a workaround you could force install RHEL's native i686 client. The client protocol hasn't changed (not in incompatible ways anyway) so it should keep working.
> That's true of the NSS and PAM clients, but I'm not certain about the PAC client or the Kerberos localauth client.
> You might have better luck force-installing the fc20 or fc21 sssd-client.i686 package. Hard to say for sure, though.
True, but for Adobe stuff only the nss client matters, I think.
Simo.
On (21/10/14 15:42), Stephen Gallagher wrote:
> On Tue, 2014-10-21 at 15:22 -0400, Simo Sorce wrote:
> > On Tue, 21 Oct 2014 09:39:07 +0100 (BST) John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
> > > On Tue, 21 Oct 2014, Lukas Slebodnik wrote:
> > > > Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> > > Thanks for this.
> > > In RHEL7 we have sssd-client.i686 available, which gets used by things like 32bit Adobe Acrobat, else they die a death:
> > > "getpwuid_r(): failed due to unknown user id"
> > > Any chance the COPR could include it as well so we've got a full set to test?
> > As a workaround you could force install RHEL's native i686 client. The client protocol hasn't changed (not in incompatible ways anyway) so it should keep working.
> That's true of the NSS and PAM clients, but I'm not certain about the PAC client or the Kerberos localauth client.
> You might have better luck force-installing the fc20 or fc21 sssd-client.i686 package. Hard to say for sure, though.
The safest (not the easiest :-) way would be to rebuild srpm locally.
    rpmbuild --buildarch i486 --rebuild sssd.src.rpm
LS
On Tue, 2014-10-21 at 22:02 +0200, Lukas Slebodnik wrote:
> On (21/10/14 15:42), Stephen Gallagher wrote:
> > On Tue, 2014-10-21 at 15:22 -0400, Simo Sorce wrote:
> > > On Tue, 21 Oct 2014 09:39:07 +0100 (BST) John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
> > > > On Tue, 21 Oct 2014, Lukas Slebodnik wrote:
> > > > > Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> > > > Thanks for this.
> > > > In RHEL7 we have sssd-client.i686 available, which gets used by things like 32bit Adobe Acrobat, else they die a death:
> > > > "getpwuid_r(): failed due to unknown user id"
> > > > Any chance the COPR could include it as well so we've got a full set to test?
> > > As a workaround you could force install RHEL's native i686 client. The client protocol hasn't changed (not in incompatible ways anyway) so it should keep working.
> > That's true of the NSS and PAM clients, but I'm not certain about the PAC client or the Kerberos localauth client.
> > You might have better luck force-installing the fc20 or fc21 sssd-client.i686 package. Hard to say for sure, though.
> The safest (not the easiest :-) way would be to rebuild srpm locally.
>     rpmbuild --buildarch i486 --rebuild sssd.src.rpm
Impossible, because they won't have the build dependencies available on the correct architecture.
On (21/10/14 16:11), Stephen Gallagher wrote:
> On Tue, 2014-10-21 at 22:02 +0200, Lukas Slebodnik wrote:
> > On (21/10/14 15:42), Stephen Gallagher wrote:
> > > On Tue, 2014-10-21 at 15:22 -0400, Simo Sorce wrote:
> > > > On Tue, 21 Oct 2014 09:39:07 +0100 (BST) John Hodrien <J.H.Hodrien@leeds.ac.uk> wrote:
> > > > > On Tue, 21 Oct 2014, Lukas Slebodnik wrote:
> > > > > > Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> > > > > Thanks for this.
> > > > > In RHEL7 we have sssd-client.i686 available, which gets used by things like 32bit Adobe Acrobat, else they die a death:
> > > > > "getpwuid_r(): failed due to unknown user id"
> > > > > Any chance the COPR could include it as well so we've got a full set to test?
> > > > As a workaround you could force install RHEL's native i686 client. The client protocol hasn't changed (not in incompatible ways anyway) so it should keep working.
> > > That's true of the NSS and PAM clients, but I'm not certain about the PAC client or the Kerberos localauth client.
> > > You might have better luck force-installing the fc20 or fc21 sssd-client.i686 package. Hard to say for sure, though.
> > The safest (not the easiest :-) way would be to rebuild srpm locally.
> >     rpmbuild --buildarch i486 --rebuild sssd.src.rpm
> Impossible, because they won't have the build dependencies available on the correct architecture.
There would be a way... (rebuild all dependencies: glibc, krb ... :-) but it is not worth it. I wrote: "not the easiest"
LS
On Tue, 21 Oct 2014, Simo Sorce wrote:
> As a workaround you could force install RHEL's native i686 client. The client protocol hasn't changed (not in incompatible ways anyway) so it should keep working.
Ah okay, that's well worth trying, thanks. I just want to have a full setup for testing EL7 with our setup and the version that ships is currently a no-go because of the tokengroups issues I had. A newer 1.12 definitely fixed all my problems, but I was looking for the missing bit as that was breaking some 32bit apps. If I can just force install the old client, that's absolutely fine for now.
jh