=== SSSD 1.9.0 ===
The SSSD team is proud to announce the release of the System Security Services Daemon version 1.9.0.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, initially for F-18 and rawhide and later also backported to F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
=== New Features === * Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory * The SSSD is able to act as an IPA client in cases where the IPA server has established a trust setup with an Active Directory server - Support for sub-domains for dealing with trust relationships - Add a new PAC responder for dealing with cross-realm Kerberos trusts - The IPA authentication provider now supports subdomains - In scenarios, where the SSSD is acting as an IPA client, it is able to discover and save the DNS domain-Kerberos realm mappings between an IPA server and a trusted Active Directory server. * Add a new fast in-memory cache to speed up lookups of cached data on repeated requests * Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation * Add support for the Kerberos DIR cache for storing multiple TGTs automatically * SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules * The SSSD supports the concept of a Primary Server and a Back Up Server. If the SSSD switches to a back up server because a primary server is not available, it would later try to re-establish a connection to the primary server. * Add native support for autofs to the IPA provider * A new command-line tool sss_seed is available. This tool is able to prime the internal cache with a user record and a cached password to support the scenario when a user needs to log in to the client before the network connection to the centralized identity source is established, such as the first log in to a new machine. * A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value.
=== Important Fixes and Enhancements === * Major performance enhancement when storing large groups in the cache * Major performance enhancement when performing initgroups() against Active Directory * Terminate idle connections to the NSS and PAM responders * The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds * Mutexes in the nss_sss module are now released correctly if one thread in a multithreaded application is cancelled while the mutex is locked * The fail over code works correctly when the IPA provider is not able to establish a GSSAPI-encrypted connection to an IPA server * The SSSD correctly accepts -1 as a valid value of the shadow attributes * When the SSSD is unable to resolve a host name, it tries the next configured server now instead of going offline * The default SELinux login context for IPA users was changed to unconfined_t when there are no rules on the server * A file descriptor leak in cases the SSSD was unable to establish SSL connection to an LDAP server was fixed * Potential crash when one of two parallel requests would expire the list of servers resolved from a SRV query * Fixed a crash that occured when a service was requested by both name and protocol
=== Packaging Changes === * SSSDConfig data file default locations can now be set during configure for easier packaging * Switch from libunistring to glib2 for unicode support * A new Python wrapper around the murmur hash library has been introduced. It is only useful to the FreeIPA server at the moment. * a new binary, called sss_seed is available. The binary is installed to /usr/sbin/sss_seed by default and includes its own manual page. * The SSSD uses a new directory to store the DNS domain - Kerberos realm mappings. The default location is /var/lib/sss/pubconf/krb5.include.d
== Tickets fixes == https://fedorahosted.org/sssd/ticket/1331 Off-by-one error in sss_hmac_sha1 https://fedorahosted.org/sssd/ticket/1364 [abrt] sssd-1.8.3-11.fc16: set_server_common_status: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) https://fedorahosted.org/sssd/ticket/1438 SSSD crashes at boot time https://fedorahosted.org/sssd/ticket/1452 Authentication fails if kpasswd cannot be resolved https://fedorahosted.org/sssd/ticket/1454 if allocation fails, sss_mmap_cache_init may dereference NULL pointer https://fedorahosted.org/sssd/ticket/1458 Full sudo refresh is scheduled even if there is no sudo responder https://fedorahosted.org/sssd/ticket/1466 Proxy: Cannot retrieve an user after a group he is a member of was retrieved https://fedorahosted.org/sssd/ticket/1467 enumeration is broken in the proxy provider https://fedorahosted.org/sssd/ticket/1479 Hbac logs show wrong rule name granting access https://fedorahosted.org/sssd/ticket/1486 [abrt] sssd-1.8.4-14.fc17: sss_ldap_init_send: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) https://fedorahosted.org/sssd/ticket/1496 [abrt] sssd-1.8.4-14.fc17: ldap_pvt_sasl_getmechs: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) https://fedorahosted.org/sssd/ticket/1505 sudo with sss backend should use ipa_hostname https://fedorahosted.org/sssd/ticket/1509 libsss_sudo is not updated when yum update sssd is called https://fedorahosted.org/sssd/ticket/1513 Change the processing of the SELinux default map https://fedorahosted.org/sssd/ticket/1515 pam_sss report System Error on wrong password https://fedorahosted.org/sssd/ticket/1516 krb5_mod_ccname should cancel the transaction at one place only https://fedorahosted.org/sssd/ticket/1519 membership of IPA hostgroups is not evaluated when treating them as netgroups https://fedorahosted.org/sssd/ticket/734 on reconnect we need to detect that a ipa/ds server has been reinitialized https://fedorahosted.org/sssd/ticket/1156 Do not use "goto" to jump backwards in the proxy code https://fedorahosted.org/sssd/ticket/1194 when nesting limit is reached, the LDAP provider tries to establish link to members outside the nesting limit https://fedorahosted.org/sssd/ticket/1345 sssd does not warn into sssd.log for broken configurations https://fedorahosted.org/sssd/ticket/1365 ipv6 address with square brackets doesn't work for krb5_server https://fedorahosted.org/sssd/ticket/1388 domain.remove_provider() does not work https://fedorahosted.org/sssd/ticket/1390 Add support for nested automount maps https://fedorahosted.org/sssd/ticket/1393 shadow attributes should accept -1 https://fedorahosted.org/sssd/ticket/1396 Kerberos validation algorithm is insufficient for cross-realm trusts https://fedorahosted.org/sssd/ticket/1415 Group lookups no longer work when fastcache cannot be initialized https://fedorahosted.org/sssd/ticket/1416 sssd_be crashes on using inappropriate keytab file https://fedorahosted.org/sssd/ticket/1430 Password change prompt doesn't appear when "User must change password on next logon" is set for a AD user. https://fedorahosted.org/sssd/ticket/1436 LOCAL domain lookups don't work https://fedorahosted.org/sssd/ticket/1446 sssd does not try another server when unable to resolve hostname https://fedorahosted.org/sssd/ticket/1447 Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted LDAP connection https://fedorahosted.org/sssd/ticket/1453 proxy provider: value stored to status is never read in get_pw_name https://fedorahosted.org/sssd/ticket/1455 SELinux code must fall back to default only if there are no rules on the server https://fedorahosted.org/sssd/ticket/1456 Attempt to close the same file stream twice https://fedorahosted.org/sssd/ticket/1457 Insecure temporary file in IPA subdomain provider https://fedorahosted.org/sssd/ticket/1459 SRV servers are always marked as back up https://fedorahosted.org/sssd/ticket/1460 SSSD thread issue can cause the application to not get any identity information https://fedorahosted.org/sssd/ticket/1470 FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context https://fedorahosted.org/sssd/ticket/1472 Duplicate detection in fail over does not work https://fedorahosted.org/sssd/ticket/1478 ldap_autofs_* options missing from /usr/share/sssd/sssd.api.d/sssd-ldap.conf https://fedorahosted.org/sssd/ticket/1480 1.9.0b6 does not build with SELinux disabled https://fedorahosted.org/sssd/ticket/1488 Segfault in IPA subdomain provider https://fedorahosted.org/sssd/ticket/1490 SSSD does not close TCP connections when SSL fails https://fedorahosted.org/sssd/ticket/1491 Consolidate functions that make a realm upper-case https://fedorahosted.org/sssd/ticket/1492 There is no /etc/selinux/targeted/logins on RHEL5 https://fedorahosted.org/sssd/ticket/1500 SSSD's default ccache location needs to be updated (again), and the man pages should reflect it https://fedorahosted.org/sssd/ticket/904 Create tool to seed a user for first-boot https://fedorahosted.org/sssd/ticket/1087 RFE: Allow Forcing User Shell https://fedorahosted.org/sssd/ticket/1128 Introduce the concept of a Primary Server in SSSD https://fedorahosted.org/sssd/ticket/1185 [Feature] AD Extensions https://fedorahosted.org/sssd/ticket/1318 RFE: make the NSS memory cache timeout configurable https://fedorahosted.org/sssd/ticket/1368 Missing hostid and subdomains sections in sssd-ipa.conf https://fedorahosted.org/sssd/ticket/1380 domain_realm mappings manipulation by sssd https://fedorahosted.org/sssd/ticket/1418 document how sudo works with sssd https://fedorahosted.org/sssd/ticket/1420 sudo: provide automatic configuration of machine hostnames https://fedorahosted.org/sssd/ticket/1427 Don't refersh HBAC rules when looking up SELinux rules https://fedorahosted.org/sssd/ticket/1429 IPA session code returns error when SELinux mapping rule links to an HBAC rule https://fedorahosted.org/sssd/ticket/1432 Mention AD Provider in manpage of sssd.conf https://fedorahosted.org/sssd/ticket/1433 Suggested additions to manpage of sssd-ad https://fedorahosted.org/sssd/ticket/1435 SELinux specifity does not work with HBAC rules https://fedorahosted.org/sssd/ticket/1439 sss_pam needs to write out SELinux login file during the account phase https://fedorahosted.org/sssd/ticket/1445 The SELinux login file needs to be created by the responder, not PAM module https://fedorahosted.org/sssd/ticket/1448 sss_seed tool review issues https://fedorahosted.org/sssd/ticket/1360 format of file for pam_selinux is incorrect https://fedorahosted.org/sssd/ticket/1379 Possible use of uninitialized values https://fedorahosted.org/sssd/ticket/1395 SELinux rule matching ignores specificity requirement https://fedorahosted.org/sssd/ticket/1417 Several unowned directories https://fedorahosted.org/sssd/ticket/1419 sssd incorrectly sets shadowLastChange in seconds not days https://fedorahosted.org/sssd/ticket/1421 selinux rules are never deleted from sysdb https://fedorahosted.org/sssd/ticket/1422 When ldap_sasl_minssf is assigned large values, appropriate error message should be logged sssd_DOMAIN log https://fedorahosted.org/sssd/ticket/1431 Set "krb5_canonicalize = False" for password change to work https://fedorahosted.org/sssd/ticket/1239 [RFE] sudo: send username and uid while requesting default options https://fedorahosted.org/sssd/ticket/1299 Per domain formats for qualified user names https://fedorahosted.org/sssd/ticket/1352 [RFE] Add the subdomain functionality to IPA auth provider https://fedorahosted.org/sssd/ticket/1377 [RFE] Add AD provider https://fedorahosted.org/sssd/ticket/1382 pac responder interface needs checks https://fedorahosted.org/sssd/ticket/1385 heimdal: compile time diference https://fedorahosted.org/sssd/ticket/1398 Dependency issue while "yum update libsss_sudo" https://fedorahosted.org/sssd/ticket/1403 Combine keytab options for AD provider https://fedorahosted.org/sssd/ticket/1404 AD provider should default to case-insensitive operation https://fedorahosted.org/sssd/ticket/1407 Revert sssd patch for limiting enctypes to keytab https://fedorahosted.org/sssd/ticket/1409 Resource leak in sssdpac_import_authdata https://fedorahosted.org/sssd/ticket/1410 Dead code in ipa_subdomains_handler_done() https://fedorahosted.org/sssd/ticket/1412 Starting SSSD with a domain using the LOCAL provider segfaults the responders https://fedorahosted.org/sssd/ticket/1163 [Feature] SSSD AD Integration Feature (Cross Realm Kerberos Trusts) https://fedorahosted.org/sssd/ticket/1354 Add support for terminating idle connections in sssd_nss https://fedorahosted.org/sssd/ticket/1383 sssd_nss segfaults performing netgroup lookups without a specified domain https://fedorahosted.org/sssd/ticket/974 [RFE] Support DIR: credential caches for multiple TGT support https://fedorahosted.org/sssd/ticket/984 RFE: sssd should support Netscape LDAP password expiration controls https://fedorahosted.org/sssd/ticket/1213 Warn to syslog when dereference requests fail https://fedorahosted.org/sssd/ticket/1240 sudo: contact data provider only once https://fedorahosted.org/sssd/ticket/1255 RFE: change the way we deal with fake users https://fedorahosted.org/sssd/ticket/1256 Document the expectations about ghost users showing in the lookups https://fedorahosted.org/sssd/ticket/1330 Potential NULL dereference in sss_krb5_read_etypes_for_keytab https://fedorahosted.org/sssd/ticket/1336 Please only use named parameters in translatable strings https://fedorahosted.org/sssd/ticket/1337 Minor typos in SSSD messages and man pages https://fedorahosted.org/sssd/ticket/1346 in-memory cache causes nss to segfault if it cannot be initialized properly https://fedorahosted.org/sssd/ticket/1367 Optimize AD memberOf lookups with LDAP_MATCHING_RULE_IN_CHAIN https://fedorahosted.org/sssd/ticket/357 SSSD should provide fast in memory cache to provide similar functionality as NSCD currently provides https://fedorahosted.org/sssd/ticket/783 Support range retrievals https://fedorahosted.org/sssd/ticket/887 Implement mechanism to fetch and store domain info https://fedorahosted.org/sssd/ticket/917 Document sss_tools better https://fedorahosted.org/sssd/ticket/949 Filter out inappropriate IP addresses from IPA dynamic DNS update https://fedorahosted.org/sssd/ticket/996 RFE: Allow Constructing uid from Active Directory objectSid https://fedorahosted.org/sssd/ticket/1031 [RFE] Implement "AD friendly" schema mapping https://fedorahosted.org/sssd/ticket/1064 Sub-Domains: define new get_domains method https://fedorahosted.org/sssd/ticket/1065 Sub-Domains: implement new get_domains method in IPA provider https://fedorahosted.org/sssd/ticket/1067 Sub-Domains: add new get_domains method to responders https://fedorahosted.org/sssd/ticket/1114 get_uid_from_pid() perfoms an improper read https://fedorahosted.org/sssd/ticket/1119 Monitor SIGKILL time should be configurable https://fedorahosted.org/sssd/ticket/1140 RFE Request for including pam_pwd_expiration_warning = 0 in sssd.conf https://fedorahosted.org/sssd/ticket/1170 sss_cache should support invalidating services and autofs maps https://fedorahosted.org/sssd/ticket/1172 Bad check for id_provider=local and access_provider=permit https://fedorahosted.org/sssd/ticket/1174 sssd.conf has wrong defaults for the "command" parameter https://fedorahosted.org/sssd/ticket/1176 SSH: Add dp_get_host_send to common responder code https://fedorahosted.org/sssd/ticket/1181 Typos in sssd manual https://fedorahosted.org/sssd/ticket/1203 Hash the hostname/port information in the known_hosts file. https://fedorahosted.org/sssd/ticket/1209 Convert all read and write loops to use atomic I/O function https://fedorahosted.org/sssd/ticket/1233 Memory leak in sss_sudo_send_recv_generic https://fedorahosted.org/sssd/ticket/1250 Add default home directory mapping https://fedorahosted.org/sssd/ticket/1271 Stop using HTML_FOOTER_DESCRIPTION in doxygen docs https://fedorahosted.org/sssd/ticket/1281 Add unit test for compatibility of ldap options between schemas https://fedorahosted.org/sssd/ticket/1289 Create a way to define a default shell for cases when there no shell https://fedorahosted.org/sssd/ticket/1297 Use keytab to select etypes for krb5_get_init_creds_keytab() https://fedorahosted.org/sssd/ticket/1298 Invalid cache file created when canoning principals during krb5_get_init_creds_keytab() https://fedorahosted.org/sssd/ticket/1301 sss_cache does nothing when executed without any options. https://fedorahosted.org/sssd/ticket/1305 sss_cache should return a warning/error while validating unknown user/group https://fedorahosted.org/sssd/ticket/1306 sss_cache should return an error, when executed against inactive domains https://fedorahosted.org/sssd/ticket/1313 exec_child, execv and friends don't return success https://fedorahosted.org/sssd/ticket/1316 kpasswd server status set to working when Kerberos auth succeeds
== Detailed Changelog == Ariel Barria (6): * Bad check for id_provider=local and access_provider=permit * Potential NULL dereference in proxy provider * Warn to syslog when dereference requests fail * Clarify how comments work in sssd.conf * SIGUSR2 should force SSSD to reread resolv.conf as well * Missing resolv.conf should be non-fatal
George McCollister (1): * libcrypto fully implemented
Jakub Hrozek (205): * Fix SSH compilation on RHEL5 * AUTOFS: IPA provider * Two sssd-ldap manual pages fixes * Fix group enumeration * Only fetch SELinux string if the user is found * Remove setent structure when callback is called * Allocate setent structure on state, not on the client context * Fix memory hierarchy when processing nested group memberships * Fix case insensitive service lookups * Include the fd_limit configuration option * End request if ldap_parse_result fails * remove unused function * Save errno value before calling DEBUG * libnl: fix the path to phy80211 subdirectory * AUTOFS: Invoke implicit setautomntent if needed * AUTOFS: Search all search bases for automounter map entries * AUTOFS: speed up the client by requesting multiple entries at once * Use proper errno code * Only do one cycle when resolving a server * krb5_child: set debugging sooner * Search netgroups by alias, too * Detect cycle in the fail over on subsequent resolve requests only * Autofs: operate on contents of double-pointer, not address * Only free returned values on success * Save original name into the in-memory cache * Handle errors from lookup_netgr_step gracefully * Fix nested groups processing * Fix netgroup error handling * Handle empty elements in proxy netgroups: * Fix uninitialized variable * Free entry found in negative cache * Make the string_equal() function public * Save alias of the primary name, too * NSS: Look for services with correct case when cache is updated * AUTOFS: fix copy-and-paste bug in the autofs client * LDAP services: Keep the protocol around * Silence Coverity warning in the autofs test tool * Return correct resolv_status on resolver timeout * Add sss_get_cased_name_list utility function * LDAP services: Save lowercased protocol names in case-insensitive domains * Proxy services: Save lowercased protocol names and aliases in case-insensitive domains * Fix off-by-one error in principal selection * Catch cases where D-Bus connection is NULL * Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION * Fix regression in SSSDConfig.py * netlink integration: ensure that interface name is NULL-terminated * Remove forgotten DEBUG message * autofs: load the correct option * man: document that referral chasing might bring performance penalty * Prevent printing NULL from DEBUG messages * Do not call sdap_auth if not needed * pam_sss: improve error handling in SELinux code * Remove the "command" option from documentation * Add sysdb_set_service_attr and sysdb_set_autofsmap_attr * sss_cache: support invalidating services and autofs maps * autofs: Raise the maximum key length to PATH_MAX * sss_cache: Better error reporting * MAN: timeout can be specified for services, too * MAN: document the hostid and autofs providers * proxy: Canonicalize user and group names * proxy: new option proxy_fast_alias * Free controls in sdap_rebind_proc * Make the monitor SIGKILL time configurable * sdap_check_aliases must not error when detects the same user * sss_atomic_io: Do not fail reads with EPIPE if there is not enough data to read * Move atomic io function to a separate module * Convert read and write operations to sss_atomic_read * Document sss_tools better * Warn on 'make update-po' if there are manpages not listed in po4a.cfg * Test RFC2307bis and RFC2307 option maps * Get the RootDSE after binding if not successfull before * Lowercase group members in case-insensitive domains * NSS: Only return data from initgroups once * SUDO: Return ret, not EOK * SYSDB: return EOK if empty message is passed into get_rm_msg * SYSDB: check return value * SSH: return NULL on error in ssh_host_pubkeys_format_known_host_plain * SERVER: use the correct return code of sss_atomic_write_s * LDAP: check return value of sysdb_attrs_get_el * RESPONDER: check return value from confdb_get_int * PYHBAC: Return NULL on failure * PAM_SSS: report error code if write fails * NSS: Check return code of sss_mmap_cache_gr_store * IPA netgroups: return EOK when there are no netgroups to process * ipa_get_config_send: remove unused assignment * HBAC: Prevent NULL dereference in hbac_evaluate * DP: return correct error message when subdomains back end target is not configured * NSS: fix returning group from cache * SSS_DEBUGLEVEL: silence analyzer warnings * PROXY: return correct return codes * IPA: Check return values * AUTOFS: remove unused assignments * Rename split_service_name_filter * SSH: Add dp_get_host_send to common responder code * Read sysdb attribute name, not LDAP attribute map name * Kerberos locator: Include the correct krb5.h header file * Special-case LDAP_SIZELIMIT_EXCEEDED * krb5 locator: Do not leak addrinfo * Only reset kpasswd server status when performing a chpass operation * Try all KDCs when getting TGT for LDAP * Send the correct enumeration request * subdomains: Fix error handling in Data Provider * Filter out IP addresses inappropriate for DNS forward records * sysdb: return proper error code from sysdb_sudo_purge_all * SYSDB: Handle user and group renames better * NSS: keep a pointer to body after body is reallocated * Use sized_string correctly in FQDN domains * Use the sysdb attribute name, not LDAP attribute name * LDAP nested groups: Do not process callback with _post deep in the nested structure * Send 16bit protocol numbers from the sss_client * Revert the client packet length, too, after reverting the packet protocol * Fix the default sssd.conf path * Fix the 0.11 sysdb upgrade * sss_names_init: Report correct error code if allocation failed * Two small krb5_child fixes * Provide more debugging in krb5_child and ldap_child * Allow redefining the KRB5_CHILD path * Split parse_krb5_child_response so it can be reused * Add a krb5_child test tool * Residual util functions * Handle trailing slash in the ccname template * Add a credential cache back end structure * Add support for storing credential caches in the DIR: back end * Use Kerberos context in KRB5_DEBUG * Make krb5_ccname_template and krb5_ccachedir configurable * Print based on pointer contents not address * Cast uid_t to unsigned long long in DEBUG messages * Update translations for 1.9.0 beta 4 release * Bumping version to 1.9.0 beta 5 * Add newline to DEBUG messages * RPM: Own several directories * Add missing "%" to specfile * IPA: Download defaults even if there are no SELinux mappings * SYSDB: Delete SELinux mappings * IPA: Return and save all SELinux rules in the provider * PAM: Fix off-by-one-error in the SELinux session code * Update translations for 1.9.0 beta 5 release * Bumping version to 1.9.0 beta 6 * Fix sysdb_search_selinux_usermap_by_username return value * Fix SSSDConfigTest * Fix bad check * Create a domain-realm mapping for krb5.conf to be included * Update translations for 1.9.0 beta 6 release * Bumping version for the 1.9.0 release * Don't call fo_set_{server,port}_status for SRV servers * Fix the version number * SYSDB: Check the return value * SYSDB: Use ldb_msg_add_string for simple string additions * Failover: Return last tried server if it's still being tried * Subdomains: Send the DP reply in the correct format * Always mark SRV servers as primary * Allocate on top of a talloc context, not NULL * Abort PAM access phase if HBAC does not return PAM_SUCCESS * Change default for ldap_idmap_range_min to 200000 * Don't use server after SRV data collapsed * Document entry_cache_autofs_timeout * Add autofs-related options to configAPI * sss_client: Group lookups should work even when fastcache cannot be initialized * FO: Don't retry the same server if it's not working * FO: Return EAGAIN if there are more servers to try * KRB5: Only return PAM error for unreachable kpasswd when performing chpass * Build SELinux code in responder conditionally * Do not try to remove the temp login file if already renamed * Only create the SELinux login file if there are mappings on the server * Fix compilation error in Python murmurhash bindings * Process all groups from a single nesting level * Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client * RPM: Switch the default ccache location * RPM: Always include the patch file * Check if the SELinux login directory exists * SYSDB: Commit transaction in sysdb_store_user * SYSDB: Abort unit test if sysdb_getpwnam fails * Retry the next server if bind during LDAP auth times out * Don't terminate the same connection twice * Update translations for 1.9.0 beta 7 release * Bumping version for the 1.9.0 beta 7 release * libsss_sudo should have a versioned dependency on SSSD * KRB5: cancel the sysdb transaction on one place only * KRB5: Return PAM_AUTH_ERR on incorrect password * RPM: BuildRequire selinux-policy-targeted * SYSDB: NULL-terminate the output of sysdb_get_{ranges,subdomains} * KRB5: Add a missing string argument * NSS: Fix off-by-one error in parse_getservbyname * FO: Check server validity before setting status * DB: Always write the SELinux object to sysdb * SELinux: Always use the default if it exists on the server * Updating the translations for the 1.9.0 RC1 release * Updating the version for the RC1 release * KRB5 child: Don't return System Error on empty password * KRB5 child: handle more error codes gracefully * DB: Cancel transaction in sysdb_store_user if sysdb_add_user fails * Mark the fastcache files in the spec file as %ghost * autofs, sudo, ssh and PAC are not experimental anymore * AUTOFS: Do not fail if search base is not provided * AUTOFS: Add sysdb tests * AUTOFS: Add entry objects below map objects * AUTOFS: Use both key and value in entry RDN * AUTOFS: convert the existing autofs entries during a sysdb upgrade * SYSDB: Remove unnecessary domain parameter from several sysdb calls * DB: Use TALLOC_CTX for talloc context * KRB5: Recover gracefully if the ccache file could not be reused * Detect LDAPDerefRes in configure script * RPM: Create ghost files during install * Set the version number to 1.9.0 for the release * Updating translations for the 1.9.0 release
Jan Cholasta (29): * Add methods for activating and deactivating services to SSSDConfig * Add ssh service to sssd.api.conf * SSH: Verify that names received from client are valid UTF-8 in responder * SSH: Build man pages conditionally * SSH: Save SSH host name aliases * SSH: Refactor responder and client common code * UTIL: Add function for atomic I/O * SSH: Continue connecting to SSH server even when SSSD is not running in sss_ssh_knownhostsproxy * SSH: Manage global known_hosts file in the responder * SSH: Don't abort known_hosts update when host search fails * SSH: Add more debugging messages * SSH: Add missing break statements to sss_ssh_format_pubkey * SSH: Use fchmod instead of chmod on known_hosts file * SSH: Replace blocking getaddrinfo call in the responder with asynchronous resolver code * SSH: Remove unused --file option of sss_ssh_knownhostsproxy * SSH: Update sss_ssh_knownhostsproxy manual page * Include missing source files to the list of source files which contain translatable strings * SSH: Allow clients to explicitly specify host alias * SSH: Canonicalize host name and do reverse DNS lookup in sss_ssh_knownhostsproxy * SSH: Fix infinite loop in sss_ssh_knownhostsproxy * UTIL: Add HMAC-SHA-1 function * SSH: Add support for hashed known_hosts * SSH: Update sss_ssh_knownhostsproxy manual page * SSH: Supress error message output in sss_ssh_knownhostsproxy * SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing * SSH: Return error code in SSH utility functions * SSH: Simplify public key formatting function * SSH: Add support for OpenSSH-style public keys * SSH: Fix possible infinite loop when updating known_hosts
Jan Engelhardt (1): * build: resolve link failure
Jan Vcelak (1): * LDAP: Properly cast type for MINSSF value
Jan Zeleny (87): * Fixed issue with netgroup update in IPA provider * Don't give memory context in confdb where not needed * IPA hosts refactoring * SELinux related attributes added to config API * Delete missing attributes from netgroups to be stored * Modifications to simplify list_missing_attrs * Fix the script path * Fixed uninitialized pointer in SSH known host proxy * Fixed uninitialized pointer in SSH authorized keys client * Add umask before mkstemp() call in SSH responder * Fixed resource leak in ssh client code * Removed a block of dead code in sdap_async_groups.c * Removed unused block of code is sdap_fill_memberships() * Removed unused function sysdb_attrs_users_from_ldb_vals() * Fixed memory context in sdap_fill_memberships() * Fixed minor memory leak in ldap provider * Sysdb routines for subdomains * Add some utility functions for subdomains * Add conn_name to allow different names for domains and connections * Responder part of the subdomain retrieval work * Modified responder_get_domain() * Retrieve subdomains if there is a request for fully qualified user * Ask for subdomains in responder in the first request after startup * New config option for subdomains * Moved expand_homedir_template() from NSS responder to utility code * Add ID operations in subdomains * Send PAM requests for subdomains to the right provider * Basic support for subdomains in auth provider * Carry sysdb context and domain info in be_req structure * Accept be_req instead if be_ctx in LDAP access provider * Detect subdomain request in IPA access provider * Utilize sysdb context within be_req in HBAC * Two fixes in responder subdomain code * Modify behavior of pam_pwd_expiration_warning * Fixed two minor memory leaks * Fixed issue in SELinux user maps * Ghost members - add the ghost attribute to sysdb * Ghost members - support in LDAP provider * Ghost members - support in proxy provider * Ghost members - modifications in sysdb * Ghost members - modifications in memberof plugin * Ghost members - sysdb upgrade routine * Ghost members - NSS responder changes * Ghost members - removed sdap_check_aliases() * Ghost members - modified sss_groupshow * Ghost members - various small changes * Add support for filtering atributes * Utilize attribute exclusion in LDAP initgroups * Fixed setting of debug level in test suite * IPA subdomains - ask for information about master domain * Allow fast memcache timeout to be configurable * Fix an issue in ghost users * Provide "service filter" for SELinux context * Fixed debug message in sdap_save_group() * Fix possible segfault in sdap_save_group() * PAC responder: add some utility functions * PAC responder: test suite * Fix re_expression matching with subdomains * SELinux user maps: pick just one map * Fixed wrong number in shadowLastChange * Add function sysdb_attrs_copy_values() * Modify priority evaluation in SELinux user maps * Added some DEBUG statements into SELinux related code * Extend category support in SELinux user maps * Remove ipa_selinux_map_merge() * Fix linking of HBAC rules and SELinux user maps * Provide counter of possible matches in SELinux IPA provider * Always free request in data provider PAM callback * Renamed session provider to selinux provider * Move SELinux processing from session to account PAM stack * Remove unused member of be_req * Write SELinux config files in responder instead of PAM module * Modify hbac_get_cached_rules() so it can be used outside of HBAC code * Support fetching of HBAC rules from sysdb in SELinux code * Support fetching of host from sysdb in SELinux code * Primary server support: introduce concept of reconnection * Primary server support: basic support in failover code * Primary server support: support for "disconnecting" connections in LDAP * Primary server support: IPA adaptation * Primary server support: krb5 adaptation * Primary server support: LDAP adaptation * Primary server support: AD adaptation * Primary server support: man page, failover section * Primary server support: new option in ldap provider * Primary server support: new options in krb5 provider * Primary server support: new option in IPA provider * Primary server support: new option in AD provider
Joshua Roys (1): * Simple implementation of Netscape password warning expiration control
Marco Pizzoli (1): * Two manual pages fixes
Michal Zidek (18): * Fixed: Unchecked return value from dp_opt_set_int. * Fixed: Uninitialized value in krb5_child-test if ccname was specified. * Added unit test for sysdb_ssh.c * Return value of fread in src/tools/sss_debuglevel.c no longer ignored. * Change default value of ldap_sasl_string to host/hostname@REALM in man page. * SRV resolution for backup servers should not be permitted. * When ldap_group_nesting_level was reached, the LDAP provider tried to link group members with groups outside nesting limit. * Duplicate detection in fail over did not work. * Typo in debug message (SSSd -> SSSD). * Unify usage of sysdb transactions * Fix: IPv6 address with square brackets doesn't work. * Adding -std=gnu99 flag. * Unify usage of sysdb transactions (part 2). * LDB_ERR_INVALID_ATTRIBUTE_SYNTAX added to sysdb_error_to_errno. * SSSD fails to store users if any of the requested attribute is empty. * tools_util.h provides signal_sssd function. * sss_cache tool invalidates records in memory cache. * Bad debug message when no dns_discovery_domain specified.
Nick Guay (4): * added DEBUG messages to krb5_child and ldap_child * Fix uninitialized values * First-boot sss_seed tool * remove duplicate sss_obfuscate reference in seealso manpage section
Ondrej Kos (7): * Removed unused variable assignment * Replaced "id_max" & "id_min" * Backward GOTOs rewritten into do-while loops. * AD context was set to null due to type mismatch * Consolidation of functions that make realm upper-case * Out-of-bounds read fix in hmac-sha-1 * Add more debuginfo into ldap_child
Pavel Březina (96): * Improve debug messages in sysdb_sudo_check_time() * SUDO responder: check if the input is a UTF-8 string * Refactor sss_result into sss_sudo_result * Redesign purging of the sudo cache * Honor case_sensitive option in sudo responder * Move sudo_dom_ctx.user to local variable * Hide --debug option in sss_debuglevel * Two memory leaks in sss_sudo_get_values * Missing debug message if sdap_sudo_refresh_set_timer fails * Use of unininitialized value in sudosrv_cache_set_entry and sudosrv_cache_lookup_internal * Use of unininitialized value in sss_sudo_parse_response * Potential NULL-dereference in sudosrv_cmd_get_sudorules * sudo api: check sss_status instead of errnop in sss_sudo_send_recv_generic() * Install and uninstall all documentation * fix copy and paste error in comment * Fix typo in debug message * sudo api: remove EOK * sudo responder: remove code duplication in commands * sudo responder: get rid of dctx where possible * sudo sysdb: make sysdb_get_sudo_user_info more configurable * sudo api: send uid, username and domainname * sudo responder: change protocol version to 1 * libsss_sudo: bump version to 2:0:1 * sudo responder: discard in-memory cache * sudo ldap provider: move async routines to sdap_async_sudo.c * sudo ldap provider: give sdap_sudo_refresh_send() search and purge filters * confdb: add entry_cache_sudo_timeout option * sudo ldap provider: add sysdb ctx in sdap_sudo_refresh_state * sudo ldap provider: add domain info in sdap_sudo_refresh_state * sudo ldap provider: add expiration time to each rule * sysdb: add getter/setter for last sudo full refresh time * sudo ldap provider: provide API for full refresh * sudo ldap provider: add support for on demand full refresh * sudo ldap provider: provide API for refresh of specific rules * sudo ldap provider: add support for on demand refresh of specific rules * sudo backend - support only on demand full refresh * sudo backend - add support for on demand refresh of specific rules * sudo provider: add ldap_sudo_full_refresh_interval * sudo provider: remove old timer * sudo ldap provider: add new timer API * sysdb: remove sudo_set/get_refreshed * sudo ldap provider: support periodical full refresh * ldap provider: add sudo usn value * sudo ldap provider: find highest USN * sudo ldap provider: add sdap_sudo_set_usn() * sudo ldap provider: remember highest usn after full refresh * sudo ldap provider: add smart refresh API * sudo ldap provider: when sysdb filter is NULL remove downloaded rules * sudo provider: add ldap_sudo_smart_refresh_interval * sudo ldap provider: add periodical smart refresh API * sudo ldap provider: support periodical smart refresh * sudo responder: new request enum type * sudo sysdb: add expiration time to the filter * sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache() * sudo responder: update dp interface * sudo responder: refresh expired rules * sudo ldap provider: return number of downloaded rules in sdap_sudo_refresh_recv() * sudo ldap provider: notify responder when an expired rule has been deleted * sudo responder: schedule OOB full refresh when expired rule is deleted * sudo: clean up * sudo ldap provider: modify highest USN in sdap_sudo_rules_refresh_done() * sdap_sudo.c: move _recv after _done * sudo ldap provider: pass sudo_ctx instead of id_ctx * sudo: add host info options * sudo ldap provider: load host filter configuration on init * sudo ldap provider: mark sdap_sudo_setup_periodical_refresh() as static * sudo ldap provider: do per-host updates * sudo ldap provider: support autoconfiguration of IP addresses * sudo: manpage updated * resolv_gethostbyname_send: strdup hostname to work properly when hostname is allocated on stack * sudo test client: avoid SIGSEGV when run without arguments * sdap_sudo.c: add missing end of line in few debug messages * add hostid and subdomains sections in sssd-ipa.conf * manpage: seealso - include ssh conditionally * tests: allow changing cwd in all tests * manpage: sssd-sudo - documents how sudo works with sssd * sudo ldap provider: support autoconfiguration of hostnames * Unbreak SASL * tests: build sysdb ssh tests conditionally * shadow attributes can contain -1 * Add end of line to debug message * monitor: set debug level when unable to load configuration * Remove redefinition of some SYSDB_* macros * Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC * Remove SYSDB_SUDO_CACHE_OC from attribute lists * Fix LOCAL domain lookups * Close LDAP connection when unable to install TLS * Unbreak build on RHEL5: replace ldap_destroy() with ldap_unbind_ext() * Remove compilation warning: ret may be uninitialized * Clean up cache on server reinitialization * netgroup: resolve hostgroup membership correctly * be_process_init(): free ctx on error * backend: initialize sudo only when it is enabled in services * Failover: use _srv_ when no primary server is defined * rpm: put localized sssd_krb5_locator_plugin manpages into client * sdap_add_incomplete_groups(): fix ret may be uninitialized warning
Rambaldi (2): * heimdal: fix compile error in krb5-child-test * heimdal: use sss_krb5_princ_realm to access realm
Shantanu Goel (4): * Set return errno to the value prior to calling close(). * Log message if close() fails in destructor. * Do not send SIGPIPE on disconnection * Add support for terminating idle connections
Simo Sorce (31): * nss_group: Cache the result from sssd when the glibc provided buffer is too small. * pam_sss: keep selinux optional * Use the correct hash table for pending requests * util: Helper headers for shared memory cache * nsssrv: shared memory cache server initialization * nsssrv: Add memory cache record handling utils * nsssrv: add handling of memory cache passwd map * sss_client: Add common shared memory cache utils * sss_client: shared memory cache passwd map support * nsssrv: add handling of memory cache group map * sss_client: shared memory cache group map support * Do not leak file descriptors in client libs. * Add close on exec support for old platforms * Fix segfault when sudo is not configured. * Change subdomain_info * tests: Remove useless consts * 80 columns police * Fix double semi-colons * Fix wrong elements used in comparison * Use ldb_msg_add_string with bare strings * Fix return error and debug message * Make structure initializer more readable * 80 col and style fixes * Use a more tractable name for subdomain request * Add realm paramter to subdomain list * Expose an initializer function from subdomain * Change refreshing of subdomains * Limit refreshes keeping track of last refresh time * Add online callback to enumerate subdomains * Add automatic periodic retrieval of subdomains * Remove obsolete comment
Stef Walter (10): * Fix erronous reference to the 'allow' access_provider * execv, excvp and exec_child never return EOK * If canon'ing principals, write ccache with updated default principal * Remove erroneous failure message in find_principal_in_keytab * Limit krb5_get_init_creds_keytab() to etypes in keytab * Clearer documentation for use_fully_qualified_names * Make re_expression and full_name_format per domain options * Move some debug lines to new debug log levels * Fix crash when interface doesn't have an address * Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8
Stephen Gallagher (178): * Set version to 1.9dev * Updating translatable strings for string freeze * Updating translations * Remove dead code * Fix missing NULL check after malloc * Avoid uninitialized value comparison * Add missing breaks to switch statements * Fix uninitialized in_transaction * Fix bad failure handling in be_sudo_handler() * Check for failure in sss_packet_grow() * Fix uninitialized value error in proxy provider * Ensure NULL-termination in get_uid_from_pid() * Move sss_ssh_* binaries to the main 'sssd' package * Always include all manpage XML files in the distribution tarball * Fix missing %endif in sssd.spec.in * NSS: Always return the same protocol that was requested * LDAP: Ignore group member users that do not have name attributes * RESPONDERS: Allow increasing the file-descriptor limit * RESPONDERS: Make the fd_limit setting configurable * Add tool to convert debug levels * IPA: Add ipa_parse_search_base() * LDAP: Properly assign orig_dn * LDAP: Only use paging control on requests for multiple entries * LDAP: Remove unnecessary filter sanitize * Eliminate build-time requirement for nscd * PAM: Don't send PAM_SYSTEM_INFO message if module unset * Fix typo in autofs option description * Include the debug_level upgrade tool in the tarball * Include new manpages in translations * Fix typo in script name * Handle cases where UID is -1 * IPA: Set the DNS discovery domain to match ipa_domain * IPA: Fix segfault with srchost functionality enabled * DP: Reorganize memory hierarchy of requests * Prune python provides correctly * Make RPM spec more explicit * Build experimental features by default in RPMs * Properly terminate GIT_CHECKOUT * LDAP: Make sdap_access_send/recv public * IPA: Check nsAccountLock during PAM_ACCT_MGMT * PROXY: Create fake user entries for group lookups * SSH: Fix missing semicolon * IPA: Initialize hbac_ctx to NULL * i18n: Remove empty translations * LDAP: Add AD 2008r2 schema * IPA: Allow service lookups * SYSDB: Save only lowercased aliases in case-insensitive domains * LDAP: Errors retrieving the RootDSE should not be fatal * NSS: Fix debug message * Start SSSD earlier and stop it later * LDAP: Add better error logging when ldap_result() fails * LDAP: Fix memory leaks in synchronous_tls_setup * BUILDSYS: Create common libs for LDAP and KRB5 sources * Put dp_option maps in their own file * Add terminator for dp_option * Add better dp_option tests * Add terminator for sdap_attr_map * Add better tests for sdap_attr compability * Remove old compatibility tests * Fix building manpages in parallel build dirs * Clean up log messages about keytab_name * MAN: Improve ldap_disable_paging documentation * MAN: Add ldap_sasl_minssf to the manpage * Fix linker issue with pam_sss * murmurhash: Relax inline requirement * Handle endianness issues on older systems * SYSDB: Handle upgrade script failures better * LDAP: Add objectSID config option * LDAP: Add id-mapping option * SYSDB: Add sysdb routines for ID-mapping * LDAP: Add helper routines for ID-mapping * LDAP: Add ID mapping range settings * LDAP: Initialize ID mapping when configured * LDAP: Enable looking up ID-mapped users by name * LDAP: Add autorid compatibility mode * LDAP: Allow setting a default domain for id-mapping slice 0 * LDAP: Add routine to extract domain SID from an object SID * LDAP: Allow automatically-provisioning a domain and range * LDAP: Enable looking up id-mapped users by UID * LDAP: Allow looking up ID-mapped groups by name * LDAP: Enable looking up id-mapped groups by GID * LDAP: Map the user's primaryGroupID * LDAP: Add helper routine to convert LDAP blob to SID string * LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped entries * LDAP: Add helper function to map IDs * LDAP: Treat groups with unmappable SIDs as non-POSIX groups * MAN: Add manpage for ID mapping * LDAP: Add support for enumeration of ID-mapped users and groups * SSSDConfigAPI: Fix missing option in tests * NSS: Add fallback_homedir option * NSS: Add default_shell option * SYSDB: Add better error logging to sysdb_set_entry_attr() * LDAP: Add attr_count return value to build_attrs_from_map() * LDAP: Handle very large Active Directory groups * Updating translations for 1.9.0 beta 1 release * Bumping version to 1.8.91 for 1.9.0 beta 1 release * Bumping version ton 1.8.92 for beta 2 development * RPM: Allow running 'make rpms' on RHEL 5 machines * NSS: Expire in-memory netgroup cache before the nowait timeout * Always use positional arguments in translatable strings * KRB5: Avoid NULL-dereference with empty keytab * Update translation sources * NSS: Fix segfault when mmap cache cannot be initialized * NSS: Restore original protocol for getservbyport * SSSDConfig: Make SSSDConfig a package * SSSDConfig: Make default config and schema file locations configurable * PAM: Better pam_reply message * SYSDB: Reduce noise level of debug messages in lookups * LDAP: Remove redundant check * LDAP: Fix incorrect switch statement in sdap_get_initgr_done() * LDAP: Add helper function to get list of a user's groups from sysdb * LDAP: Make sdap_initgr_common_store() non-static * LDAP: Add ldap_*_use_matching_rule_in_chain options * LDAP: Add support for AD chain matching extension in group lookups * LDAP: Add support for AD chain matching extension in initgroups * LDAP: Auto-detect support for the ldap match rule * LDAP: Fix missing variable in debug message * SSS_CLIENT: Fix uninitialized value error * Fix compilation on older little-endian systems * KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_data * KRB5: Auto-detect DIR cache support in configure * KRB5: Avoid shadowing dirname * Updating translations for 1.9.0 beta 2 release * Bumping version to 1.9.0 beta 3 * Fix typo breaking DIR cache detection * Make the client idle timeout configurable * UTILS: Fix segfault due to sss_parse_name_for_domains * BUILD: Change default unicode library to glib2 * Update translations for 1.9.0 beta 3 release * Bumping version to 1.9.0 beta 4 * TESTS: Print messages when LDAP options do not match * DEBUG: Log to syslog if we are unable to open a debug fd * KRB5: Initialize the credential cache type properly * IPA: Don't hang onto memory longer than necessary * LDAP: Print extended failure message for SASL bind * MAN: Unify "SEE ALSO" sections * KRB5: Some logging enhancements for krb5_child * KRB5_LOCATOR: Print the filename that couldn't be opened * KRB5: Drop memctx parameter of krb5_try_kdcip * KRB5: Create a common init routine for krb5_child options * LDAP: Rename user and group maps for AD * AD: Add AD identity provider * AD: Add AD auth and chpass providers * AD: Add AD access-control provider * AD: Add AD provider to the spec file * AD: use krb5_keytab for validation and GSSAPI * AD: Add manpages and SSSDConfig entries * CONFDB: Add the ability to set a boolean value in the confdb * AD: Force case-insensitive operation in AD provider * Fix use-after-free * Fix uninitialized variable * Fix potential NULL-dereference * Fix potential NULL-dereference * Fix incorrect return value in tests * Fix potential NULL-dereference * Fix uninitialized value return * Fix uninitialized memcpy error * Avoid NULL-dereference in error-handling * Add missing return value check * Check for errors from krb5_unparse_name * Fix incorrect error-check * Fix segfault when using local provider * AD: Add missing DP option terminator * AD: Fix defaults for krb5_canonicalize * MAN: List all available backends for provider options * MAN: Improvements to the AD provider manpage * NSS: Add override_shell option * SYSDB: Add log message for unexpected LDB errors * SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider() * IPA: Do not attempt to close the same file twice * IPA: Securely set umask for mkstemp in subdomain provider * MAN: Fix minor typo in ldap_search_base section * MAN: Improve description of ldap_*_search_base options * SYSDB: Make sysdb_attrs_get_el_int() public * AD: autorid compatibility should recommend the use of default domain * AD: Detect domain controller compatibility version * AD: Optimize initgroups lookups with tokenGroups * AD: Handle sysdb lookup failure during tokenGroups processing
Sumit Bose (40): * Use curly braces in pkgconfig metadata file * Keep sysdb context in domain info struct * Remove sysdb_get_ctx_from_list() * Always initialize the returned data in sss_krb5_princ_realm() * Add idmap library * Check sub-domains in nss_cmd_get{pwuid|grgid}_search() * data provider: added subdomains * IPA: Add get-domains target * Add domain name to get_account_info request * Add s2n extended operation * Allow different SID representations in libidmap * Fix typo in spec file * Fix endian issue in SID conversion * Rename struct dom_sid to struct sss_dom_sid * Fix libsss_hbac library version * sss_idmap: add support for samba struct dom_sid * sss_idmap: fix typo which prevents sub auth larger then 2^31 * PAC responder: add basic infrastructure * PAC responder: add the core functionality * PAC responder: support in spec file * PAC client: add basic support in common client code * PAC client: add krb5 authdata plugin * Add support for ID ranges * Add range support to PAC responder * Try to build PAC responder only if all dependencies are available * Build pac responder tests only if pac responder is build * Add man page section for the PAC responder * Set default for subdomain_homedir * Fix SSSDConfigTest for separate build directories * Set file descriptor limits in pac responder * Remove resource leak in sssdpac_import_authdata * Remove dead code in ipa_subdomains_handler_done() * pac responder: limit access by checking UIDs * Add python bindings for murmurhash3 * accept_fd_handler: add missing return * Fix fallback in validate_tgt() * Use new debug levels in validate_tgt() * Check flat names when searching for sub-domains as well * Add provider specific default regular expressions * Make subdomain discovery less noisy
Ville Skyttä (1): * Require and call ldconfig from subpackages if appropriate
Yuri Chornoivan (5): * fix typos in manual * Fix typo: retreiving->retrieving * Fix typos in message and man pages. * Fix typo: exhasution->exhaustion. * Fix various typos in documentation.
sssd-users@lists.fedorahosted.org