=== SSSD 1.10.0 ===
The SSSD team is proud to announce the final release of version 1.10 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd. RPM packages will be made available for Fedora 19 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* The main focus of the 1.10 release was improving the Active Directory integration.
  - The Active Directory provider now includes support for Site-based discovery. This feature allows Active Directory clients to find the most suitable Domain Controller to connect to.
  - Support for dynamic DNS updates in the Active Directory provider. This feature enables clients to automatically update or refresh their DNS records stored in the AD server.
  - The Active Directory provider now includes support for retrieving identity information for, and authenticating, users from trusted domains in the same forest. The SSSD looks up the information using the Global Catalog.
  - The group memberships for Active Directory users can optionally be read from the PAC during login. If the PAC is not available (such as when group membership is requested for a user who has never logged in), the SSSD falls back to using tokenGroups. To enable this feature, add "pac" to the list of configured services in the "[sssd]" section of the "sssd.conf" config file.
  - The Active Directory provider is able to autodiscover the NetBIOS (flat) name of the domain it connects to. The NetBIOS name is discovered automatically on startup.
  - Support for Enterprise Kerberos principals was added. Currently the enterprise principals are only enabled by default in the Active Directory provider.
* A new library, called libsss_nss_idmap, was introduced. This library allows the user to convert Windows Security Identifiers (SIDs) to names and vice versa. The library also includes Python bindings.
* A new option "ipa_dyndns_ttl" was added, allowing the client to set a custom TTL on IPA dynamic DNS updates.
* A new option "ignore_group_members" was added. This option can be used to suppress downloading group members on group lookups, making the group lookups much faster for environments that do not need to know the group members.
* A new option "ldap_rfc2307_fallback_to_local_users" was added. If this option is set to true, SSSD is able to resolve local group members of LDAP groups.
* The "subdomain_homedir" configuration option gained a new template expansion "%F" that expands to the flat name (NetBIOS name) of the trusted AD domain.
* The "full_name_format" option now accepts a new parameter that expands to the NetBIOS name of the domain.
* The new "krb5_use_kdcinfo" option allows the administrator to disable the Kerberos locator plugin and rely completely on information read from the krb5.conf file.
* A new option "ldap_disable_range_retrieval" was added. Switching this option to True skips large Active Directory groups that might otherwise take a long time to download and process.
* A new option "refresh_expired_interval" was added. This option configures a background task that automatically refreshes entries that are nearing their expiration time. In this release, only refreshing netgroups is implemented.
* Setting the SELinux context on the IPA server now also works for users coming from a trusted Active Directory domain.
* Many internal interfaces were refactored, making the code more readable and maintainable in the long term. This refactoring includes the subdomains code, the sysdb interface as a whole, internal error code reporting, SELinux login context processing and processing of nested LDAP groups.
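As an added example (not part of this announcement or of the SSSD project's own files), the following sssd.conf fragment wires together the 1.10 options described above for one Active Directory domain and one plain LDAP domain. The domain, realm and server names and the numeric values are placeholders; option names not spelled out above (dyndns_update, krb5_use_enterprise_principal, ldap_id_mapping, and the %3$s flat-name expansion of full_name_format) are taken from the sssd.conf(5) and sssd-ad(5) man pages rather than from this page. The comments call out the behaviour a practitioner needs to keep in mind: which lookups are skipped, which traffic is authenticated, and what the file's permissions must be.

```ini
# Example sssd.conf exercising the SSSD 1.10 options from the Highlights above.
# Constructed for illustration; names and values are placeholders.
# The file must be owned by root, mode 0600, and end with a newline (ticket 1847),
# otherwise SSSD refuses to start with "Cannot load configuration database".

[sssd]
config_file_version = 2
# "pac" starts the PAC responder: AD group memberships are taken from the
# Kerberos ticket at login and fall back to tokenGroups when no PAC is present.
services = nss, pam, pac
domains = ad.example.com, ldap.example.com

[domain/ad.example.com]
id_provider = ad
auth_provider = ad
# access_provider = ad honours the account's userAccountControl/expiry flags.
access_provider = ad
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM
# No ad_server: SRV records plus site-based discovery select the nearest DC.
# Trusted domains of the same forest are resolved through the Global Catalog.

# Dynamic DNS is on by default for the AD provider in 1.10 and is secured
# with GSS-TSIG (the host keytab authenticates the update). Forcing TCP
# avoids UDP truncation and spoofing issues (ticket 1831).
dyndns_update = True
dyndns_update_ptr = True
dyndns_force_tcp = True
dyndns_refresh_interval = 86400

# Enterprise principals (user@child.ad.example.com style UPNs) are the
# default for the AD provider; shown explicitly here for clarity.
krb5_use_enterprise_principal = True

# Flat (NetBIOS) name in home directories and fully qualified names:
# %F is the trusted domain's flat name, %3$s the domain's flat name.
subdomain_homedir = /home/%F/%u
full_name_format = %1$s@%3$s

# Large groups: with range retrieval disabled, any group whose member list
# exceeds the DC's MaxValRange (1500 by default) is skipped entirely, so
# membership in such groups is invisible to access control. Leave it False
# unless the lookup cost is unacceptable and no policy depends on those groups.
ldap_disable_range_retrieval = False

# Skip downloading member lists on group lookups. initgroups (user -> groups)
# still works; getgrnam simply returns an empty member list.
ignore_group_members = True

[domain/ldap.example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
# rfc2307 groups may list memberUid values that exist only in /etc/passwd;
# this makes SSSD resolve them instead of dropping them.
ldap_rfc2307_fallback_to_local_users = True

krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
# Disable the SSSD Kerberos locator plugin so libkrb5 consults krb5.conf only;
# the realm must then be fully described in krb5.conf or logins fail offline.
krb5_use_kdcinfo = False

# Background refresh of entries nearing expiry (seconds). In 1.10 only
# netgroups are refreshed; keep it below entry_cache_timeout (default 5400).
refresh_expired_interval = 4050
```

After editing, restart SSSD and confirm the PAC responder is running (`ps -ef | grep sssd_pac`) and that the DNS update landed (`dig +short myhost.ad.example.com`); if the update was rejected, check that the host keytab is valid, since GSS-TSIG updates carry no other credential.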
== Packaging changes ==
* The shared components of the SSSD are now built as a shared library to reduce the amount of duplicated code linked into multiple SSSD binaries and lower the disk usage of an SSSD installation.
* The check that ensured that SSSD is running with the same ldb version it was built against was made optional, defaulting to false. You can enable the strict check again by passing --enable-ldb-version-check to configure.
* The SSSD Python ConfigAPI was moved to its own noarch subpackage to make the SSSD packaging more compliant with the Fedora packaging guidelines.
* The libsss_nss_idmap library and its Python bindings are packaged in separate subpackages.
* The upstream RPM specfile now packages each provider separately. The SSSD daemon and the responders are now included in the sssd-common package, while the sssd package has become a "meta package" that Requires all the existing providers for backwards compatibility.
* The libsss_sudo and libsss_autofs libraries are now part of the sssd-common package.
== Tickets fixed ==
https://fedorahosted.org/sssd/ticket/1199 [RFE] Prune idle connections from responders
https://fedorahosted.org/sssd/ticket/1693 sudoHost mismatch response is incorrect sometimes
https://fedorahosted.org/sssd/ticket/1806 sssd_be goes to 99% CPU and causes significant login delays when client is under load
https://fedorahosted.org/sssd/ticket/1815 "touch" krb5.conf file after installing new domain-realm mappings
https://fedorahosted.org/sssd/ticket/1847 if there is no blank line at the end of /etc/sssd/sssd.conf, sssd won't start and you get an error in /var/log/messages about "sssd: Cannot load configuration database".
https://fedorahosted.org/sssd/ticket/1849 improper use of negative value
https://fedorahosted.org/sssd/ticket/1863 Dereference after a NULL check in krb5_child.c
https://fedorahosted.org/sssd/ticket/1871 krb5 validation code always picks the first matching principal
https://fedorahosted.org/sssd/ticket/1873 password migration is not working using sssd
https://fedorahosted.org/sssd/ticket/1886 If previous SRV query failed, the next try might not be retried in some cases
https://fedorahosted.org/sssd/ticket/1894 sssd_be crashes while processing ASQ dereference request
https://fedorahosted.org/sssd/ticket/1931 cannot login to the 1st domain when 2 domains are configured in sssd
https://fedorahosted.org/sssd/ticket/1936 GSSAPI working only on first login
https://fedorahosted.org/sssd/ticket/1947 [abrt] sssd-1.10.0-4.fc19.beta1: get_server_status: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
https://fedorahosted.org/sssd/ticket/1949 SSH host keys are not removed from cache when host is deleted in IPA
https://fedorahosted.org/sssd/ticket/1953 System error while trying to auth as an expired user
https://fedorahosted.org/sssd/ticket/1959 Enhance sssd init script so that it would source a configuration
https://fedorahosted.org/sssd/ticket/1969 dead code in SRV resolution
https://fedorahosted.org/sssd/ticket/1973 Improve global catalog DNS SRV lookups
https://fedorahosted.org/sssd/ticket/1980 SSSD service randomly dies
https://fedorahosted.org/sssd/ticket/1986 SYSV init script should use @sbindir@
https://fedorahosted.org/sssd/ticket/1989 Fix core dump in the PAC responder
https://fedorahosted.org/sssd/ticket/1995 The PAC responder is contacted even for local IPA users.
https://fedorahosted.org/sssd/ticket/364 [RFE] Recognize trusted domains in AD provider
https://fedorahosted.org/sssd/ticket/453 Replace pam status codes with sssd specific codes
https://fedorahosted.org/sssd/ticket/812 Support libnl 3.x
https://fedorahosted.org/sssd/ticket/902 [RFE] Allow setting krb5_renew_interval with a delimiter
https://fedorahosted.org/sssd/ticket/1032 [RFE] sssd should support DNS sites
https://fedorahosted.org/sssd/ticket/1033 [RFE] implement a script/tool joining to the Active Directory domain
https://fedorahosted.org/sssd/ticket/1287 compilation warnings with -O2
https://fedorahosted.org/sssd/ticket/1327 When multiple values are assigned, sss_debuglevel should display a usage message
https://fedorahosted.org/sssd/ticket/1371 Missing resolv.conf should be non-fatal
https://fedorahosted.org/sssd/ticket/1376 [RFE] Add support for suppressing group members
https://fedorahosted.org/sssd/ticket/1405 [RFE] Kerberos canonicalization should be skipped on password-changes in AD provider
https://fedorahosted.org/sssd/ticket/1414 [RFE] Improve syslog message when configuration cannot be loaded
https://fedorahosted.org/sssd/ticket/1468 [RFE] AD: Should be able to log in as long or short domains
https://fedorahosted.org/sssd/ticket/1476 SSSD has a much longer TTL when updating a DNS record than IPA client install placed in the beginning
https://fedorahosted.org/sssd/ticket/1481 Move sss_cache to the main subpackage
https://fedorahosted.org/sssd/ticket/1484 failover should protect against empty host names
https://fedorahosted.org/sssd/ticket/1495 include talloc log in our debug facility
https://fedorahosted.org/sssd/ticket/1504 [RFE] AD dyndns updates
https://fedorahosted.org/sssd/ticket/1510 Split providers into their own subpackages
https://fedorahosted.org/sssd/ticket/1557 [RFE] Use the Global Catalog in SSSD for the AD provider
https://fedorahosted.org/sssd/ticket/1558 [RFE] Use MS-PAC to retrieve user's group list
https://fedorahosted.org/sssd/ticket/1559 [RFE] Use the getpwnam()/getgrnam() interface as a gateway to resolve SID to Names
https://fedorahosted.org/sssd/ticket/1575 Change responder contexts hierarchy
https://fedorahosted.org/sssd/ticket/1586 Make authtoken opaque objects
https://fedorahosted.org/sssd/ticket/1603 [RFE] Send user principal together with the PAC to the pac responder
https://fedorahosted.org/sssd/ticket/1609 [RFE] Subdomain homedir template should be configurable/use flatname by default
https://fedorahosted.org/sssd/ticket/1625 Confusing error messages for invalid sssd.conf
https://fedorahosted.org/sssd/ticket/1643 Refactor sysdb interface
https://fedorahosted.org/sssd/ticket/1648 Fully qualified account names form should be able to use flatname in the fq format
https://fedorahosted.org/sssd/ticket/1660 LDAP_CONTROL_X_DEREF: sssd should fallback if server returns LDAP_UNAVAILABLE_CRITICAL_EXTENSION error
https://fedorahosted.org/sssd/ticket/1712 sudoNotBefore/sudoNotAfter not supported by sssd sudoers plugin
https://fedorahosted.org/sssd/ticket/1713 [RFE] Add a task to the SSSD to periodically refresh cached entries
https://fedorahosted.org/sssd/ticket/1733 [RFE] support autoconfiguring SUDO with ipa provider and compat tree
https://fedorahosted.org/sssd/ticket/1738 Decrease the krb5_auth_timeout default value of 15
https://fedorahosted.org/sssd/ticket/1741 sss_cache doesn't support subdomains
https://fedorahosted.org/sssd/ticket/1743 selinux: move all logic to responder, provider should only update db
https://fedorahosted.org/sssd/ticket/1744 selinux: reuse IPA_HBAC_REFRESH or provide an alternative
https://fedorahosted.org/sssd/ticket/1745 Unnecessary output is seen when invalid option is passed to sss_cache
https://fedorahosted.org/sssd/ticket/1746 sss_* tools with use_fully_qualified_names should require fqdn
https://fedorahosted.org/sssd/ticket/1747 Refactor subdomain interfaces
https://fedorahosted.org/sssd/ticket/1756 append new line to error string from poptStrerror()
https://fedorahosted.org/sssd/ticket/1763 check the return values of sysdb_transaction_commit in sysdb tests
https://fedorahosted.org/sssd/ticket/1765 remove the alt_db_path parameter of sysdb_init
https://fedorahosted.org/sssd/ticket/1766 use an explanatory macro for checking if a domain is a subdomain
https://fedorahosted.org/sssd/ticket/1767 unify sss_mc_set_recycled
https://fedorahosted.org/sssd/ticket/1771 Negative cache messages are displayed at too low of a DEBUG level
https://fedorahosted.org/sssd/ticket/1772 Rename or alias the SAFEALIGN macros
https://fedorahosted.org/sssd/ticket/1774 move processing of password expiration back to PAM provider only
https://fedorahosted.org/sssd/ticket/1784 rewrite nested group processing to follow the tevent_req coding style
https://fedorahosted.org/sssd/ticket/1785 NSCD warning is irritating
https://fedorahosted.org/sssd/ticket/1786 Use new interface from ding-libs ini interface
https://fedorahosted.org/sssd/ticket/1789 ldap_access_order improvements (man page fix)
https://fedorahosted.org/sssd/ticket/1790 Possible null dereference in ipa_subdomains.c
https://fedorahosted.org/sssd/ticket/1794 reuse open_cloexec elsewhere in the code
https://fedorahosted.org/sssd/ticket/1797 Use hardened flags for building RPMs
https://fedorahosted.org/sssd/ticket/1802 [abrt] sssd-1.9.3-1.fc18: talloc_abort: Process /usr/libexec/sssd/sssd_be was killed by signal 6 (SIGABRT)
https://fedorahosted.org/sssd/ticket/1803 SSSD returns System Error if the ccachedir is not writable
https://fedorahosted.org/sssd/ticket/1804 Filter out inappropriate multicast and subnet broadcast addresses from IPA dynamic DNS update
https://fedorahosted.org/sssd/ticket/1805 [RFE] Add a new override_homedir expansion for the "original value"
https://fedorahosted.org/sssd/ticket/1809 Document that SSSD domains should only be named using ASCII characters
https://fedorahosted.org/sssd/ticket/1810 Uninitialized scalar variable in responder_get_domain
https://fedorahosted.org/sssd/ticket/1811 Unchecked return value in tests
https://fedorahosted.org/sssd/ticket/1812 [RFE] make the get_next_domain() function a little more readable
https://fedorahosted.org/sssd/ticket/1813 make the ldb check configurable
https://fedorahosted.org/sssd/ticket/1816 Non-fatal errors looking up trusted domains with IPA back end
https://fedorahosted.org/sssd/ticket/1819 Refresh doxygen template files
https://fedorahosted.org/sssd/ticket/1820 sysdb unit tests use system memberof
https://fedorahosted.org/sssd/ticket/1823 getgrnam / getgrgid for large user groups is too slow due to range retrieval functionality
https://fedorahosted.org/sssd/ticket/1825 Invalid assignment to enum
https://fedorahosted.org/sssd/ticket/1830 make the authtok structure really opaque
https://fedorahosted.org/sssd/ticket/1831 use the -v flag with nsupdate to force TCP transmission for better security
https://fedorahosted.org/sssd/ticket/1832 [RFE] Provide a new option to update the reverse DNS zone in IPA domain
https://fedorahosted.org/sssd/ticket/1833 segmentation fault in cmocka unit tests with raised optimization level
https://fedorahosted.org/sssd/ticket/1834 Support for libini 1.0
https://fedorahosted.org/sssd/ticket/1838 nss and pam clients broken in master
https://fedorahosted.org/sssd/ticket/1839 Incorrect *.py[co] files placement
https://fedorahosted.org/sssd/ticket/1840 Add --with-test-dir=/dev/shm to DISTCHECK_CONFIGURE_FLAGS
https://fedorahosted.org/sssd/ticket/1842 Allow usage of enterprise principals
https://fedorahosted.org/sssd/ticket/1843 Add exit value section to sss_ssh_* man pages
https://fedorahosted.org/sssd/ticket/1844 add a call to calculate the range for a given domain SID to libsss_idmap
https://fedorahosted.org/sssd/ticket/1845 move libsss_sudo and libsss_autofs back into the main sssd package
https://fedorahosted.org/sssd/ticket/1848 unused parameter in ipa_selinux handler
https://fedorahosted.org/sssd/ticket/1860 pidfile() may leak memory on error
https://fedorahosted.org/sssd/ticket/1861 potential out-of-bounds-write in sss_idmap_sid_to_dom_sid
https://fedorahosted.org/sssd/ticket/1862 negative return in files.c
https://fedorahosted.org/sssd/ticket/1864 Bad comparisons in checks found by new Coverity instance
https://fedorahosted.org/sssd/ticket/1865 Logically dead code in tools_util.c
https://fedorahosted.org/sssd/ticket/1867 document that AD provider is always case insensitive
https://fedorahosted.org/sssd/ticket/1870 wrong failure handler in sdap_get_map
https://fedorahosted.org/sssd/ticket/1877 ding-libs.dhash: uninitialized pointer read
https://fedorahosted.org/sssd/ticket/1883 Add a new option to disable the Kerberos locator plugin completely
https://fedorahosted.org/sssd/ticket/1888 freeipa 3.2 trusted ad user not listed in external group
https://fedorahosted.org/sssd/ticket/1889 coverity: dead code in sudo client
https://fedorahosted.org/sssd/ticket/1890 SSSD doesn't display warning for last grace login.
https://fedorahosted.org/sssd/ticket/1891 unite periodic refresh API
https://fedorahosted.org/sssd/ticket/1892 In IPA AD trust setup, the sssd logs throw 'sysdb_search_user_by_name failed' error when AD user tries to login via ipa client.
https://fedorahosted.org/sssd/ticket/1897 Authenticity of ipa server can't be established
https://fedorahosted.org/sssd/ticket/1900 Uninitialized scalar variable in idmap.c
https://fedorahosted.org/sssd/ticket/1901 confdb: possible double free in new ini module
https://fedorahosted.org/sssd/ticket/1905 pysss_nss_idmap improvements
https://fedorahosted.org/sssd/ticket/1909 Clarify the AD site discovery in sssd-ad man page
https://fedorahosted.org/sssd/ticket/1910 Clarify that AD DNS updates are performed using GSS-TSIG
https://fedorahosted.org/sssd/ticket/1912 SUDO is not working for users from trusted AD domain
https://fedorahosted.org/sssd/ticket/1913 SSSD crashes during nsupdate if the client hostname can't be resolved
https://fedorahosted.org/sssd/ticket/1914 pysss_nss_idmap: Support also Unicode strings and return them by default
https://fedorahosted.org/sssd/ticket/1915 Turn on dyndns updates by default in the AD provider
https://fedorahosted.org/sssd/ticket/1921 Login failure: Enterprise Principal enabled by default for AD Provider
https://fedorahosted.org/sssd/ticket/1922 sssd_be crashes when looking up users in the LDAP provider with ID mapping
https://fedorahosted.org/sssd/ticket/1924 MAN: Make it clear which address is used to update DNS records
https://fedorahosted.org/sssd/ticket/1927 Provide a script to create a SRPM without having to run configure
https://fedorahosted.org/sssd/ticket/1928 Libtool fails to find dependent libraries
https://fedorahosted.org/sssd/ticket/1929 Junk character in sssd_domain.log for domain string when sssd tries to go online from offline mode
https://fedorahosted.org/sssd/ticket/1930 Crash with negative values in ldap_idmap_range_size
https://fedorahosted.org/sssd/ticket/1934 sssd crashes if junk is present in sssd.conf
https://fedorahosted.org/sssd/ticket/1950 segfault while processing ASQ request
https://fedorahosted.org/sssd/ticket/1951 NetBIOS domain name should be read at startup
https://fedorahosted.org/sssd/ticket/1971 Dereference before NULL check in nscd.c
https://fedorahosted.org/sssd/ticket/1972 Dereference after a NULL check in tests/common_dom.c
https://fedorahosted.org/sssd/ticket/1976 Copy-n-paste error in AD provider
== Detailed Changelog ==
Abhishek Singh (4):
* filename in comment is corrected
* cmocka unittest for find_uid added
* cmocka unittest for io added
* Fix segmentation fault in test_io.
Ariel Barria (4):
* Improve syslog message when configuration cannot be loaded
* Allow setting krb5_renew_interval with a delimiter
* Confusing error messages for invalid sssd.conf
* Removing BUILD.txt content
Jakub Hrozek (144):
* Bump version to 1.10dev
* Require ar in configure.ac
* TESTS: Fix a couple of debug-level setters
* SYSDB: Remove unused macros
* LDAP: Remove double break
* Indentation fix
* Bump the version and reset release back to 0
* tests: add a unit test for sysdb_netgroup_base_dn
* tests: unit test for test_sysdb_search_users
* tests: add a unit test for test_sysdb_search_groups
* tests: test sysdb_initgroups
* tests: add unit test for sysdb_get_new_id
* tests: unit test for sysdb_remove_attrs
* TOOLS: set domain in check_group_names
* Fix code style
* Don't use srcdir with tests
* krb5: include backwards compatible declaration of krb5_trace_info
* LDAP: Check for authtok validity
* Filter out multicast addresses from IPA DNS updates
* Lower the DEBUG level if an entry cannot be deleted from memcache
* Fix the krb5 password expiration warning
* Remove enumerate=true from man sssd-ldap
* Do not process success case in an else
* Revert "Add debug message to autofs client"
* Don't treat 0 as default for pam_pwd_expiration warning
* Remove unused functions
* Use the correct memory context in be_req_create
* Check the return value of sysdb_search_services
* Detect the presence of libcmocka during configure
* Add utility functions for tests that use sysdb or tevent.
* Move sss_cmd_execute from client to responder code.
* CMocka based test for the NSS responder
* Retry the correct service on krb5 child timeout
* Remove duplicate remake from bashrc_sssd
* Provide a be_get_account_info_send function
* Add unit tests for simple access test by groups
* Do not compile main() in DP if UNIT_TESTING is defined
* Resolve GIDs in the simple access provider
* Return error code from ipa_subdom_store
* Move signal.m4 from src/util to external
* Document what does access_provider=ad do
* Include config.h to build io.c on RHEL5
* selinux: Remove unused parameter
* Updating the translations for the 1.10 alpha release
* Updating the version for the 1.10 beta1 release
* krb5 child: Use the correct type when processing OTP
* pidfile(): Do not leak fd on error
* Fix potential out-of-bounds write in sss_idmap_sid_to_dom_sid
* Return errno, not -1 on failure in files.c
* Check for correct variable name
* Init failover with be_res options
* Centralize resolv_init, remove resolv context list
* dyndns: Fix initializing sdap_id_ctx
* Check for the correct variables
* Allocate PAM DP request data on responder context
* LDAP: Always fail if a map can't be found
* Put the override_homedir into an included xml file
* Allow using flatname for subdomain home dir template
* Fix simple access group control in case-insensitive domains
* Make leak checks usable in tests that do not utilize check
* tests: Fix the order of key/values
* LDAP: do not invalidate pointer with realloc while processing ghost users
* Convert the simple access check to new error codes
* tests: Link the simple access tests with -ldl
* Do not keep growing event context
* Document the naming convention for SSSD domains
* Document that the AD provider is case-insensitive
* selinux: if no domain matches, make the debug message louder
* Only try to relink ghost users if we're not enumerating
* Display the last grace warning, too
* Refactor dynamic DNS updates
* Convert IPA-specific options to be back-end agnostic
* dyndns: new option dyndns_refresh_interval
* resolver: Return PTR record as string
* dyndns: New option dyndns_update_ptr
* dyndns: new option dyndns_force_tcp
* dyndns: new option dyndns_auth
* Split out the common code from timed DNS updates
* Active Directory dynamic DNS updates
* AD: Always initialize ID mapping
* Only check UPN if enterprise principals are not used
* Updating the translations for the 1.10 beta1 release
* Update the version for the 1.10 beta2 release
* Actually use the index parameter in resolv_get_sockaddr_address_index
* Fix a typo in sssd-ad man page
* tests: Do not set cwd twice
* Enable the AD dynamic DNS updates by default
* man: Clarify that AD dyndns updates are secured using GSS-TSIG
* LDAP: Always initialize idmap object
* Re-add a useful DEBUG message
* man: Clarify the AD site discovery documentation
* man: Note that IPA updates are secured with GSS-TSIG
* Remove unneeded parameter of setup_child and namespace it
* Fix dyndns timer initialization
* IPA: Check for ENOMEM
* Remove unneeded comment
* FO: Fix setting status of duplicates
* AD dyndns: extract the host name from URI
* Add utility functions for formatting fully-qualified names
* Check the validity of FQname format prior to using it
* Allow flat name in the FQname format
* Remove branching to improve readability
* tests: Link fqnames_tests with libsss_test_common.la
* Do not obfuscate calls with booleans
* LDAP: sdap_id_ctx might contain several connections
* LDAP: Refactor account info handler into a tevent request
* LDAP: Pass in a connection to ID functions
* LDAP: new SDAP domain structure
* LDAP: return sdap search return code to ID
* Move domain_to_basedn outside IPA subtree
* New utility function sss_get_domain_name
* LDAP: split a function to create search bases
* LDAP: store FQDNs for trusted users and groups
* Split generating primary GID for ID mapped users into a separate function
* LDAP: Do not store separate GID for subdomain users
* AD: Add additional service to support Global Catalog lookups
* AD ID lookups - choose GC or LDAP as appropriate
* AD: Store trusted AD domains as subdomains
* rpm: Fold libsss_sudo and libsss_autofs back into the main SSSD package
* dyndns: Fix NULL check
* man: document the need to set ldap_access_order
* A new option krb5_use_kdcinfo
* Fix allocation check in the AD provider
* rpm: Use hardened flags for RPM build
* rpm: Split providers into separate subpackages
* Update transifex URL to transifex.com
* Updating translations for the 1.10 beta2 release
* Bumping the version for the 1.10 final release
* Use the correct talloc context when creating AD subdomains
* AD: Fix segfault in DEBUG message
* AD: Remove ad_options->auth options reference
* rpm: couple of small fixes
* Fix allocation check
* Fix dp_copy_options
* FO: Check the return value of send_fn
* LDAP: Retry SID search based on result of LDAP search, not the return code
* IPA: Do not download or store the member attribute of host groups
* AD: kinit with the local DC even when talking to a GC
* KRB5: guess UPN for subdomain users
* AD: Write out domain-realm mappings
* Fix compilation warning
* Update the translations for the 1.10.0 release
* Update the version for the 1.10.0 release
* Updating the version for the 1.10.1 release
James Hogarth (1): * Make TTL configurable for dynamic dns updates
Jan Cholasta (8):
* LDAP: If deref search fails, try again without deref
* Add exit status section to sss_ssh_* man pages
* UTIL: Add function sss_names_init_from_args
* SSH: Fix parsing of names from client requests
* SSH: Use separate field for domain name in client requests
* SSH: Do not skip domains with use_fully_qualified_names in host key requests
* SSH: When host is removed from LDAP, remove it from the cache as well
* SSH: Update known_hosts file after unsuccessful requests as well.
Jan Engelhardt (1): * sysdb: try dealing with binary-content attributes
John Hodrien (1): * Correct sss_ssh_knowhostsproxy typo in man pages
Kamil Dudka (1): * sssd-1.8.0: work around a bug in cov-build from Coverity
Lukas Slebodnik (37):
* Improved readability of get_next_domain()
* Fixed typo in debug message.
* Removing unused parameter type from sudosrv_get_sudorules_query_cache()
* Reuse sss_open_cloexec at other places in code.
* More generalized function open_debug_file_ex()
* Removing unused header file providers.h
* Fix sss_client breakage.
* Removing unused declaration of functions and variable.
* Making the ldb check configurable
* Fixing duplicate const
* Reusing create_pam_data() on the other places.
* Making the authtok structure really opaque.
* LDAP: Fix value initialization warnings
* Incorrect *.py[co] files placement
* Fix krbcc dir creation issue with MIT krb5 1.11
* Default TEST_DIR to cwd, not empty string if not set explicitly
* SUDO: IPA provider
* Fixes compilation without selinux.
* Fix broken build with selinux.
* Fix segfault in AD Subdomains Module
* Fixing critical format string issues.
* Adding script to create a SRPM
* Removing unused functions.
* Adding option to disable retrieving large AD groups.
* Making order in tests.
* Remove empty directories after tests run.
* Prevent segfault while processing ASQ request
* Fix compilation with disabled link_all_deplibs.
* Use deep copy for dns_domain and discovery_domain
* Fix dereference after a NULL check in tests.
* Change order of libraries in linking process.
* Fix wrong detection of krb5 ccname
* Every time return directory for krb5 cache collection.
* Do not switch to credentials every time.
* Add missing argument to DEBUG message
* Handle too many results from getnetgr.
* Do not call sss_cmd_done in function check_cache.
Michal Zidek (22):
* sss_debuglevel: Multiple arguments are treated as error.
* Include talloc log in our debug facility
* failover: Protect against empty host names
* sss_cache: Call DEBUG_INIT sooner
* tools: Respect use_fully_qualified_names
* Possible null dereference in ipa_subdomains.c.
* Unchecked return value in files.c
* Use the same dbg level for all ncache hits.
* Remove the alt_db_path parameter of sysdb_init
* File descriptor leak in nss responder.
* Debug message in sss_mc_create_file.
* Move SELinux processing to provider.
* Reuse cached SELinux mappings.
* Make the SELinux refresh time configurable.
* tests: Print warning if LDB_MODULES_PATH is not set
* Check for waitpid failure at wrong place.
* Wrong condition after waitpid.
* sss_cache: support for subdomains
* sss_cache: Remove annoying messages
* Inform about function duplication.
* libsss_idmap: function to calculate range
* Rename SAFEALIGN macros.
Milan Cejnar (1): * tools: append new line to string from poptStrerror()
Nathaniel McCallum (1): * Add support for krb5 1.11's responder callback.
Ondrej Kos (25):
* MAN: quotation fix
* Display more information on DB version mismatch
* SYSDB: split sysdb_add_user
* TESTS: Fix coverity issues 13126, 13127
* TESTS: include error message on fail
* Fix uninitialized time_t var in responder
* krb5_child: fix value type and initialization
* Fix initialization of multiple variables
* Fix coverity issue 13136
* Decrease krb5_auth_timeout default
* Update README file
* LDAP: Fix value initialization
* Provide libnl3 support
* DB: Switch to new libini_config API
* CONFDB: prevent double free
* IDMAP: Fix variable initialization
* Fix segfault in DYNDNS
* DB: Fix segfault when configuration file cannot be parsed
* Move nscd.c from tools to util
* Check NSCD configuration file
* Fail with misconfigured id-mapping ranges
* MAN: state default dyndns interface
* DB: Don't add invalid ranges
* Don't test for NULL in nscd config check
* KRB: Handle preauthentication error correctly
Paul B. Henson (1): * Add ignore_group_members option.
Pavel Březina (63):
* sudo: do not hardcode protocol version
* fix -O3 variable may be uninitialized warnings
* sudo: print message if old protocol is used
* sudo manpage: clarify that sudoHost may contain wildcards and not regular expression
* use talloc_zfree when freeing rhostent in resolver
* set ret to EOK after for loop in sdap_sudo_purge_sudoers
* Fix LDAP authentication - invalid password length
* set struct bet_info->bet_type
* krb: recreate ccache if it was deleted
* dp: check whether hostid backend is configured before filing be request
* get_next_domain() test dom->parent->next for NULL
* subdomains: replace invalid characters with underscore in krb5 mapping file name
* if selinux is disabled, ignore that selogin dir is missing
* sdap_fill_memberships: continue if a member is not found in sysdb
* Add debug message to autofs client
* autofs: fix invalid header 'number of entries' in packet
* build: require libcmocka on fedora 18+
* fix segfault in nss responder unit test
* krb5-utils-tests: remove invalid condition
* correct order in error_to_str table
* do not leak memory on failure in *_process_init()
* change responder contexts hierarchy
* coding style fix
* refactor nested group processing: add new code
* refactor nested group processing: replace old code
* resolv: add resolv_get_domain request to resolv utils
* resolv: add resolv_discover_srv request to resolv utils
* DNS sites support - SRV lookup plugin interface
* DNS sites support - SRV DNS lookup plugin
* fail over - add function to insert multiple servers to the list
* DNS sites support - replace SRV lookup code with a plugin call
* DNS sites support - use SRV DNS lookup plugin in all providers
* DNS sites support - add IPA SRV plugin
* sudo client: remove dead code
* add fo_discover_servers request
* IPA SRV plugin: use fo_discover_servers request
* IPA SRV plugin: improve debugging
* sdap: add sdap_connect_host request
* add sss_ldap_encode_ndr_uint32
* DNS sites support - add AD SRV plugin
* dns srv plugin: compare domain names case insensitive
* AD SRV plugin: check if site name is empty
* fo_discover_servers_send: don't crash when backup_domain is NULL
* sudo responder: search rules for subdomains in parent domain subtree
* back end: periodic task API
* back end: periodical refresh of expired records API
* back end: add refresh expired records periodic task
* providers: refresh expired netgroups
* be_ptask: send and recv shadow a global declaration
* be_refresh: send and recv shadow a global declaration
* failover: set state->out when meta server remains in SRV_RESOLVE_ERROR
* subdomains: touch krb5.conf when creating new domain-realm mappings
* nested groups: allocate more space if deref returns more members
* handle ERR_ACCOUNT_EXPIRED properly
* nested groups: do not return ENOMEM if num_groups is 0
* nested groups: do not expect any particular number of groups
* failover: do not return invalid pointer when server is already present
* failover: return error when SRV lookup returned only duplicates
* collapse_srv_lookup may free the server, make it clear from the API
* failover: if expanded server is marked as neutral, invoke srv collapse
* init script: source /etc/sysconfig/sssd
* fix dead code in fail_over_srv.c
* sudo responder: use different callback for oob refresh
Simo Sorce (132):
* Add helpers to set common mc record fields
* Save errno before it might be modified.
* Revert "Avoid accessing half-deallocated memory when using talloc_zfree macro."
* Avoid duplicating macros
* Avoid const warnings when deallocating memory
* Fix tevent_req style for krb5_auth
* Fix ipa_subdomain_id names and tevent_req style
* Fix tevent_req style for get_netgroup in ipa_id
* Streamline ipa_account_info handler
* Use an entry type mask macro to filter entry types
* Fix comment on wrong line
* Remove redundant definition.
* Fix tevent_req style for sdap_async_sudo.
* Remove unhelpful vtable from sss_cache
* Remove dead netgroup functions
* Revert "Add a default section to a switch-statement"
* Add sysdb_search_service() helper function
* Use sysdb_search_service() for all svc queries
* Fix sdap reinit.
* Code can only check for cached passwords
* Add function to safely wipe memory.
* Add authtok utility functions.
* Change pam data auth tokens.
* Use new sysdb_search_service() in sss_cache
* The Big sysdb/domain split-up!
* Refactor sysdb initialization
* Refactor single domain initialization
* Remove the sysdb_ctx_get_domain() function.
* Make sysdb_user_dn() require a domain explicitly.
* Make sysdb_group_dn() require a domain explicitly.
* Make sysdb_netgroup_dn() require a domain explicitly.
* Make sysdb_netgroup_base_dn() require a domain.
* Make sysdb_domain_dn() require a domain.
* Make sysdb_custom_dn() require a domain.
* Make sysdb_custom_subtree_dn() require a domain.
* Move range objects into their own top-level tree.
* Upgrade DB and move ranges into top level object
* Pass domain to sysdb_get<pw/gr>nam() functions
* Pass domain to sysdb_get<pwu/grg><id() functions
* Pass domain to sysdb_enum<pw/gr>ebt() functions
* Add domain option to sysdb_get/netgr/attrs() fns
* Add domain argument to sysdb_initgroups()
* Add domain argument to sysdb_get_user_attr()
* Add domain to sysdb_search_user_by_name()
* Add domain to sysdb_search_user_by_uid()
* Add domain to sysdb_search_group_by_name()
* Add domain to sysdb_search_group_by_gid()
* Add domain arg to sysdb_search_netgroup_by_name()
* Add domain argument to sysdb_set_user_attr()
* Add domain argument to sysdb_set_group_attr()
* Add domain argument to sysdb_set_netgroup_attr()
* Add domain argument to sysdb_get_new_id()
* Add domain argument to sysdb_add_basic_user()
* Add domain argument to sysdb_add_user()
* Add domain arguments to sysdb_add_group functions.
* Add domain arguments to sysdb_add_inetgroup fns.
* Add domain argument to sysdb_store_user()
* Add domain argument to sysdb_store_group()
* Add domain arg to sysdb group member functions
* Add domain argument to sysdb_cache_password()
* Add domain argument to sysdb_cache_auth()
* Add domain argument to sysdb_store_custom()
* Add domain argument to sysdb_search_custom()
* Add domain to sysdb_delete_custom
* Add domain arg to sysdb_search_users()
* Add domain argument to sysdb_delete_user()
* Add domain argument to sysdb_search_groups()
* Add domain argument to sysdb_delete_group()
* Add domain arg to sysdb_search/delete_netgroup()
* Add domain argument to sysdb_has/set_enumerated()
* Add domain argument to sysdb_remove_attrs()
* Add domain argument to sysdb_idmap_ functions
* Add domain argument to sysdb_get_real_name()
* Add domain argument to sysdb autofs functions
* Add domain argument to sysdb selinux functions
* Add domain arguments to sysdb services functions
* Add domain arguments to sysdb ssh functions
* Add domain arguments to sysdb sudo functions
* Add domain to some subdomain functions
* Pass the domain to upgrade functions
* Move mpg flag to the domain where it belongs
* Kill sysdb->domain
* Stop creating fake sysdb contexts
* Tidy up BASE dn macros
* Remove outdated code.
* Move ldap provider access functions
* Remove sysdb as a be context structure member
* Remove sysdb as a be request structure member
* Remove sysdb argument from ipa_host_info_send()
* Remove unused structure
* Remove sysdb argument from hbac_user_attrs_to_rule()
* Remove sysdb arg from hbac_service_attrs_to_rule()
* Remove sysdb arg from hbac_*host_attrs_to_rule()
* Remove sysdb arg from ipa_hbac_service_info_send()
* Remove sysdb arg from [ipa_]hbac_sysdb_save()
* Remove sysdb argument from hbac_get_cached_rules()
* Remove hbac_ctx_sysdb()
* Remove hbac_ctx_be()
* Remove hbac_ctx_ev()
* Remove hbac_ctx_sdap_id_[ctx|op]()
* Move hbac_ctx_is_offline()
* Do not pass NULL to ipa_subdomain_retrieve()
* Split simple_access_check function out
* Pass domain not be_req to access check functions
* Remove domain from be_req structure
* Introduce be_req_terminate() helper
* Add be_req_create() helper
* Add be_req_get_be_ctx() helper.
* Add be_req_get_data() helper function.
* Make struct be_req opaque
* Add realm info to sss_domain_info
* Avoid sysdb_subdom in sysdb_get_subdomains()
* Update main domain info in place
* Refactor sysdb_master_domain_add_info()
* Add sysdb_subdomain_store() function
* Remove sysdb_subdom completely
* Add function get_next_domain()
* Add ability to disable domains
* Change the way domains are linked.
* Parent and subdomains use the same sysdb
* Introduce IS_SUBDOMAIN() macro
* krb5_child style fix
* Refactor krb5 child
* Add SSSD specific error codes and definitions
* Use SSSD specific errors for offline auth
* Return ERR_INTERNAL instead of EIO
* Cleanup error message handling for krb5 child
* Improve IS_SSSD_ERROR() macro
* Use common error facility instead of sdap_result
* Convert sdap_access to new error codes
* ldap: Fallback option for rfc2307 schema
* Further restrict become_user drop of privileges.
Stef Walter (1):
* Add a domain config attribute for realmd
Stephen Gallagher (13):
* LDAP: Better debug logging when saving groups
* Correct format security for talloc_named of auth tokens
* Fix minor grammar error in log
* NSS: Add original homedir to home directory template options
* BUILD: Build shared components as an internal shared library
* BUILD: Add contributed macros and aliases to simplify building
* BUILD: Include build aliases in the tarball
* BUILD: Fix cmocka detection
* BUILD: Fix up whitespace in Makefile.am
* BUILD: Always run distcheck and RPM tests in /dev/shm
* Remove old hash support from example spec
* Add 'description' attribute to SSSDConfig API
* Configure SYSV init scripts properly
Sumit Bose (54):
* Add a default section to a switch-statement
* Fix and rename get_my_domain_data()
* Refactoring: remove duplicated code in nss responder
* Allow usage of enterprise principals
* Make IPA SELinux provider aware of subdomain users
* Add override_homedir.xml to po4a.cfg
* Remove unused TALLOC_CTX from responder_get_domain()
* responder_get_domain: do not return disabled domains
* responder_get_domain(): remove timeout calculation
* LDAP: always store SID if available
* Add secid filter to responder-dp protocol
* Add two new request types to the data-provider interface
* Add idmap context to nss context
* Add responder_get_domain_by_id()
* sysdb: add sysdb_search_object_by_sid()
* Add sss_ncache_set_sid() and sss_ncache_check_sid()
* Remove unused attribute list
* Use struct to hold different types of request parameters
* Add SID related lookups to IPA subdomains
* Add SID related calls to the NSS responder
* Add client library for SID related lookups
* Add python interface to libsss_nss_idmap
* AD: read flat name and SID of the AD domain
* Add missing \n to debug string
* Fix missing initialization in Python bindings for libsss_nss_idmap
* Add support for tuples and unicode in pysss_nss_idmap.so
* Always update cached upn if enterprise principals are used
* Fix return code for AD subdomain request
* pysss_nss_idmap: do not treat strings as sequences
* IPA: Always initialize ID mapping
* Handle SID strings in sdap_attrs_get_sid_str() as well
* IPA: read user and group SID
* Add SID related requests to the LDAP provider
* Set canonicalize flag if enterprise principals are used
* Lookup domains at startup
* Add be request queue
* Use queue for get_subdomains
* Read SIDs of groups with sysdb_initgroups() as well
* Enhance PAC responder for AD users
* Intermittent fix for get_user_and_group_users_done
* Always send the PAC to the PAC responder
* Implicitly activate the PAC responder for AD provider
* Fix some doxygen warnings
* Use principal from the ticket to find validation entry
* Set default realm for enterprise principals
* PAC: do not expect that sysdb_search_object_by_sid() returns ENOENT
* PAC: do not delete originalDN or cached password if present
* KRB5: use the right authtok type for renewals
* Fix typo in pack_authtok()
* Revert "Always send the PAC to the PAC responder"
* krb5: do not send pac for IPA users from the local domain
* krb5: do not use enterprise principals for renewals
* Revert "Implicitly activate the PAC responder for AD provider"
* Use forest for GC SRV lookups
Thorsten Scherf (1):
* Updated Doxygen configuration to 1.8.1
Yuri Chornoivan (3):
* Fix typos in man pages
* Fix minor typos
* Fix minor typos