SSSD 2.2.2
==========
The SSSD team is proud to announce the release of version 2.2.2 of the System Security Services Daemon. The tarball can be downloaded from: https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:

https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
SSSD 2.2.2 (I have included SSSD 2.2.1 at the end as well)
==========================================================
Highlights
----------
New features
^^^^^^^^^^^^

None
Notable bug fixes
^^^^^^^^^^^^^^^^^

* Removing a domain from ``ad_enabled_domains`` was not reflected in SSSD's cache. This has been fixed.
* Because of a race condition, SSSD could crash during shutdown. The race condition was fixed.
* Fixed a bug that limited the number of external groups fetched by SSSD to 2000.
* pam_sss now properly creates the gnome keyring during login.
* SSSD with KCM could wrongly pick an older ccache instead of the latest one after login. This was fixed.
Packaging Changes
-----------------

None
Documentation Changes
---------------------

None
Tickets Fixed
-------------

* `3932 <https://pagure.io/SSSD/sssd/issue/3932>`_ - MAN: Document that PAM stack contains the systemd-user service in the account phase in recent distributions
* `4009 <https://pagure.io/SSSD/sssd/issue/4009>`_ - Removing domain from ad_enabled_domains is not reflected in cache
* `4058 <https://pagure.io/SSSD/sssd/issue/4058>`_ - Paging not enabled when fetching external groups, limits the number of external groups to 2000
* `4063 <https://pagure.io/SSSD/sssd/issue/4063>`_ - sssd-kcm: type confusion on KDC offset
* `4067 <https://pagure.io/SSSD/sssd/issue/4067>`_ - pam_sss with smartcard auth does not create gnome keyring
* `4068 <https://pagure.io/SSSD/sssd/issue/4068>`_ - pam_sss: empty smart card pin registers as authentication attempt
* `4069 <https://pagure.io/SSSD/sssd/issue/4069>`_ - pam_sss should reset PAM_USER based on use_fully_qualified_names option in sssd.conf
* `3996 <https://pagure.io/SSSD/sssd/issue/3996>`_ - sudo: do not update last usn when updating expired rules
* `4065 <https://pagure.io/SSSD/sssd/issue/4065>`_ - IFP: GetUserAttr does not search by UPN
* `4074 <https://pagure.io/SSSD/sssd/issue/4074>`_ - Integration tests use python2 unconditionally
Detailed changelog
------------------

Jakub Hrozek (6):
    MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8
    IPA: Allow paging when fetching external groups
    KCM: Use int32_t type conversion in DEBUG message for int32_t variable
    KCM: Add a forgotten return
    KCM: Allow modifications of ccache's principal
    KCM: Fill empty cache, do not initialize a new one
Lukas Slebodnik (18):
    BUILD: Add macro for checking python3 modules
    BUILD: Fix typo of detecting python module for intgcheck
    BUILD: Move checking of python2 modules for intgcheck
    BUILD: Add macro for checking pytest for intgcheck
    BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS
    BUILD: Move python checks for intgcheck to macro
    INTG: Do not hardcode version of python/pytest in intgcheck
    BUILD: Prefer python3 for intgcheck
    intg: Install python3 dependencies for intgcheck on new distros
    pyhbac: Fix warning Wdiscarded-qualifiers
    test_pam_responder: Fix unicode error
    SSSDConfig: Add minimal test for parse method
    SSSDConfig: Fix SyntaxWarning "is not" with a literal
    TESTS: Add minimal test for pysss encrypt
    pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN
    pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN
    test_pam_responder: Fix DeprecationWarning invalid escape sequence
    testlib: Fix SyntaxWarning "is" with a literal
Michal Židek (2):
    Bumping the version to track the 2.2.2 development
    Update the translations for the 2.2.2 release
Pavel Březina (12):
    ad: remove subdomain that has been disabled through ad_enabled_domains from sysdb
    sysdb: add sysdb_domain_set_enabled()
    ad: set enabled=false attribute for subdomains that no longer exist
    sysdb: read and interpret domain's enabled attribute
    sysdb: add sysdb_list_subdomains()
    ad: remove all subdomains if only master domain is enabled
    ad: make ad_enabled_domains case insensitive
    ci: use python2 version of pytest
    ci: pep8 was renamed to pycodestyle in Fedora 31
    ci: remove leftovers from previous rebase
    sudo: do not update last usn value on rules refresh
    ifp: let cache_req parse input name so it can fall back to upn search
Sumit Bose (5):
    pam: keep pin on the PAM stack for forward_pass
    pam: do not accept empty PIN
    pam: use PAM return codes where expected
    pam: set PAM_USER properly with allow_missing_name
    Revert "SERVER: Receiving SIGSEGV process on shutdown"
Tomas Halman (3):
    SERVER: Receiving SIGSEGV process on shutdown
    BE: Invalid operator used in condition
    SERVER: Receiving SIGSEGV process on shutdown
SSSD 2.2.1
==========
Highlights
----------
New features
^^^^^^^^^^^^

* New options were added which allow sssd-kcm to handle larger amounts of data. See the manual pages for ``max_ccaches``, ``max_uid_ccaches`` and ``max_ccache_size``.
* SSSD can now automatically refresh cached user data from subdomains in an IPA/AD trust.
Notable bug fixes
^^^^^^^^^^^^^^^^^

* Fixed an issue with SSSD hanging when connecting to a non-responsive server with ldaps://.
* SSSD is now restarted by systemd after crashes.
* Fixed a regression where, when dyndns_update was set to True and dyndns_refresh_interval was not set or was set to 0, DNS records were not updated at all.
* Fixed an issue where ``default_domain_suffix`` used together with ``id_provider = files`` caused all results from the files domain to be fully qualified.
* Fixed an issue with sudo rules not being visible on OpenLDAP servers.
* Fixed a crash with ``auth_provider = proxy`` that prevented logins.
Packaging Changes
-----------------

None
Documentation Changes
---------------------

* A new option ``dns_resolver_server_timeout`` was added
* A new option ``max_ccaches`` was added
* A new option ``max_uid_ccaches`` was added
* A new option ``max_ccache_size`` was added
* A new option ``ocsp_dgst`` was added
Tickets Fixed
-------------

* `2878 <https://pagure.io/SSSD/sssd/issue/2878>`_ - sssd failover does not work on connecting to non-responsive ldaps:// server
* `3217 <https://pagure.io/SSSD/sssd/issue/3217>`_ - Conflicting default timeout values
* `3386 <https://pagure.io/SSSD/sssd/issue/3386>`_ - sssd-kcm cannot handle big tickets
* `3489 <https://pagure.io/SSSD/sssd/issue/3489>`_ - p11_child should work with openssl1.0+
* `3685 <https://pagure.io/SSSD/sssd/issue/3685>`_ - KCM: Default to a new back end that would write to the secrets database directly
* `3833 <https://pagure.io/SSSD/sssd/issue/3833>`_ - port to pcre2
* `3894 <https://pagure.io/SSSD/sssd/issue/3894>`_ - multihost tests: ldb-tools is needed for multihost tests
* `3905 <https://pagure.io/SSSD/sssd/issue/3905>`_ - SSSD doesn't clear cache entries for IDs below min_id.
* `4012 <https://pagure.io/SSSD/sssd/issue/4012>`_ - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust
* `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ - EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1
* `4028 <https://pagure.io/SSSD/sssd/issue/4028>`_ - sssd-kcm calls sssd-genconf which triggers nscd warning
* `4037 <https://pagure.io/SSSD/sssd/issue/4037>`_ - Logins fail after upgrade to 2.2.0
* `4040 <https://pagure.io/SSSD/sssd/issue/4040>`_ - Reasonable to Restart sssd on crashes?
* `4046 <https://pagure.io/SSSD/sssd/issue/4046>`_ - sudo: incorrect usn value for openldap
* `4047 <https://pagure.io/SSSD/sssd/issue/4047>`_ - dyndns_update = True is no longer enough to get the IP address of the machine updated in IPA upon sssd.service startup
* `4050 <https://pagure.io/SSSD/sssd/issue/4050>`_ - nss_cmd_endservent resets the wrong index
* `4052 <https://pagure.io/SSSD/sssd/issue/4052>`_ - sssd config option "default_domain_suffix" should not cause the files domain entries to be qualified
* `3931 <https://pagure.io/SSSD/sssd/issue/3931>`_ - proxy provider is not working with enumerate=true when trying to fetch all groups
* `4043 <https://pagure.io/SSSD/sssd/issue/4043>`_ - Typo in systemd.m4 prevents detection of systemd.pc
* `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative cache does not use values from 'filter_users' config option
* `4032 <https://pagure.io/SSSD/sssd/issue/4032>`_ - p11_child::do_ocsp() function implementation is not FIPS140 compliant
* `4039 <https://pagure.io/SSSD/sssd/issue/4039>`_ - p11_child::sign_data() function implementation is not FIPS140 compliant
* `4056 <https://pagure.io/SSSD/sssd/issue/4056>`_ - permission denied on logs when running sssd as non-root user
* `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140 compliant usage of PRNG
* `2854 <https://pagure.io/SSSD/sssd/issue/2854>`_ - FAIL test-find-uid
* `3962 <https://pagure.io/SSSD/sssd/issue/3962>`_ - Problem with tests/cmocka/test_dyndns.c
* `4022 <https://pagure.io/SSSD/sssd/issue/4022>`_ - utils: sss_hmac_sha1() function implementation is not FIPS140 compliant
Detailed changelog
------------------

Alex Rodin (1):
    tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to tevent_loop_wait()
Alexey Tikhonov (14):
    util/crypto/libcrypto: changed sss_hmac_sha1()
    util/crypto/libcrypto: changed sss_hmac_sha1()
    util/secrets: memory leaks are fixed
    util/crypto/nss/nss_nite: params sanitization
    crypto/libcrypto/crypto_nite: HMAC calculation changed
    util/find_uid.c: fixed debug message
    util/find_uid.c: fixed race condition bug
    util/crypto: removed erroneous declaration
    util/crypto/sss_crypto.c: cleanup of includes
    util/crypto: generate_csprng_buffer() changed
    util/crypto: added sss_rand()
    crypto/libcrypto/crypto_nite.c: memory leak fixed
    FIPS140 compliant usage of PRNG
    crypto/nss: some nss_ctx_init() params made const
Jakub Hrozek (34):
    Updating the version for the 2.2.1 release
    TESTS: Install expect to drive password-change modifications
    TESTS: Also add LDAP password when creating users
    TESTS: Test changing LDAP password with extended operation and modification
    TEST: Add a multihost test for not returning / for an empty home dir
    MONITOR: Don't check for the nscd socket while regenerating configuration
    SYSDB: Add sysdb_search_with_ts_attr
    BE: search with sysdb_search_with_ts_attr
    BE: Enable refresh for multiple domains
    BE: Make be_refresh_ctx_init set up the periodical task, too
    BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end
    BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME
    BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx
    BE/LDAP: Split out a helper function from sdap_refresh for later reuse
    BE: Pass in filter_type when creating the refresh account request
    BE: Send refresh requests in batches
    BE: Extend be_ptask_create() with control when to schedule next run after success
    BE: Schedule the refresh interval from the finish time of the last run
    AD: Implement background refresh for AD domains
    IPA: Implement background refresh for IPA domains
    BE/IPA/AD/LDAP: Add initgroups refresh support
    BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication
    IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
    MAN: Amend the documentation for the background refresh
    DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function
    IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request
    MAN: Get rid of sssd-secrets reference
    MAN: Document that it is enough to systemctl restart sssd-kcm.service lately
    SECRETS: Use different option names from secrets and KCM for quota options
    SECRETS: Don't limit the global number of ccaches
    KCM: Pass confdb context to the ccache db initialization
    KCM: Configurable quotas for the secdb ccache back end
    TESTS: Add tests for the configurable quotas
    Don't qualify users from files domain when default_domain_suffix is set
Jakub Jelen (1):
    pam_sss: Add missing colon to the PIN prompt
Lukas Slebodnik (1):
    PROXY: Return data in output parameter if everything is OK
Michal Židek (2):
    TESTS: ldb-tools and sssd-tools are required for multihost tests
    Update the translations for the 2.2.1 release
Niranjan M.R (1):
    TESTS: Test kvno correctly displays version numbers of principals
Pavel Březina (11):
    ci: disable timeout
    ci: switch to new tooling and remove 'Read trusted files' stage
    ci: rebase pull request on the target branch
    ci: print node on which the test is being run
    sudo: use proper datetime for default modifyTimestamp value
    systemd: add Restart=on-failure to sssd.service
    man: fix description of dns_resolver_op_timeout
    man: fix description of dns_resolver_timeout
    failover: add dns_resolver_server_timeout option
    failover: change default timeouts
    config: add dns_resolver_op_timeout to option list
Sam Morris (1):
    build: fix detection of systemd.pc
Samuel Cabrero (1):
    nss: Fix command 'endservent' resetting wrong struct member
Sumit Bose (10):
    negcache: add fq-usernames of known domains to all UPN neg-caches
    p11_child: prefer better digest function if card supports it
    p11_child: fix a memory leak and other memory management issues
    pam: make sure p11_child.log has the right permissions
    ssh: make sure p11_child.log has the right permissions
    BE: make sure child log files have the right permissions
    utils: remove unused prototype (cert_to_ssh_key)
    utils: move parse_cert_verify_opts() into separate file
    p11_child: make OCSP digest configurable
    pam: fix loop in Smartcard authentication
Tomas Halman (9):
    MAN: ldap_user_home_directory default missing
    pcre: port to pcre2
    CACHE: SSSD doesn't clear cache entries
    LDAP: failover does not work on non-responsive ldaps
    CONFDB: Files domain if activated without .conf
    TESTS: adapt tests to enabled default files domain
    BE: Introduce flag for be_ptask_create
    BE: Convert be_ptask params to flags
    DYNDNS: dyndns_update is not enough
Yuri Chornoivan (1):
    Fix minor typos in docs