=== SSSD 1.12.4 ===
The SSSD team is proud to announce the release of version 1.12.4 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 21, 22 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This is mostly a bug fixing release with only minor enhancements visible to the end user
* Contains many fixes and enhancements related to the ID views functionality of FreeIPA servers
* Several fixes related to retrieving AD group membership in an IPA-AD trust scenario
* Fixes a bug where the GPO access control previously didn't work at all if debugging was enabled in smb.conf.
* SSSD can now be pinned to a particular AD site instead of autodiscovering the site
* A regression that caused setting the SELinux context for IPA users to fail was fixed
* Fixed a potential crash caused by a double-free error when an SSSD service was killed by the monitor process
== Packaging Changes ==
* Several patches that allow building the Python code in SSSD with python3 were merged
== Documentation Changes ==
* A new option ad_site was added. When this option is set, SSSD will attempt to connect to DCs from this particular AD site instead of looking up the site via DNS
* The ad_gpo_map_permit option now also includes the systemd-user service to avoid errors in processing of the PAM session stack
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1991 Make return codes of basic sysdb operations consistent
https://fedorahosted.org/sssd/ticket/2203 Write message to syslog about users with duplicated UID
https://fedorahosted.org/sssd/ticket/2376 Investigate Kerberized NFS4 setup with the new NFS plugin
https://fedorahosted.org/sssd/ticket/2486 [RFE] ad provider dns_discovery_domain option: kerberos discovery is not using this option
https://fedorahosted.org/sssd/ticket/2515 sssd-ad: The man page description to enable GPO HBAC Policies are unclear
https://fedorahosted.org/sssd/ticket/2525 Monitor SIGKILL timer issue and service restart failure
https://fedorahosted.org/sssd/ticket/2527 sssd.conf(5) man page gives bad advice about domains parameter
https://fedorahosted.org/sssd/ticket/2531 sssd_be crashes in nested LDAP code with a use-after-free error
https://fedorahosted.org/sssd/ticket/2542 GPO offline processing rejects access if no applicable GPOs are find in the cache
https://fedorahosted.org/sssd/ticket/2543 GPO code fails if no LDAP URI can be resolved
https://fedorahosted.org/sssd/ticket/2544 GPO: libsmbclient logs to stdout by default, cluttering gpo_child output
https://fedorahosted.org/sssd/ticket/2547 gzip: stdin: file size changed while zipping when rotating logfile
https://fedorahosted.org/sssd/ticket/2548 Document that dyndns_iface only supports a single interface
https://fedorahosted.org/sssd/ticket/2550 libsss_simpleifp should pull sssd-dbus
https://fedorahosted.org/sssd/ticket/2556 add systemd-user to default gpo list
https://fedorahosted.org/sssd/ticket/2557 pam_sss(sshd:auth): authentication failure with user from AD
https://fedorahosted.org/sssd/ticket/2559 PAC responder is called after krb5_child switches to the user logging in
https://fedorahosted.org/sssd/ticket/2560 Users saved throug extop don't have the originalMemberOf attribute
https://fedorahosted.org/sssd/ticket/2563 Need to set different umask in selinux_child
https://fedorahosted.org/sssd/ticket/2564 selinux_child needs to setuid(0) to make libselinux work as non-root
https://fedorahosted.org/sssd/ticket/2566 Uncached SIDs cannot be resolved
https://fedorahosted.org/sssd/ticket/2567 Same member saved as ghost and as member in IPA server mode
https://fedorahosted.org/sssd/ticket/2571 IPA initgroups don't work correctly in non-default view
https://fedorahosted.org/sssd/ticket/2572 [abrt] sssd-common: talloc_abort(): sssd killed by SIGABRT
https://fedorahosted.org/sssd/ticket/2586 user_attributes missing from ifp schema
== Detailed Changelog ==
Bohuslav Kabrda (1):
* Python3 support in SSSD
Jakub Hrozek (23):
* Updating the version to the 1.12.4 release
* GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()
* TESTS: Cover sysdb_gpo.c with unit tests
* GPO: Set libsmb debugging to stderr
* UTIL: Allow dup-ing child pipe to a different FD
* GPO: Don't use stdout for output in gpo_child
* GPO: Extract server hostname after connecting
* krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW
* Open the PAC socket from krb5_child before dropping root
* IPA: Use attr's dom for users, too
* SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root
* SELINUX: Set and reset umask when caling set_seuser from deamon code
* LDAP: Add UUID when saving incomplete groups
* IPA: Resolve IPA user groups' overrideDN in non-default view
* LDAP: Rename the _res output parameter to avoid clashing with libresolv in tests
* RESOLV: Add an internal function to read TTL from a DNS packet
* resolv: Fix a typo
* SELINUX: Check the return value of setuid and setgid
* BUILD: Include python-test.py in the tarball
* GPO: Better debugging for gpo_child's mkdir
* LDAP: Add better DEBUG messages to the cleanup task
* LDAP: Handle ENOENT better in the cleanup task
* Updating translations for the 1.12.4 release
Lukas Slebodnik (11):
* logrotate: Fix warning file size changed while zipping
* PROXY: Fix use after free
* pysss: Fix double free
* MONITOR: Fix double free
* SSSDConfig: Remove unused exception name
* SSSDConfig: Port missing parts to python3
* Remove strict requirements of python2
* sbus_codegen: Port to python3
* Add missing new lines to debug messages
* CONFIGURE: Do not use macro AC_PROG_MKDIR_P twice
* RESPONDERS: Warn to syslog about colliding objects
Pavel Březina (1):
* spec: sifp requires sssd-dbus
Pavel Reichl (6):
* GPO: add systemd-user to gpo default permit list
* MAN: dyndns_iface supports only one interface
* MAN: add dots as valid character in domain names
* AD: add new option ad_site
* AD: support for AD site override
* MAN: amend sss_ssh_authorizedkeys
Rob Crittenden (1):
* Add user_attributes to ifp section of API schema
Sumit Bose (24):
* IPA: add get_be_acct_req_for_user_name()
* IPA: resolve ghost members if a non-default view is applied
* sysdb: fix group members with overridden names
* IPA: ipa_resolve_user_list_send() take care of overrides
* IPA: do not look up overrides on client with default view
* IPA: make version check more precise
* IPA: add missing break
* IPA: process_members() optionally return missing members list
* IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()
* IPA: resolve missing members
* IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLIST
* krb5: fix entry order in MEMORY keytab
* nss: make fill_orig() multi-value aware
* nss: refactor fill_orig()
* nss: Add original DN and memberOf to origbyname request
* views: fix GID overrride for mpg domains
* IPA: properly handle mixed-case trusted domains
* nss: fix SID lookups
* sysdb: remove ghosts in all sub-domains as well
* IPA: resolve IPA group-memberships for AD users
* IPA: process_members() add ghosts only once
* ipa_s2n_save_objects: properly handle fully-qualified group names
* AD: use GC for SID requests as well
* fill_id() fix LE/BE issue with wrong data type
On Wed, Feb 18, 2015 at 07:52:50PM +0100, Jakub Hrozek wrote:
> == Packaging Changes ==
> - Several patches that allow building the Python code in SSSD with python3 were merged
The note above was ambiguous and confusing. Let me clarify:
With the patches merged to 1.12.4, the SSSD python bindings can be built and used with either python2 or python3, but not both at the same time.
Patches to implement support for both python2 and python3 are pending review on the sssd-devel mailing list and are expected to land in 1.12.5.
On (18/02/15 19:52), Jakub Hrozek wrote:
> === SSSD 1.12.4 ===
> The SSSD team is proud to announce the release of version 1.12.4 of the System Security Services Daemon.
> As always, the source is available from https://fedorahosted.org/sssd
> RPM packages will be made available for Fedora 21, 22 and rawhide shortly.
Packages for some older distributions than Fedora 21 are available in COPR http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> == Feedback ==
> Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
LS