== SSSD 2.2.1 ==
The SSSD team is proud to announce the release of version 2.2.1 of the System Security Services Daemon. The tarball can be downloaded from: https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------

New features
^^^^^^^^^^^^
* New options were added which allow sssd-kcm to handle bigger data. See the manual pages for ``max_ccaches``, ``max_uid_ccaches`` and ``max_ccache_size``.
* SSSD can now automatically refresh cached user data from subdomains in an IPA/AD trust.

Notable bug fixes
^^^^^^^^^^^^^^^^^
* Fixed an issue with SSSD hanging when connecting to a non-responsive server with ldaps://
* SSSD is now restarted by systemd after crashes.
* Fixed a regression where, when dyndns_update was set to True and dyndns_refresh_interval was not set or set to 0, DNS records were not updated at all.
* Fixed an issue where ``default_domain_suffix`` used with ``id_provider = files`` caused all results from the files domain to be fully qualified.
* Fixed an issue with sudo rules not being visible on OpenLDAP servers.
* Fixed a crash with ``auth_provider = proxy`` that prevented logins.
Packaging Changes
-----------------
None
Documentation Changes
---------------------
* A new option ``dns_resolver_server_timeout`` was added.
* A new option ``max_ccaches`` was added.
* A new option ``max_uid_ccaches`` was added.
* A new option ``max_ccache_size`` was added.
* A new option ``ocsp_dgst`` was added.
Tickets Fixed
-------------
* `2878 <https://pagure.io/SSSD/sssd/issue/2878>`_ - sssd failover does not work on connecting to non-responsive ldaps:// server
* `3217 <https://pagure.io/SSSD/sssd/issue/3217>`_ - Conflicting default timeout values
* `3386 <https://pagure.io/SSSD/sssd/issue/3386>`_ - sssd-kcm cannot handle big tickets
* `3489 <https://pagure.io/SSSD/sssd/issue/3489>`_ - p11_child should work with openssl1.0+
* `3685 <https://pagure.io/SSSD/sssd/issue/3685>`_ - KCM: Default to a new back end that would write to the secrets database directly
* `3833 <https://pagure.io/SSSD/sssd/issue/3833>`_ - port to pcre2
* `3894 <https://pagure.io/SSSD/sssd/issue/3894>`_ - multihost tests: ldb-tools is needed for multihost tests
* `3905 <https://pagure.io/SSSD/sssd/issue/3905>`_ - SSSD doesn't clear cache entries for IDs below min_id.
* `4012 <https://pagure.io/SSSD/sssd/issue/4012>`_ - SSSD is not refreshing cached user data for the ipa sub-domain in a IPA/AD trust
* `4026 <https://pagure.io/SSSD/sssd/issue/4026>`_ - EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1
* `4028 <https://pagure.io/SSSD/sssd/issue/4028>`_ - sssd-kcm calls sssd-genconf which triggers nscd warning
* `4037 <https://pagure.io/SSSD/sssd/issue/4037>`_ - Logins fail after upgrade to 2.2.0
* `4040 <https://pagure.io/SSSD/sssd/issue/4040>`_ - Reasonable to Restart sssd on crashes?
* `4046 <https://pagure.io/SSSD/sssd/issue/4046>`_ - sudo: incorrect usn value for openldap
* `4047 <https://pagure.io/SSSD/sssd/issue/4047>`_ - dyndns_update = True is no longer not enough to get the IP address of the machine updated in IPA upon sssd.service startup
* `4050 <https://pagure.io/SSSD/sssd/issue/4050>`_ - nss_cmd_endservent resets the wrong index
* `4052 <https://pagure.io/SSSD/sssd/issue/4052>`_ - sssd config option "default_domain_suffix" should not cause the files domain entries to be qualified
* `3931 <https://pagure.io/SSSD/sssd/issue/3931>`_ - proxy provider is not working with enumerate=true when trying to fetch all groups
* `4043 <https://pagure.io/SSSD/sssd/issue/4043>`_ - Typo in systemd.m4 prevents detection of systemd.pc
* `3978 <https://pagure.io/SSSD/sssd/issue/3978>`_ - UPN negative cache does not use values from 'filter_users' config option
* `4032 <https://pagure.io/SSSD/sssd/issue/4032>`_ - p11_child::do_ocsp() function implementation is not FIPS140 compliant
* `4039 <https://pagure.io/SSSD/sssd/issue/4039>`_ - p11_child::sign_data() function implementation is not FIPS140 compliant
* `4056 <https://pagure.io/SSSD/sssd/issue/4056>`_ - permission denied on logs when running sssd as non-root user
* `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140 compliant usage of PRNG
* `2854 <https://pagure.io/SSSD/sssd/issue/2854>`_ - FAIL test-find-uid
* `3962 <https://pagure.io/SSSD/sssd/issue/3962>`_ - Problem with tests/cmocka/test_dyndns.c
* `4022 <https://pagure.io/SSSD/sssd/issue/4022>`_ - utils: sss_hmac_sha1() function implementation is not FIPS140 compliant
Detailed changelog
------------------

Alex Rodin (1):
      tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to tevent_loop_wait()

Alexey Tikhonov (14):
      util/crypto/libcrypto: changed sss_hmac_sha1()
      util/crypto/libcrypto: changed sss_hmac_sha1()
      util/secrets: memory leaks are fixed
      util/crypto/nss/nss_nite: params sanitization
      crypto/libcrypto/crypto_nite: HMAC calculation changed
      util/find_uid.c: fixed debug message
      util/find_uid.c: fixed race condition bug
      util/crypto: removed erroneous declaration
      util/crypto/sss_crypto.c: cleanup of includes
      util/crypto: generate_csprng_buffer() changed
      util/crypto: added sss_rand()
      crypto/libcrypto/crypto_nite.c: memory leak fixed
      FIPS140 compliant usage of PRNG
      crypto/nss: some nss_ctx_init() params made const

Jakub Hrozek (34):
      Updating the version for the 2.2.1 release
      TESTS: Install expect to drive password-change modifications
      TESTS: Also add LDAP password when creating users
      TESTS: Test changing LDAP password with extended operation and modification
      TEST: Add a multihost test for not returning / for an empty home dir
      MONITOR: Don't check for the nscd socket while regenerating configuration
      SYSDB: Add sysdb_search_with_ts_attr
      BE: search with sysdb_search_with_ts_attr
      BE: Enable refresh for multiple domains
      BE: Make be_refresh_ctx_init set up the periodical task, too
      BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end
      BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME
      BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx
      BE/LDAP: Split out a helper function from sdap_refresh for later reuse
      BE: Pass in filter_type when creating the refresh account request
      BE: Send refresh requests in batches
      BE: Extend be_ptask_create() with control when to schedule next run after success
      BE: Schedule the refresh interval from the finish time of the last run
      AD: Implement background refresh for AD domains
      IPA: Implement background refresh for IPA domains
      BE/IPA/AD/LDAP: Add initgroups refresh support
      BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication
      IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
      MAN: Amend the documentation for the background refresh
      DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function
      IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request
      MAN: Get rid of sssd-secrets reference
      MAN: Document that it is enough to systemctl restart sssd-kcm.service lately
      SECRETS: Use different option names from secrets and KCM for quota options
      SECRETS: Don't limit the global number of ccaches
      KCM: Pass confdb context to the ccache db initialization
      KCM: Configurable quotas for the secdb ccache back end
      TESTS: Add tests for the configurable quotas
      Don't qualify users from files domain when default_domain_suffix is set

Jakub Jelen (1):
      pam_sss: Add missing colon to the PIN prompt

Lukas Slebodnik (1):
      PROXY: Return data in output parameter if everything is OK

Michal Židek (2):
      TESTS: ldb-tools and sssd-tools are required for multihost tests
      Update the translations for the 2.2.1 release

Niranjan M.R (1):
      TESTS: Test kvno correctly displays version numbers of principals

Pavel Březina (11):
      ci: disable timeout
      ci: switch to new tooling and remove 'Read trusted files' stage
      ci: rebase pull request on the target branch
      ci: print node on which the test is being run
      sudo: use proper datetime for default modifyTimestamp value
      systemd: add Restart=on-failure to sssd.service
      man: fix description of dns_resolver_op_timeout
      man: fix description of dns_resolver_timeout
      failover: add dns_resolver_server_timeout option
      failover: change default timeouts
      config: add dns_resolver_op_timeout to option list

Sam Morris (1):
      build: fix detection of systemd.pc

Samuel Cabrero (1):
      nss: Fix command 'endservent' resetting wrong struct member

Sumit Bose (10):
      negcache: add fq-usernames of known domains to all UPN neg-caches
      p11_child: prefer better digest function if card supports it
      p11_child: fix a memory leak and other memory management issues
      pam: make sure p11_child.log has the right permissions
      ssh: make sure p11_child.log has the right permissions
      BE: make sure child log files have the right permissions
      utils: remove unused prototype (cert_to_ssh_key)
      utils: move parse_cert_verify_opts() into separate file
      p11_child: make OCSP digest configurable
      pam: fix loop in Smartcard authentication

Tomas Halman (9):
      MAN: ldap_user_home_directory default missing
      pcre: port to pcre2
      CACHE: SSSD doesn't clear cache entries
      LDAP: failover does not work on non-responsive ldaps
      CONFDB: Files domain if activated without .conf
      TESTS: adapt tests to enabled default files domain
      BE: Introduce flag for be_ptask_create
      BE: Convert be_ptask params to flags
      DYNDNS: dyndns_update is not enough

Yuri Chornoivan (1):
      Fix minor typos in docs
I am sorry I did not include all translation files into the tarball for this release. I will do another minor release that will update the translation as well.
Please disregard the 2.2.1 version. Sorry for the inconvenience.
Michal
On 8/28/19 10:07 AM, Michal Židek wrote:
On (29/08/19 14:38), Michal Židek wrote:
I am sorry I did not include all translation files into the tarball for this release. I will do another minor release that will update the translation as well.
Please disregard the 2.2.1 version. Sorry for the inconvenience.
And the release notes are missing as well https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_1.html and they are not listed in https://docs.pagure.org/SSSD.sssd/users/relnotes/ either.
LS
On 29.8.2019 15.38, Michal Židek wrote:
I am sorry I did not include all translation files into the tarball for this release. I will do another minor release that will update the translation as well.
Please disregard the 2.2.1 version. Sorry for the inconvenience.
2.2.1 is still the latest, should there be a 2.2.2 by now?
On 9/12/19 2:59 PM, Timo Aaltonen wrote:
On 29.8.2019 15.38, Michal Židek wrote:
I am sorry I did not include all translation files into the tarball for this release. I will do another minor release that will update the translation as well.
Please disregard the 2.2.1 version. Sorry for the inconvenience.
2.2.1 is still the latest, should there be a 2.2.2 by now?
Just uploaded the tarball for 2.2.2 to the releases folder https://releases.pagure.org/SSSD/sssd/
will send the announcement soon with release notes.
Michal