=== SSSD 1.15.0 ===
The SSSD team is proud to announce the release of version 1.15.0 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
* SSSD now allows the responders to be activated by the systemd service manager and exit when idle. This means the services line in sssd.conf is optional and the responders can be started on-demand, simplifying the sssd configuration. Please note that this change is backwards-compatible and the responders listed explicitly in sssd.conf's services line are managed by sssd in the same manner as in previous releases. Please refer to man sssd.conf(5) for more information
* The sudo provider is no longer disabled for configurations that do not explicitly include the sudo responder in the services list. In order to disable the sudo-related back end code that executes the periodic LDAP queries, set the sudo_provider to none explicitly
* The watchdog signal handler no longer uses signal-unsafe functions. This bug was causing a deadlock in case the watchdog was about to kill a stuck process
* A bug that prevented TLS to be set up correctly on systems where libldap links with GnuTLS was fixed
* The functionality to alter SSSD configuration through the D-Bus interface provided by the IFP responder was removed. This functionality was not used to the best of our knowledge, had no tests and prevented the InfoPipe responder from running as a non-privileged user.
* A bug that prevented statically-linked applications from using libnss_sss was fixed by removing dependency on -lpthreads from the libnss_sss library (please see https://sourceware.org/bugzilla/show_bug.cgi?id=20500 for an example on why linking with -lpthread from an NSS modules is problematic)
* Previously, SSSD did not ignore GPOs that were missing the gPCFunctionalityVersion attribute and failed the whole GPO processing. Starting with this version, the GPOs without the gPCFunctionalityVersion are skipped.

== Packaging Changes ==
* The Augeas development libraries are no longer required since the configuration manipulation interface was dropped from the InfoPipe responder
* The libsss_config.so internal library was removed as well due to removal of the InfoPipe config management
* In order to manage socket-activated or bus activated responders, each responder is now represented by a systemd service file (e.g. sssd-nss.service). All responders except InfoPipe, which is bus-activated, are also managed by a socket unit file (e.g. sssd-nss.socket)

== Documentation Changes ==
* The sssd-secrets responder gained a new option max_payload_size that allows the administrator to limit the maximum size of a secret
* A new option responder_idle_timeout was added to support idle termination of socket-activated responders
* The sssd-ad and sssd-ipa man pages now summarize differences between the generic Kerberos/LDAP back end and the specialized IPA/AD back ends

== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/697 Use command line arguments instead env vars for krb5_child
https://fedorahosted.org/sssd/ticket/2201 Man pages do not specify that sssd dyndns_refresh_interval < 60 is pulled to 60 seconds
https://fedorahosted.org/sssd/ticket/2243 [RFE] Socket-activate responders
https://fedorahosted.org/sssd/ticket/2517 krb5_child: Remove getenv() ran as root
https://fedorahosted.org/sssd/ticket/3060 better debugging of timestamp cache modifications
https://fedorahosted.org/sssd/ticket/3129 [RFE] socket-activate the IFP responder
https://fedorahosted.org/sssd/ticket/3151 cache_req: complete the needs of NSS responders
https://fedorahosted.org/sssd/ticket/3156 nss_sss might leak memory when calling thread goes away
https://fedorahosted.org/sssd/ticket/3214 Update man pages for any AD provider config options that differ from ldap/krb5 providers defaults
https://fedorahosted.org/sssd/ticket/3215 Review and update SSSD's wiki pages for 1.15 Alpha release
https://fedorahosted.org/sssd/ticket/3235 SSSCTL should not be case sensitive when searching for usernames or groups in a case-insensitive domain
https://fedorahosted.org/sssd/ticket/3245 [RFE] Shutdown timeout for {socket,bus}-activated responders
https://fedorahosted.org/sssd/ticket/3275 Unchecked return value of sss_cmd_empty_packet(pctx->creq->out);
https://fedorahosted.org/sssd/ticket/3283 getsidbyid can fail in some cases due to cache_req refactoring
https://fedorahosted.org/sssd/ticket/3284 getsidbyname does not work properly with case insensitive domains
== Detailed Changelog ==
Amith Kumar (1):
* MAN: Updation of sssd-ad man page for case when dyndns_refresh_interval < 60 seconds

Carl Henrik Lunde (1):
* Prevent use after free in fd_input_available

David Michael (1):
* BUILD: Find a host-prefixed krb5-config when cross-compiling

Fabiano Fidêncio (34):
* SECRETS: Fix secrets rule in the allowed sections
* SECRETS: Add allowed_sec_users_options
* SECRETS: Delete all secrets stored during "max_secrets" test
* SECRETS: Add configurable payload size limit of a secret
* BUILD: Drop libsss_config
* IFP: Remove "ChangeDebugTemporarily" method
* AUTOFS: Check return of sss_cmd_empty_packet()
* SUDO: Drop logic to disable the backend in case the provider is not set
* MONITOR: Expose the monitor's services type
* MONITOR: Pass the service type to the RegisterService method
* UTIL: Introduce --socket-activated cmdline option for responders
* UTIL: Introduce --dbus-activated cmd option for responders
* RESPONDER: Make responders' common code ready for socket activation
* AUTOFS: Make AutoFS responder socket-activatable
* NSS: Make NSS responder socket-activatable
* PAC: Make PAC responder socket-activatable
* PAM: Make PAM responder socket-activatable
* SSH: Make SSH responder socket-activatable
* SUDO: Make Sudo responder socket-activatable
* IFP: Make IFP responder dbus-activatable
* MONITOR: Split up check_services()
* MONITOR: Deal with no services set up
* MONITOR: Deal with socket-activated responders
* MAN: Mention that the services' list is optional
* MAN: "user" doesn't work with socket-activated services
* MONITOR: Don't expose monitor_common_send_id()
* SBUS: Add a time_t pointer to the sbus_connection
* SBUS: Add destructor data to sbus_connection
* RESPONDER: Make clear {reset_,}idle_timer() are related to client
* RESPONDER: Don't expose client_idle_handler()
* RESPONDER: Shutdown {dbus,socket}-activated responders in case they're idle
* RESPONDER: Change how client timeout is calculated
* SERVER: Set the process group during server_setup()
* WATCHDOG: Avoid non async-signal-safe from the signal_handler

Howard Guo (1):
* sss_client: Defer thread cancellation until completion of nss/pam operations

Jakub Hrozek (16):
* Updating the version for the 1.14.3 development
* Updating the version to track sssd-1-15 development
* SYSDB: Split sysdb_try_to_find_expected_dn() into smaller functions
* SYSDB: Augment sysdb_try_to_find_expected_dn to match search base as well
* MONITOR: Do not set up watchdog for monitor
* MONITOR: Remove deprecated pong sbus method
* MONITOR: Remove unused shutDown sbus method
* Qualify ghost user attribute in case ldap_group_nesting_level is set to 0
* tests: Add a test for group resolution with ldap_group_nesting_level=0
* BUILD: Fix a typo in inotify.m4
* SSH: Use default_domain_suffix for users' authorized keys
* SYSDB: Suppress sysdb_delete_ts_entry failed: 0
* STAP: Only print transaction statistics if the script caught some transactions
* test_sssctl: Add an integration test for sssctl netgroup-show
* KRB5: Advise the user to inspect the krb5_child.log if the child fails with a System Error
* IFP: Fix GetUserAttr

Justin Stephenson (2):
* MAN: Document different defaults for AD provider
* MAN: Document different defaults for IPA provider

Lukas Slebodnik (45):
* crypto: Port libcrypto code to openssl-1.1
* BUILD: Fix build without samba
* libcrypto: Check right value of CRYPTO_memcmp
* crypto-tests: Add unit test for sss_encrypt + sss_decrypt
* crypto-tests: Rename encrypt decrypt test case
* BUILD: Accept krb5 1.15 for building the PAC plugin
* dlopen-test: Use portable macro for location of .libs
* dlopen-test: Add missing libraries to the check list
* dlopen-test: Move libraries to the right "sections"
* dlopen-test: Add check for untested libraries
* BUILD: Fix linking with librt
* KRB5: Remove spurious warning in logs
* TESTS: Check new line at end of file
* UTIL: Fix implicit declaration of function 'htobe32'
* SYSDB: Remove unused prototype from header file
* sssctl: Fix missing declaration
* UTIL: Fix compilation of sss_utf8 with libunistring
* CONFDB: Supress clang false passitive warnings
* SIFP: Fix warning format-security
* RESPONDER: Remove dead assignment to the variable ret
* Fix compilation with python3.6
* intg: Generate tmp dir with lowercase
* LDAP: Fix debug messages after errors in *_get_send
* LDAP: Removed unused attr_type from users_get_send
* LDAP: Remove unused parameter attr_type from groups_get_send
* DP: Remove unused constants BE_ATTR_*
* DP: Remove unused attr_type from struct dp_id_data
* LDAP: Remove attrs_type related TODO comments
* sssd_ldb.py: Remove a leftover debug message
* intg: Fix python2,3 urllib
* intg: Avoid using xrange in tests
* intg: Avoid using iteritems for dictionary
* intg: Use bytes with hash function
* intg: Fix creating of slapd configuration
* intg: Use bytes for value of attributes in ldif
* intg: Use bytes as input in ctypes
* intg: Return strings from ctypes wrappers
* intg: Convert output of executed commands to strings
* intg: Return list for enumeration functions
* SYSDB: Update filter for get object by id
* sysdb-tests: Add test for sysdb_search_object_by_id
* sysdb: Search also aliases in sysdb_search_object_by_name
* sysdb-tests: Add test for sysdb_search_object_by_name
* MONITOR: Fix warning with undefined macro HAVE_SYSTEMD
* UTIL: Unset O_NONBLOCK for ldap connection

Michal Židek (7):
* sssctl: Flags for command initialization
* ipa: Nested netgroups do not work
* common: Fix domain case sensitivity init
* sssctl: Search by alias
* sssctl: Case insensitive filters
* tests: sssctl user/group-show basic tests
* MAN: sssctl debug level

Mike Ely (1):
* ad_access_filter search for nested groups

Pavel Březina (40):
* cache_req: move from switch to plugins; add logic
* cache_req: move from switch to plugins, add plugins
* cache_req: switch to new code
* cache_req: delete old code
* sudo: do not store usn if no rules are found
* nss: move nss_ctx->global_names to rctx
* ifp: remove unused fields from state
* setent_notify: remove unused private context
* sss_crypto.h: include required headers
* sss_output_name: do not require fq name
* cache_req: fix initgroups by name
* cache_req: skip first search on bypass cache
* cache_req: encapsulate output data into structure
* cache_req: add ability to gather result from all domains
* cache_req: add ability to filter domains by enumeration
* cache_req: add user enumeration
* cache_req: add group enumeration
* cache_req: add support for service by name
* cache_req: add support for service by port
* cache_req: add support for services enumeration
* cache_req: add support for netgroups
* cache_req: allow shallow copy of result
* cache_req: allow to return well known object as result
* cache_req: return well known objects in object by sid
* cache_req: make sure that we always fetch default attrs
* cache_req: allow upn search with attrs
* cache_req: add object by name
* cache_req: add object by id
* cache_req: make plug-ins definition const
* cache_req: improve debugging
* cache_req: fix plugin function description
* cache_req: allow to search subdomains without fqn
* cache_req: do not set ncache if dp request fails
* responders: unify usage of sss_cmd_send_empty and _error
* responders: remove checks that are handled inside cache_req
* responders: do not try to contact DP with LOCAL provider
* utils: add sss_ptr_hash module
* nss: rewrite nss responder so it uses cache_req
* nss: make nss responder tests work with new code
* nss: remove the old code

Petr Cech (2):
* SYSDB: Adding message to inform which cache is used
* SYSDB: Adding message about reason why cache changed

Petr Čech (5):
* SYSDB: Adding lowercase sudoUser form
* TESTS: Extending sysdb sudo store tests
* RESPONDER: Adding of return value checking
* UTIL: Removing of never read value
* SYSDB: Fixing of sudorule without a sudoUser

Sorah Fukumori (1):
* BUILD: Fix installation without samba

Sumit Bose (11):
* sysdb: add parent_dom to sysdb_get_direct_parents()
* sdap: make some nested group related calls public
* LDAP/AD: resolve domain local groups for remote users
* PAM: add a test for filter_responses()
* PAM: add pam_response_filter option
* IPA/AD: check auth ctx before using it
* krb5: Use command line arguments instead env vars for krb5_child
* krb5: fix two memory leaks
* krb5: add tests for common functions
* sss_ptr_hash_delete_all: use unsigned long int
* libwbclient-sssd: wbcLookupSid() allow NULL arguments

Victor Tapia (1):
* MONITOR: Create pidfile after responders started
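
The watchdog highlight in the announcement above concerns async-signal-safety. The following is an added example, not SSSD's code and not part of the original message: a watchdog handler that restricts itself to `sig_atomic_t` flags, `write()` and `_exit()`. All `wd_*` names, the tick limit, the exit status and the dry-run switch are assumptions made for the illustration.

```c
/* Added example (not SSSD source): a watchdog signal handler restricted to
 * async-signal-safe operations. All names and constants are assumptions. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define WD_MAX_TICKS 3  /* assumed: missed heartbeats tolerated before abort */
#define WD_EXIT_CODE 70 /* assumed exit status for a watchdog kill */

static volatile sig_atomic_t wd_ticks;   /* ticks since the last heartbeat */
static volatile sig_atomic_t wd_fired;   /* set once the limit was exceeded */
static volatile sig_atomic_t wd_dry_run; /* tests: record instead of exiting */

/*
 * Why an unsafe handler deadlocks: if the signal interrupts the main program
 * inside malloc(), stdio or syslog() while it holds an internal lock, and the
 * handler calls into the same facility, the handler waits for a lock that can
 * never be released. The stuck process the watchdog meant to kill then hangs.
 *
 * This handler only touches sig_atomic_t flags and calls write() and _exit(),
 * both of which POSIX lists as async-signal-safe. errno is saved and restored
 * because write() may change it underneath the interrupted code.
 */
static void wd_handler(int signo)
{
    static const char msg[] = "watchdog: no heartbeat, terminating\n";
    int saved_errno = errno;
    ssize_t n;

    (void)signo;
    wd_ticks = wd_ticks + 1;
    if (wd_ticks > WD_MAX_TICKS) {
        n = write(STDERR_FILENO, msg, sizeof(msg) - 1);
        (void)n;
        wd_fired = 1;
        if (!wd_dry_run) {
            _exit(WD_EXIT_CODE);
        }
    }
    errno = saved_errno;
}

/* Install the handler on SIGALRM; returns 0 on success, -1 on failure. */
int wd_install(int dry_run)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = wd_handler;
    sigfillset(&sa.sa_mask);  /* no other signal may nest inside the handler */
    sa.sa_flags = SA_RESTART;
    wd_ticks = 0;
    wd_fired = 0;
    wd_dry_run = dry_run;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the main loop whenever it makes progress. */
void wd_heartbeat(void)
{
    wd_ticks = 0;
}

int wd_pending_ticks(void)
{
    return wd_ticks;
}

/* Deliver n timer ticks synchronously; returns 1 if the watchdog fired. */
int wd_simulate_ticks(int n)
{
    for (int i = 0; i < n; i++) {
        raise(SIGALRM);
    }
    return wd_fired;
}

int main(void)
{
    if (wd_install(1) != 0) {
        perror("sigaction");
        return 1;
    }
    wd_simulate_ticks(WD_MAX_TICKS);  /* loop is slow but within the limit */
    wd_heartbeat();                   /* progress resets the counter */
    printf("after heartbeat: fired=%d\n", wd_simulate_ticks(1));
    printf("stuck loop:      fired=%d\n", wd_simulate_ticks(WD_MAX_TICKS));
    return 0;
}
```

In a real daemon the ticks would come from an interval timer rather than `raise()`, and `wd_install(0)` would let the handler terminate the process.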
FWIW: You can find repos containing packages of sssd 1.15.0 for various openSUSE versions from here:
https://build.opensuse.org/package/show/network:ldap/sssd
Ciao, Michael.
On Mon, Jan 30, 2017 at 08:33:48AM +0100, Michael Ströder wrote:
FWIW: You can find repos containing packages of sssd 1.15.0 for various openSUSE versions from here:
Thank you very much. Is that a one-off build or do you plan on building these packages for upcoming versions as well?
Perhaps we should have a page on the fedorahosted wiki (soon to be pagure wiki, I guess..) that lists the various 'unofficial' repos with SSSD binaries?
Jakub Hrozek wrote:
On Mon, Jan 30, 2017 at 08:33:48AM +0100, Michael Ströder wrote:
FWIW: You can find repos containing packages of sssd 1.15.0 for various openSUSE versions from here:
Thank you very much. Is that a one-off build or do you plan on building these packages for upcoming versions as well?
See sssd.changes. [1]
Perhaps we should have a page on the fedorahosted wiki (soon to be pagure wiki, I guess..) that lists the various 'unofficial' repos with SSSD binaries?
The link above points to the openSUSE devel project for LDAP-related packages, with sssd being one of them. From there it finds its way to openSUSE:Factory (follow the links). The 1.15.0 update is currently in Factory staging receiving QA tests. Therefore sssd 1.15.0 will appear in openSUSE Tumbleweed during the next days.
Ciao, Michael.
[1] https://build.opensuse.org/package/view_file/network:ldap/sssd/sssd.changes?...
On (30/01/17 08:33), Michael Ströder wrote:
FWIW: You can find repos containing packages of sssd 1.15.0 for various openSUSE versions from here:
It failed on some of them. :-(
SLE_12_SP2: SLE_12_SP2_Backports nothing provides libcmocka-devel, nothing provides nss_wrapper, nothing provides uid_wrapper, nothing provides libndr-nbt0 = 4.2.4 needed by libndr-nbt-devel, nothing provides libndr-krb5pac0 = 4.2.4 needed by libndr-krb5pac-devel, nothing provides libndr0 = 4.2.4 needed by libndr-devel, nothing provides libndr-standard0 = 4.2.4 needed by libndr-standard-devel, nothing provides libsamba-util0 = 4.2.4 needed by libsamba-util-devel
openSUSE_13.2: nothing provides nss_wrapper, nothing provides uid_wrapper
libcmocka-devel, nss_wrapper, uid_wrapper are just optional packages for unit testing.
And for 12 you can build sssd without IPA and AD provider, e.g. ./configure --without-samba
HTH
LS
Lukas Slebodnik wrote:
On (30/01/17 08:33), Michael Ströder wrote:
FWIW: You can find repos containing packages of sssd 1.15.0 for various openSUSE versions from here:
It failed on some of them. :-(
Yes I know.
SLE_12_SP2: SLE_12_SP2_Backports
That's why I wrote "openSUSE" above.
nothing provides
I guess this is because the very new Samba 4.5.x packages are not available in SLES and the network:samba:STABLE is not used for building sssd package.
If you're eager to test sssd 1.15.0 on SLES you could branch sssd [1] and samba [2] in OBS into your own home project and adjust your home project for building.
Ciao, Michael.
[1] https://build.opensuse.org/package/show/network:ldap/sssd
[2] https://build.opensuse.org/package/show/network:samba:STABLE/samba
On (30/01/17 11:15), Michael Ströder wrote:
Lukas Slebodnik wrote:
On (30/01/17 08:33), Michael Ströder wrote:
FWIW: You can find repos containing packages of sssd 1.15.0 for various openSUSE versions from here:
It failed on some of them. :-(
Yes I know.
SLE_12_SP2: SLE_12_SP2_Backports
That's why I wrote "openSUSE" above.
Then maybe it would be better to remove SLES from the build distros?
And do you plan to fix a build on openSUSE_13.2?
LS
Lukas Slebodnik wrote:
On (30/01/17 11:15), Michael Ströder wrote:
Lukas Slebodnik wrote:
On (30/01/17 08:33), Michael Ströder wrote:
FWIW: You can find repos containing packages of sssd 1.15.0 for various openSUSE versions from here:
It failed on some of them. :-(
Yes I know.
SLE_12_SP2: SLE_12_SP2_Backports
That's why I wrote "openSUSE" above.
Then maybe it would be better to remove SLES from the build distros?
I'm not the one to decide on that.
Please note that network:ldap is mainly the bleeding edge development stream for openSUSE:Factory (not SLES) and therefore should only be used by people who are 100% sure they know what they're doing.
If you're on some SLES version and you need official SUSE support stick with sssd packages provided by SLES.
And do you plan to fix a build on openSUSE_13.2?
No. 13.2 is definitely EOL. If you run openSUSE 13.2 systems your next action should be to upgrade.
Ciao, Michael.
On (30/01/17 15:00), Michael Ströder wrote:
Lukas Slebodnik wrote:
On (30/01/17 11:15), Michael Ströder wrote:
Lukas Slebodnik wrote:
On (30/01/17 08:33), Michael Ströder wrote:
FWIW: You can find repos containing packages of sssd 1.15.0 for various openSUSE versions from here:
It failed on some of them. :-(
Yes I know.
SLE_12_SP2: SLE_12_SP2_Backports
That's why I wrote "openSUSE" above.
Then maybe it would be better to remove SLES from the build distros?
I'm not the one to decide on that.
Please note that network:ldap is mainly the bleeding edge development stream for openSUSE:Factory (not SLES) and therefore should only be used by people who are 100% sure they know what they're doing.
If you're on some SLES version and you need official SUSE support stick with sssd packages provided by SLES.
I see; But could you at least disable building of latest sssd on SLE_12_SP2? I mean the same as it is done for SLE_12_SP1.
It looks better if build is disabled rather than failed.
And do you plan to fix a build on openSUSE_13.2?
No. 13.2 is definitely EOL. If you run openSUSE 13.2 systems your next action should be to upgrade.
And thank you very much for removing "openSUSE 13.2" from the list.
LS
Congrats and thanks to all involved.
Will there be a COPR build made available for Centos users, as per previous releases?
cheers L.
------ The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
On 26 January 2017 at 03:39, Jakub Hrozek jhrozek@redhat.com wrote:
== SSSD 1.15.0 ===
The SSSD team is proud to announce the release of version 1.15.0 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
NP, thanks again, hope devconf was fun :)
------ The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
On 1 February 2017 at 00:41, Lukas Slebodnik lslebodn@redhat.com wrote:
> On (31/01/17 16:03), Lachlan Musicman wrote:
>> Congrats and thanks to all involved.
>> Will there be a COPR build made available for Centos users, as per previous releases?
> Sure. I just forgot to create it due to devconf.cz
> LS
Hey, I tried using the 1.15 COPR repo, but apparently it's empty? I'm using the Centos 7 repo https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-15/repo/epel-7/group_s...
Cheers L.
------ The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
On (01/02/17 10:27), Lachlan Musicman wrote:
> Hey, I tried using the 1.15 COPR repo, but apparently it's empty? I'm using the Centos 7 repo https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-15/repo/epel-7/group_s...
Works for me without any problem
[root@8224104396c2 yum.repos.d]# yum install --setopt=debuglevel=1 sssd
Ignored option -q, -v, -d or -e (probably due to merging: -yq != -y -q)

Installing:
 sssd x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 66 k
Installing for dependencies:
 GeoIP x86_64 1.5.0-11.el7 base 1.1 M
 avahi-libs x86_64 0.6.31-17.el7 base 61 k
 bind-libs x86_64 32:9.9.4-38.el7_3.1 updates 1.0 M
 bind-utils x86_64 32:9.9.4-38.el7_3.1 updates 202 k
 c-ares x86_64 1.10.0-3.el7 base 78 k
 cups-libs x86_64 1:1.6.3-26.el7 base 356 k
 cyrus-sasl-gssapi x86_64 2.1.26-20.el7_2 base 40 k
 libbasicobjects x86_64 0.1.1-27.el7 base 25 k
 libcollection x86_64 0.6.2-27.el7 base 41 k
 libdhash x86_64 0.4.3-27.el7 base 28 k
 libini_config x86_64 1.3.0-27.el7 base 63 k
 libipa_hbac x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 74 k
 libldb x86_64 1.1.26-1.el7 base 125 k
 libnl3 x86_64 3.2.28-3.el7_3 updates 278 k
 libpath_utils x86_64 0.2.1-27.el7 base 27 k
 libref_array x86_64 0.1.5-27.el7 base 26 k
 libsmbclient x86_64 4.4.4-12.el7_3 updates 126 k
 libsss_autofs x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 76 k
 libsss_idmap x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 79 k
 libsss_nss_idmap x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 76 k
 libsss_sudo x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 74 k
 libtalloc x86_64 2.1.6-1.el7 base 34 k
 libtdb x86_64 1.3.8-1.el7_2 base 45 k
 libtevent x86_64 0.9.28-1.el7 base 34 k
 libwbclient x86_64 4.4.4-12.el7_3 updates 100 k
 python2-sssdconfig noarch 1.15.0-1.el7.centos group_sssd-sssd-1-15 100 k
 samba-client-libs x86_64 4.4.4-12.el7_3 updates 4.6 M
 samba-common noarch 4.4.4-12.el7_3 updates 191 k
 sssd-ad x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 186 k
 sssd-client x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 130 k
 sssd-common x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 1.1 M
 sssd-common-pac x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 118 k
 sssd-ipa x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 256 k
 sssd-krb5 x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 105 k
 sssd-krb5-common x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 132 k
 sssd-ldap x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 173 k
 sssd-proxy x86_64 1.15.0-1.el7.centos group_sssd-sssd-1-15 100 k
 systemd-sysv x86_64 219-30.el7_3.6 updates 63 k
Updating for dependencies:
 bind-license noarch 32:9.9.4-38.el7_3.1 updates 83 k
LS
Yep, is working now for me too. Cheers L.
------ The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
On 1 February 2017 at 22:33, Lukas Slebodnik lslebodn@redhat.com wrote:
> On (01/02/17 10:27), Lachlan Musicman wrote:
>> Hey, I tried using the 1.15 COPR repo, but apparently it's empty? I'm using the Centos 7 repo https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-15/repo/epel-7/group_sssd-sssd-1-15-epel-7.repo
> Works for me without any problem