Yes, I tried this option in sssd.conf, it didn't help. Please see Bug 1588596 that I opened with more information.
Thanks, On Thu, Jun 7, 2018 at 5:50 PM Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Thu, Jun 07, 2018 at 04:39:09PM +0300, AvigdorFin via FreeIPA-users > wrote: > > How do I report a suspected Bug against sssd? > > I have a problem with sssd 1.14 1.15 1.16 but not 1.13. > > > > The problem is with small tree of files that is created on > > /tmp/adcli-krb5-XXXXX every 5 minutes. > > The problem might be connected to adcli 0.8.1 and not 0.7.5 > > SSSD uses adcli to renew the most password on the AD DC. If the > temporary files are not remove after adcli is run adcli most probably > run into an error which prevented to check when the password was last > changed on AD. > > If you want to disable the whole feature please set > 'ad_maximum_machine_account_password_age = 0' in sssd.conf (see man > sssd-ad for details). > > If you are interested why adcli fails please set debug_level=9 in the > [domain/...] section of sssd.conf, restart SSSD and check the SSSD logs > for the adcli debug output. See the troubleshooting page Rob sent for > details. > > HTH > > bye, > Sumit > > > > > Thanks in advance, > > Avigdor Finkelstein > > > > > > On Fri, Mar 9, 2018 at 2:29 PM Jakub Hrozek via FreeIPA-users < > > freeipa-users@lists.fedorahosted.org> wrote: > > > > > SSSD 1.16.1 > > > =========== > > > > > > The SSSD team is proud to announce the release of version 1.16.1 of the > > > System Security Services Daemon. > > > > > > The tarball can be downloaded from > https://releases.pagure.org/SSSD/sssd/ > > > > > > RPM packages will be made available for Fedora shortly. > > > > > > Feedback > > > -------- > > > Please provide comments, bugs and other feedback > > > via the sssd-devel or sssd-users mailing lists: > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users > > > > > > Highlights > > > ————— > > > > > > New Features > > > ^^^^^^^^^^^^ > > > * A new option ``auto_private_groups`` was added. If this option is > > > enabled, SSSD will automatically create user private groups based > on > > > user's UID number. The GID number is ignored in this case. Please > > > see > > > > https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html > > > for more details on the feature. > > > > > > * The SSSD smart card integration now supports a special type of PAM > > > conversation implemented by GDM which allows the user to select the > > > appropriate smrt card certificate in GDM. Please refer to > > > > > > > https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certificates.html > > > for more details about this feature. > > > > > > * A new API for accessing user and group information was added. This > API > > > is similar to the tradiional Name Service Switch API, but allows > > > the consumer to talk to SSSD directly as well as to fine-tune > > > the query with e.g. how cache should be evaluated. Please see > > > > https://docs.pagure.org/SSSD.sssd/design_pages/enhanced_nss_api.html > > > for more information on the new API. > > > > > > * The ``sssctl`` command line tool gained a new command > > > ``access-report``, > > > which can generate who can access the client machine. Currently > only > > > generating > > > the report on an IPA client based on HBAC rules is supported. > Please > > > see > > > > https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html > > > for more information about this new feature. > > > > > > * The ``hostid`` provider was moved from the IPA specific code to the > > > generic > > > LDAP code. This allows SSH host keys to be access by the generic > LDAP > > > provider > > > as well. See the ``ldap_host_*`` options in the ``sssd-ldap`` > manual > > > page > > > for more details. > > > > > > * Setting the ``memcache_timeout`` option to 0 disabled creating the > > > memory cache files altogether. This can be useful in cases there > is a > > > bug in the memory cache that needs working around. > > > > > > Performance enhancements > > > ^^^^^^^^^^^^^^^^^^^^^^^^ > > > * Several internal changes to how objects are stored in the cache > improve > > > SSSD performance in environments with large number of objects of > the > > > same > > > type (e.g. many users, many groups). In particular, several useless > > > indexes > > > were removed and the most common object types no longer use the > indexed > > > ``objectClass`` attribute, but use unindexed ``objectCategory`` > instead > > > (#3503) > > > > > > * In setups with ``id_provider=ad`` that use POSIX attributes which > > > are replicated to the Global Catalog, SSSD uses the Global Catalog > to > > > determine which domain should be contacted for a by-ID lookup > instead > > > of iterating over all domains. More details about this feature can > > > be found at > > > > > > > https://docs.pagure.org/SSSD.sssd/design_pages/uid_negative_global_catalog.html > > > > > > Notable bug fixes > > > ^^^^^^^^^^^^^^^^^ > > > * A crash in ``sssd_nss`` that might have happened if a list of > domains > > > was refreshed while a NSS lookup using this request was fixed > (#3551) > > > > > > * A potential crash in ``sssd_nss`` during netgroup lookup in case > the > > > netgroup object kept in memory was already freed (#3523) > > > > > > * Fixed a potential crash of ``sssd_be`` with two concurrent sudo > > > refreshes > > > in case one of them failed (#3562) > > > > > > * A memory growth issue in ``sssd_nss`` that occured when an entry was > > > removed from the memory cache was fixed (#3588) > > > > > > * Two potential memory growth issues in the ``sssd_be`` process that > could > > > have hit configurations with ``id_provider=ad`` were fixed (#3639) > > > > > > * The ``selinux_child`` process no longer crashes on a system where > SSSD > > > is compiled with SELinux support, but at the same time, the SELinux > > > policy > > > is not even installed on the machine (#3618) > > > > > > * The memory cache consistency detection logic was fixed. This would > > > prevent > > > printing false positive memory cache corruption messages (#3571) > > > > > > * SSSD now remembers the last successfuly discovered AD site and use > this > > > for DNS search to lookup a site and forest during the next lookup. > This > > > prevents time outs in case SSSD was discovering the site using the > > > global > > > list of DCs where some of the global DCs might be unreachable. > (#3265) > > > > > > * SSSD no longer starts the implicit file domain when configured with > > > ``id_provider=proxy`` and ``proxy_lib_name=files``. This bug > prevented > > > SSSD from being used in setups that combine identities from UNIX > files > > > together with authentication against a remote source unless a files > > > domain was explicitly configured (#3590) > > > > > > * The IPA provider can handle switching between different ID views > better > > > (#3579) > > > > > > * Previously, the IPA provider kept SSH public keys and certificates > from > > > an ID view in its cache and returned them even if the public key or > > > certificate was then removed from the override (#3602, #3603) > > > > > > * FleetCommander profiles coming from IPA are applied even if they are > > > assigned globally (to ``category: ALL``), previously, only profiles > > > assigned to a host or a hostgroup were applied (#3449) > > > > > > * It is now possible to reset an expired password for users with 2FA > > > authentication enabled (#3585) > > > > > > * A bug in the AD provider which could have resulted in built-in AD > groups > > > being incorrectly cached was fixed (#3610) > > > > > > * The SSSD watchdog can now cope better with time drifts (#3285) > > > > > > * The ``nss_sss`` NSS module's return codes for invalid cases were > fixed > > > > > > * A bug in the LDAP provider that prevented setups with > id_provider=proxy > > > and auth_provider=ldap with LDAP servers that do not allow anonymous > > > binds from working was fixed (#3451) > > > > > > Packaging Changes > > > ----------------- > > > * The FleetCommander desktop profile path now uses stricter > permissions, > > > 751 instead of 755 (#3621) > > > > > > * A new option ``--logger`` was added to the ``sssd(8)`` binary. This > > > option > > > obsoletes old options such as ``--debug-to-files``, although the old > > > options > > > are kept for backwards compatibility. > > > > > > * The file ``/etc/systemd/system/sssd.service.d/journal.conf`` is not > > > installed anymore In order to change logging to journald, please > use the > > > ``--logger`` option. The logger is set using the > > > ``Environment=DEBUG_LOGGER`` directive in the systemd unit files. > The > > > default value is ``Environment=DEBUG_LOGGER=--logger=files`` > > > > > > Documentation Changes > > > --------------------- > > > There are no notable documentation changes such as options changing > default > > > values etc in this release. > > > > > > Tickets Fixed > > > ------------- > > > * `3648 <https://pagure.io/SSSD/sssd/issue/3648>`_ - Mention in the > > > manpages that Fleet Commander does *not* work when SSSD is running as > the > > > unprivileged user > > > * `3639 <https://pagure.io/SSSD/sssd/issue/3639>`_ - sssd_be consumes > > > more memory on RHEL 7.4 systems. > > > * `3627 <https://pagure.io/SSSD/sssd/issue/3627>`_ - MAN: Explain how > > > does auto_private_groups affect subdomains > > > * `3621 <https://pagure.io/SSSD/sssd/issue/3621>`_ - FleetCommander > > > integration must not require capability DAC_OVERRIDE > > > * `3618 <https://pagure.io/SSSD/sssd/issue/3618>`_ - selinux_child > > > segfaults in a docker container > > > * `3615 <https://pagure.io/SSSD/sssd/issue/3615>`_ - Requesting an AD > > > user's private group and then the user itself returns an emty homedir > > > * `3613 <https://pagure.io/SSSD/sssd/issue/3613>`_ - > auto_private_groups > > > does not work with trusted domains with direct AD integration > > > * `3610 <https://pagure.io/SSSD/sssd/issue/3610>`_ - AD provider - AD > > > BUILTIN groups are cached with gidNumber = 0 > > > * `3608 <https://pagure.io/SSSD/sssd/issue/3608>`_ - dbus-send > unable to > > > find user by CAC cert > > > * `3603 <https://pagure.io/SSSD/sssd/issue/3603>`_ - Certificate is > not > > > removed from cache when it's removed from the override > > > * `3602 <https://pagure.io/SSSD/sssd/issue/3602>`_ - SSH public key > > > authentication keeps working after keys are removed from ID view > > > * `3601 <https://pagure.io/SSSD/sssd/issue/3601>`_ - race condition: > > > sssd_be in a one-way trust accepts request before ipa-getkeytab > finishes, > > > marking the sssd offline > > > * `3599 <https://pagure.io/SSSD/sssd/issue/3599>`_ - getent output is > > > not showing home directory for IPA AD trusted user > > > * `3594 <https://pagure.io/SSSD/sssd/issue/3594>`_ - sssd used wrong > > > search base with wrong AD server > > > * `3592 <https://pagure.io/SSSD/sssd/issue/3592>`_ - Write a > regression > > > test for false possitive "corrupted" memory cache > > > * `3590 <https://pagure.io/SSSD/sssd/issue/3590>`_ - proxy to files > does > > > not work with implicit_files_domain > > > * `3588 <https://pagure.io/SSSD/sssd/issue/3588>`_ - sssd_nss > consumes > > > more memory until restarted or machine swaps > > > * `3586 <https://pagure.io/SSSD/sssd/issue/3586>`_ - Give a more > > > detailed debug and system-log message if krb5_init_context() failed > > > * `3585 <https://pagure.io/SSSD/sssd/issue/3585>`_ - Reset password > with > > > two factor authentication fails > > > * `3579 <https://pagure.io/SSSD/sssd/issue/3579>`_ - SSSD fails to > fetch > > > group information after switching IPA client to a non-default view > > > * `3571 <https://pagure.io/SSSD/sssd/issue/3571>`_ - mmap cache: > > > consistency check might fail if there are hash collisions > > > * `3570 <https://pagure.io/SSSD/sssd/issue/3570>`_ - The cache-req > debug > > > string representation uses a wrong format specifier for by-ID requests > > > * `3569 <https://pagure.io/SSSD/sssd/issue/3569>`_ - The cache_req > code > > > doesn't check the min_id/max_id boundaries for requests by ID > > > * `3564 <https://pagure.io/SSSD/sssd/issue/3564>`_ - Smartcard > > > authentication fails if SSSD is offline and > 'krb5_store_password_if_offline > > > = True' > > > * `3563 <https://pagure.io/SSSD/sssd/issue/3563>`_ - Some sysdb tests > > > fail because they expect a certain order of entries returned from ldb > > > * `3562 <https://pagure.io/SSSD/sssd/issue/3562>`_ - Use-after free > if > > > more sudo requests run and one of them fails, causing a fail-over to a > next > > > server > > > * `3560 <https://pagure.io/SSSD/sssd/issue/3560>`_ - Improve > Smartcard > > > integration if multiple certificates or multiple mapped identities are > > > available > > > * `3551 <https://pagure.io/SSSD/sssd/issue/3551>`_ - Race condition > > > between refreshing the cr_domain list and a request that is using the > list > > > can cause a segfault is sssd_nss > > > * `3547 <https://pagure.io/SSSD/sssd/issue/3547>`_ - data from ipa > > > returned with id_provider=file > > > * `3545 <https://pagure.io/SSSD/sssd/issue/3545>`_ - SSSD creates bad > > > override search filter due to AD Trust object with parenthesis > > > * `3539 <https://pagure.io/SSSD/sssd/issue/3539>`_ - Do not autostart > > > the implicit files domain if sssd configures id_provider=proxy and > > > proxy_target_files > > > * `3529 <https://pagure.io/SSSD/sssd/issue/3529>`_ - SSSD-kcm/secrets > > > failed to restart during/after upgrade > > > * `3528 <https://pagure.io/SSSD/sssd/issue/3528>`_ - sssd refuses to > > > start when pidfile is present, but the process is gone > > > * `3523 <https://pagure.io/SSSD/sssd/issue/3523>`_ - ABRT crash - > > > /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout > > > * `3503 <https://pagure.io/SSSD/sssd/issue/3503>`_ - Do not index > > > objectclass, add and index objectcategory instead > > > * `3496 <https://pagure.io/SSSD/sssd/issue/3496>`_ - [RFE] Add a > > > configuration option to SSSD to disable the memory cache > > > * `3486 <https://pagure.io/SSSD/sssd/issue/3486>`_ - Improve > `enumerate` > > > documentation/troubleshooting guide > > > * `3484 <https://pagure.io/SSSD/sssd/issue/3484>`_ - MAN: Describe > the > > > constrains of ipa_server_mode better in the man page > > > * `3468 <https://pagure.io/SSSD/sssd/issue/3468>`_ - SSSD doesn't > use AD > > > global catalog for gidnumber lookup, resulting in unacceptable delay > for > > > large forests > > > * `3454 <https://pagure.io/SSSD/sssd/issue/3454>`_ - sssd-kcm crashes > > > with multiple parallel requests > > > * `3451 <https://pagure.io/SSSD/sssd/issue/3451>`_ - When sssd is > > > configured with id_provider proxy and auth_provider ldap, login fails > if > > > the LDAP server is not allowing anonymous binds. > > > * `3444 <https://pagure.io/SSSD/sssd/issue/3444>`_ - document > > > information on why SSSD does not use host-based security filtering when > > > processing AD GPOs > > > * `3433 <https://pagure.io/SSSD/sssd/issue/3433>`_ - > SYSLOG_IDENTIFIER > > > is different > > > * `3293 <https://pagure.io/SSSD/sssd/issue/3293>`_ - Log when SSSD > > > authentication fails because when two IPA accounts share an email > address > > > * `3285 <https://pagure.io/SSSD/sssd/issue/3285>`_ - SSSD needs > restart > > > after incorrect clock is corrected with AD > > > * `3265 <https://pagure.io/SSSD/sssd/issue/3265>`_ - [RFE] sssd > should > > > remember DNS sites from first search > > > * `3198 <https://pagure.io/SSSD/sssd/issue/3198>`_ - Incorrect error > > > code returned from krb5_child for expired/locked user with id_provider > AD > > > * `2976 <https://pagure.io/SSSD/sssd/issue/2976>`_ - sdap code can > mark > > > the whole sssd_be offline > > > * `2840 <https://pagure.io/SSSD/sssd/issue/2840>`_ - [RFE] Produce > > > access control attestation report for IPA domains > > > * `2823 <https://pagure.io/SSSD/sssd/issue/2823>`_ - Integration > tests: > > > Use dbus-daemon in cwrap enviroment for test > > > * `2478 <https://pagure.io/SSSD/sssd/issue/2478>`_ - Provide > sss_nss_* > > > API to directly query SSSD instead of nsswitch.conf route > > > * `1872 <https://pagure.io/SSSD/sssd/issue/1872>`_ - [RFE] Support > User > > > Private Groups for main domains, too > > > * `1729 <https://pagure.io/SSSD/sssd/issue/1729>`_ - Enumerating > large > > > number of users makes sssd_be hog the cpu for a long time. > > > > > > Detailed Changelog > > > ------------------ > > > > > > * Andreas Schneider (1): > > > > > > * Avoid double semicolon warnings on older compilers > > > > > > * Carlos O'Donell (1): > > > > > > * nss: Fix invalid enum nss_status return values. > > > > > > * Fabiano Fidêncio (21): > > > > > > * CACHE_REQ: Copy the cr_domain list for each request > > > * LDAP: Bind to the LDAP server also in the auth > > > * TOOLS: Double quote array expansions in sss_debuglevel > > > * TOOLS: Call "exec" for sss_debuglevel > > > * LDAP: Improve error treatment from sdap_cli_connect() in > ldap_auth > > > * SYSDB: Remove code causing a covscan warning > > > * NSS: Fix covscan warning > > > * CACHE_REQ: Fix typo: cache_reg -> cache_req > > > * TOOLS: Fix typo: exist -> exists > > > * SYSDB: Return EOK in case a non-fatal issue happened > > > * SYSDB_VIEWS: Remove sshPublicKey attribute when it's not set > > > * IPA: Remove sshPublicKey attribute when it's not set > > > * DESKPROFILE: Add checks for user and host category > > > * DESKPROFILE: Harden the permission of deskprofilepath > > > * DESKPROFILE: Soften umask for the domain's dir > > > * DESKPROFILE: Fix the permissions and soften the umask for > user's > > > dir > > > * DESKPROFILE: Use seteuid()/setegid() to create the profile > > > * DESKPROFILE: Use seteuid()/setegid() to delete the > profile/user's > > > dir > > > * DESKPROFILE: Set the profile permissions to read-only > > > * PYSSS_MURMUR: Fix [-Wsign-compare] found by gcc > > > * DESKPROFILE: Document it doesn't work when run as unprivileged > user > > > > > > * Hristo Venev (1): > > > > > > * providers: Move hostid from ipa to sdap, v2 > > > > > > * Jakub Hrozek (35): > > > > > > * Update the version number to track 1.16.1 development > > > * CONFIG: Add a new option auto_private_groups > > > * CONFDB: Remove the obsolete option magic_private_groups > > > * SDAP: Allow the mpg flag for the main domain > > > * LDAP: Turn group request into user request for MPG domains if > > > needed > > > * SYSDB: Prevent users and groups ID collision in MPG domains > except > > > for id_provider=local > > > * TESTS: Add integration tests for the auto_private_groups option > > > * RESP: Add some missing NULL checks > > > * TOOLS: Add a new sssctl command access-report > > > * SDAP: Split out utility function sdap_get_object_domain() from > > > sdap_object_in_domain() > > > * LDAP: Extract the check whether to run a POSIX check to a > function > > > * LDAP: Only run the POSIX check with a GC connection > > > * SDAP: Search with a NULL search base when looking up an ID in > the > > > Global Catalog > > > * SDAP: Rename sdap_posix_check to sdap_gc_posix_check > > > * DP: Create a new handler function getAccountDomain() > > > * AD: Implement a real getAccountDomain handler for the AD > provider > > > * RESP: Expose DP method getAccountDomain() to responders > > > * NEGCACHE: Add API for setting and checking > locate-account-domain > > > requests > > > * TESTS: Add tests for the object-by-id cache_req interface > > > * CACHE_REQ: Export cache_req_search_ncache_add() as cache_req > > > private interface > > > * CACHE_REQ: Add plugin methods required for the domain-locator > > > request > > > * CACHE_REQ: Add a private request cache_req_locate_domain() > > > * CACHE_REQ: Implement the plugin methods that utilize the domain > > > locator API > > > * CACHE_REQ: Use the domain-locator request to only search > domains > > > where the entry was found > > > * MAN: Document how the Global Catalog is used currently > > > * IPA: Include SYSDB_OBJECTCATEGORY, not OBJECTCLASS in cache > search > > > results > > > * MAN: Document that auth and access IPA and AD providers rely on > > > id_provider being set to the same type > > > * MAN: Improve enumeration documentation > > > * MAN: Describe the constrains of ipa_server_mode better in the > man > > > page > > > * IPA: Delay the first periodic refresh of trusted domains > > > * AD: Inherit the MPG setting from the main domain > > > * SYSDB: Fix sysdb_search_by_name() for looking up groups in MPG > > > domains > > > * SYSDB: Use sysdb_domain_dn instead of raw ldb_dn_new_fmt > > > * SYSDB: Read the ldb_message from loop's index counter when > reading > > > subdomain UPNs > > > * AD: Use the right sdap_domain for the forest root > > > > > > * Lukas Slebodnik (51): > > > > > > * KCM: Fix typo in comments > > > * CI: Ignore source file generated by systemtap > > > * UTIL: Add wrapper function to configure logger > > > * Add parameter --logger to daemons > > > * SYSTEMD: Replace parameter --debug-to-files with > ${DEBUG_LOGGER} > > > * SYSTEMD: Add environment file to responder service files > > > * UTIL: Hide and deprecate parameter --debug-to-files > > > * KCM: Fix restart during/after upgrade > > > * BUILD: Properly expand variables in sssd-ifp.service > > > * SYSTEMD: Clean pid file in corner cases > > > * CHILD: Pass information about logger to children > > > * BUILD: Disable tests with know failures > > > * SPEC: Reduce build time dependencies > > > * sysdb-test: Fix warning may be used uninitialized > > > * responder: Fix talloc hierarchy in sized_output_name > > > * test_responder: Check memory leak in sized_output_name > > > * confdb: Move detection files to separate function > > > * confdb: Fix starting of implicit files domain > > > * confdb: Do not start implicit_files with proxy domain > > > * test_files_provider: Regression test for implicit_files + proxy > > > * SDAP: Fix typo in debug message > > > * Revert "intg: Disable add_remove tests" > > > * libnfsidmap: Use public plugin header file if available > > > * dyndns_tests: Fix unit test with missing features in nsupdate > > > * Remove unnecessary script for upgrading debug_levels > > > * Remove legacy script for upgrading sssd.conf > > > * BUILD: Add missing libs found by -Wl,-z,defs > > > * BUILD: Fix using of libdlopen_test_providers.so in tests > > > * SYSDB: Decrese debuglevel in sysdb_get_certmap > > > * KRB5: Pass special flag to krb5_child > > > * krb5_child: Distinguish between expired & disabled AD user > > > * AD: Suppress warning Wincompatible-pointer-types with sasl > > > callbacks > > > * pysss: Drop unused parameter > > > * pysss: Suppress warning Wincompatible-pointer-types > > > * CRYPTO: Suppress warning Wstringop-truncation > > > * INOTIFY: Fix warning Wstringop-truncation > > > * SIFP: Suppress warning Wstringop-truncation > > > * CLIENT: Fix warning Wstringop-overflow > > > * pysss_murmur: Allow to have NUL character in python bindings > > > * TESTS: Extend code coverage for murmurhash3 > > > * mmap_cache: Remove unnecessary memchr in client code > > > * test_memory_cache: Regression test for #3571 > > > * SPEC: Fix systemd executions/requirements > > > * SPEC: Reduce changes between upstream and downstream > > > * intg: Build with optimisations and debug symbols > > > * intg: Do not prefer builddir in PATH > > > * intg: Install configuration for dbus daemon > > > * intg: Install wrapper for getsockopt > > > * intg: Add sample infopipe test in cwrap env > > > * IPA: Drop unused ifdef HAVE_SELINUX_LOGIN_DIR > > > * IPA: Fix typo in debug message in sssm_ipa_selinux_init > > > > > > * Michal Židek (9): > > > > > > * NSS: Move memcache setup to separate function > > > * NSS: Specify memcache_timeout=0 semantics > > > * MAN: Document memcache_timeout=0 meaning > > > * MAN: GPO Security Filtering limitation > > > * SYSDB: Better debugging for email conflicts > > > * TESTS: Order list of entries in some lists > > > * Revert "BUILD: Disable tests with know failures" > > > * SELINUX: Check if SELinux is managed in selinux_child > > > * util: Add sss\_ prefix to some functions > > > > > > * Niranjan M.R (1): > > > > > > * Initial revision of sssd pytest framework > > > > > > * Pavel Březina (10): > > > > > > * sudo: document background activity > > > * sudo: always use srv_opts from id context > > > * AD: Remember last site discovered > > > * sysdb: add functions to get/set client site > > > * AD: Remember last site discovered in sysdb > > > * dp: use void * to express empty output argument list > > > * dp: add method to refresh access control rules > > > * ipa: implement method to refresh HBAC rules > > > * ifp: add method to refresh access control rules in domain > > > * sssctl: call dbus instead of pam to refresh HBAC rules > > > > > > * René Genz (12): > > > > > > * Fix minor spelling mistakes > > > * README: Add link to docs repo > > > * Fix minor spelling mistakes > > > * Fix minor spelling mistakes in providers/* > > > * Fix minor spelling mistakes in responder/* > > > * Fix minor spelling mistakes in sss_client/* > > > * Fix minor spelling mistakes in tests/cmocka/* > > > * Fix minor spelling mistakes > > > * Fix minor spelling mistakes in tests/* > > > * Fix minor spelling mistakes in tests/multihost/* > > > * Fix minor spelling mistakes in PY files in tests/python/* > > > * Fix minor spelling mistakes and formatting in tests/python/* > > > > > > > > > * Sumit Bose (48): > > > > > > * sss_client: create nss_common.h > > > * nss-idmap: add nss like calls with timeout and flags > > > * NSS: add \*_EX version of some requests > > > * NSS: add support for SSS_NSS_EX_FLAG_NO_CACHE > > > * CACHE_REQ: Add cache_req_data_set_bypass_dp() > > > * nss: make memcache_delete_entry() public > > > * NSS: add support for SSS_NSS_EX_FLAG_INVALIDATE_CACHE > > > * NSS/TESTS: add unit tests for \*_EX requests > > > * nss-idmap: add timeout version of old sss_nss_* calls > > > * nss-idmap: allow empty buffer with > SSS_NSS_EX_FLAG_INVALIDATE_CACHE > > > * p11_child: return multiple certs > > > * PAM: handled multiple certs in the responder > > > * pam_sss: refactoring, use struct cert_auth_info > > > * p11_child: use options to select certificate for authentication > > > * pam: add prompt string for certificate authentication > > > * PAM: allow missing logon_name during certificate authentication > > > * p11_child: add descriptions for error codes to debug messages > > > * pam: filter certificates in the responder not in the child > > > * PAM: add certificate's label to the selection prompt > > > * NSS: Use enum_ctx as memory_context in > _setnetgrent_set_timeout() > > > * mmap_cache: make checks independent of input size > > > * sysdb: be_refresh_get_values_ex() remove unused option > > > * sysdb: do not use objectClass for users and groups > > > * sysdb: do not use LDB_SCOPE_ONELEVEL > > > * sysdb: remove IDXONE and objectClass from users and groups > > > * krb5: show error message for krb5_init_context() failures > > > * UTIL: add find_domain_by_object_name_ex() > > > * ipa: handle users from different domains in > > > ipa_resolve_user_list_send() > > > * overrides: fixes for sysdb_invalidate_overrides() > > > * ipa: check for SYSDB_OVERRIDE_DN in process_members and > > > get_group_dn_list > > > * IPA: use cache searches in get_groups_dns() > > > * ipa: compare DNs instead of group names in > ipa_s2n_save_objects() > > > * p11_child: make sure OCSP checks are done > > > * nss-idmap: allow NULL result in \*_timeout calls > > > * Revert "p11_child: make sure OCSP checks are done" > > > * p11_child: properly check results of CERT_VerifyCertificateNow > > > * ifp: use realloc in ifp_list_ctx_remaining_capacity() > > > * SDAP: skip builtin AD groups in sdap_save_grpmem() > > > * sysdb: add userMappedCertificate to the index > > > * krb5_child: check preauth types if password is expired > > > * pam_sss: password change with two factor authentication > > > * nss-idmap: check timed muted return code > > > * krb5: call krb5_auth_cache_creds() if a password is available > > > * DESKPROFILE: Fix 'Improper use of negative value' > > > * AD: sdap_get_ad_tokengroups_done() allocate temporary data on > state > > > * AD: do not allocate temporary data on long living context > > > * ipa: remove SYSDB_USER_CERT from sub-domain users > > > * ipa: add SYSDB_USER_MAPPED_CERT for certs in idoverrides > > > > > > * Thorsten Scherf (1): > > > > > > * IPA: Fixed subdomain typo > > > > > > * Victor Tapia (1): > > > > > > * WATCHDOG: Restart providers with SIGUSR2 after time drift > > > > > > * amitkuma (3): > > > > > > * cache_req: Correction of cache_req debug string ID format > > > * cache: Check for max_id/min_id in cache_req > > > * MAN: Explain how does auto_private_groups affect subdomains > > > _______________________________________________ > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > > To unsubscribe send an email to > freeipa-users-le...@lists.fedorahosted.org > > > > > > > > > -- > > Best Regards, > > Avigdor > > ---- > > Avigdor Finkelstein > > Mobile: +972 (0)54 2278452 > > Fax: +972 8 9316406 > > > > Email: AvigdorFin@g <avigdor.finkelst...@tangram-soft.co.il>mail.com > > Home Address: P.O.B 187 > > Rehovot 76101 > > ISRAEL > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > To unsubscribe send an email to > freeipa-users-le...@lists.fedorahosted.org > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/PZIMORUNP3IEVB53T67XXITYODL7UCRD/ > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/W7FSJPBOYC6CHBSIXEH3F5RMULPOJPQC/ > -- Best Regards, Avigdor ---- Avigdor Finkelstein Mobile: +972 (0)54 2278452 Fax: +972 8 9316406 Email: AvigdorFin@g <avigdor.finkelst...@tangram-soft.co.il>mail.com Home Address: P.O.B 187 Rehovot 76101 ISRAEL
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/N5Z5UPAVYQVTYGTWBW4WPSSVAZZ7PIMG/