On Thu, Apr 28, 2016 at 09:08:18AM +0000, Terry John wrote:
> I am plagued by the "sssd dereference processing failed : Input/output error"
> problem. Is there any news when this version of sssd will be released for
> RedHat/Centos?
>
> My current version is: 1.12.4-47.el6

RHEL-6.8. But please note that in most cases it's just a harmless error message.
Do you actually see some issue or just an annoying message in the logs?

>
> Terry
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> Sent: 14 April 2016 16:17
> To: sssd-de...@lists.fedorahosted.org; sssd-us...@lists.fedorahosted.org;
> freeipa-users@redhat.com; freeipa-inter...@redhat.com
> Subject: [Freeipa-users] Announcing SSSD 1.13.4
>
> == SSSD 1.13.4 ===
>
> The SSSD team is proud to announce the release of version 1.13.4 of the
> System Security Services Daemon.
>
> As always, the source is available from https://fedorahosted.org/sssd
>
> RPM packages will be made available for Fedora shortly.
>
> == Feedback ==
> Please provide comments, bugs and other feedback via the sssd-devel or
> sssd-users mailing lists:
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> == Highlights ==
>  * The IPA sudo provider was reimplemented. The new version reads the
>    data from IPA's LDAP tree (as opposed to the compat tree populated by
>    the slapi-nis plugin that was used previously). The benefit is that
>    deployments which don't require the compat tree for other purposes,
>    such as support for non-SSSD clients can disable those autogenerated
>    LDAP trees to conserve resources that slapi-nis otherwise requires.
>    There should be no visible changes to the end user.
>  * SSSD now has the ability to renew the machine credentials (keytabs)
>    when the ad provider is used. Please note that a recent version of
>    the adcli (0.8 or newer) package is required for this feature to work.
>  * The automatic ID mapping feature was improved so that the administrator
>    is no longer required to manually set the range size in case a RID in
>    the AD domain is larger than the default range size
>  * A potential infinite loop in the NFS ID mapping plugin that was
>    resulting in an excessive memory usage was fixed
>  * Clients that are pinned to a particular AD site using the ad_site
>    option no longer communicate with DCs outside that site during service
>    discovery.
>  * The IPA identity provider is now able to resolve external
>    (typically coming from a trusted AD forest) group members during
>    get-group-information requests. Please note that resolving external
>    group memberships for AD users during the initgroup requests used to
>    work even prior to this update. This feature is mostly useful for cases
>    where an IPA client is using the compat tree to resolve AD trust users.
>  * The IPA ID views feature now works correctly even for deployments
>    without a trust relationship. Previously, the subdomains IPA provider
>    failed to read the views data if no master domain record was created
>    on the IPA server during trust establishment.
>  * A race condition in the client libraries between the SSSD closing
>    the socket as idle and the client application using the socket was
>    fixed. This bug manifested with a Broken Pipe error message on the
>    client.
>  * SSSD is now able to resolve users with the same usernames in different
>    OUs of an AD domain
>  * The smartcard authentication now works properly with gnome-screensaver
>
> == Packaging Changes ==
>  * The krb5.include.d directory is now owned by the sssd user and
>    packaged in the krb5-common subpackage
>
> == Documentation Changes ==
>  * A new option ldap_idmap_helper_table_size was added. This option can
>    help tune allocation of new ID mapping slices for AD domains with
>    high RID values. Most deployments can use the default value of this option.
>  * Several PAM services were added to the lists that are used to map
>    Windows logon services to Linux PAM services. The newly added PAM
>    services include login managers (lightdm, lxdm, sddm and xdm) as well
>    as the cockpit service.
>  * The AD machine credentials renewal task can be fine-tuned using
>    the ad_machine_account_password_renewal_opts to change the initial
>    delay and period of the credentials renewal task. In addition, the new
>    ad_maximum_machine_account_password_age option allows the administrator
>    to select how old the machine credential must be before trying to
>    renew it.
>  * The administrator can use the new option pam_account_locked_message to
>    set a custom informational message when the account logging in is
>    locked.
>
> == Tickets Fixed ==
> https://fedorahosted.org/sssd/ticket/1041
>    [RFE] Support Automatic Renewing of Kerberos Host Keytabs
> https://fedorahosted.org/sssd/ticket/1108
>    [RFE] SUDO: Support the IPA schema
> https://fedorahosted.org/sssd/ticket/2188
>    automatically assign new slices for any AD domain
> https://fedorahosted.org/sssd/ticket/2522
>    [RFE] IPA: resolve external group memberships of IPA groups during
>    getgrnam and getgrgid
> https://fedorahosted.org/sssd/ticket/2626
>    Retry EPIPE from clients
> https://fedorahosted.org/sssd/ticket/2764
>    the colondb intreface has no unit tests
> https://fedorahosted.org/sssd/ticket/2765
>    ad_site parameter does not work
> https://fedorahosted.org/sssd/ticket/2785
>    incompatibility between sparkleshare and sss_ssh_knownhostsproxy due
>    to setlocale()
> https://fedorahosted.org/sssd/ticket/2791
>    sssd dereference processing failed : Input/output error
> https://fedorahosted.org/sssd/ticket/2829
>    collapse_srv_lookups frees fo_server structure that is returned by
>    fail over API
> https://fedorahosted.org/sssd/ticket/2839
>    Allow SSSD to notify user of denial due to AD account lockout
> https://fedorahosted.org/sssd/ticket/2849
>    cache_req: don't search override values in LDAP when using LOCAL view
> https://fedorahosted.org/sssd/ticket/2865
>    sssd_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86_64
>    (RHEL6.7) when trying to retrieve non-existing netgroups
> https://fedorahosted.org/sssd/ticket/2881
>    MAN: Clarify that subdomains always use service discovery
> https://fedorahosted.org/sssd/ticket/2888
>    SRV lookups with id_provider=proxy and auth_provider=krb5
> https://fedorahosted.org/sssd/ticket/2899
>    [sssd] Trusted (AD) user's info stays in sssd cache for much more
>    than expected.
> https://fedorahosted.org/sssd/ticket/2902
>    Review and update wiki pages for 1.13.4
> https://fedorahosted.org/sssd/ticket/2904
>    sssd_be AD segfaults on missing A record
> https://fedorahosted.org/sssd/ticket/2906
>    Cannot retrieve users after upgrade from 1.12 to 1.13
> https://fedorahosted.org/sssd/ticket/2909
>    extreme memory usage in libnfsidmap sss.so plug-in when resolving
>    groups with many members
> https://fedorahosted.org/sssd/ticket/2910
>    sssd mixup nested group from AD trusted domains
> https://fedorahosted.org/sssd/ticket/2912
>    refresh_expired_interval stops sss_cache from working
> https://fedorahosted.org/sssd/ticket/2917
>    Properly remove OriginalMemberOf attribute in SSSD cache if user has
>    no secondary groups anymore
> https://fedorahosted.org/sssd/ticket/2922
>    ID mapping - bug in computing max id for slice range
> https://fedorahosted.org/sssd/ticket/2925
>    Add gnome-screensaver to the list of PAM services considered for
>    Smartcard authentication
> https://fedorahosted.org/sssd/ticket/2931
>    Warn if user cannot read krb5.conf
> https://fedorahosted.org/sssd/ticket/2934
>    After removing certificate from user in IPA and even after sss_cache,
>    FindByCertificate still finds the user
> https://fedorahosted.org/sssd/ticket/2937
>    sss_obfuscate: SyntaxError: Missing parentheses in call to 'print'
> https://fedorahosted.org/sssd/ticket/2938
>    Cannot start sssd after switching to non-root
> https://fedorahosted.org/sssd/ticket/2959
>    The delete operation of the memberof plugin allocates memory on
>    NULL context
> https://fedorahosted.org/sssd/ticket/2960
>    IPA view: view name not stored properly with default FreeIPA installation
> https://fedorahosted.org/sssd/ticket/2961
>    Initgroups in AD provider might fail if user is stored in a non-default ou
> https://fedorahosted.org/sssd/ticket/2962
>    GPO: Access denied in non-root mode
> https://fedorahosted.org/sssd/ticket/2964
>    GPO: Access denied after blocking connection to AD.
> https://fedorahosted.org/sssd/ticket/2969
>    sudorule not working with ipa sudo_provider on older freeipa
> https://fedorahosted.org/sssd/ticket/2970
>    sudo smart refresh does not work correctly on openldap
> https://fedorahosted.org/sssd/ticket/2971
>    SSSD PAM module does not support multiple password prompts (e.g. Password
>    + Token) with sudo
> https://fedorahosted.org/sssd/ticket/2972
>    IPA sudo: support the externalUser attribute
> https://fedorahosted.org/sssd/ticket/2980
>    sssd_be[11010]: segfault at 0 ip 00007ff889ff61bb sp 00007ffc7d66a3b0
>    error 4 in libsss_ipa.so[7ff889fcf000+5d000]
>
> == Detailed Changelog ==
> Dan Lavu (1):
>  * PAM: Fix man for pam_account_{expired,locked}_message
>
> David Disseldorp (1):
>  * build: detect endianness at configure time
>
> Jakub Hrozek (17):
>  * Upgrading the version for the 1.13.4 release
>  * SDAP: Make it possible to silence errors from dereference
>  * Add a new option ldap_group_external_member
>  * IPA: Add interface to call into IPA provider from LDAP provider
>  * LDAP: Use the IPA provider interface to resolve external group members
>  * FO: Don't free rc-allocated structure
>  * tests: Reduce failover code duplication
>  * FO: Use refcount to keep track of servers returned to callers
>  * FO: Use tevent_req_defer_callback() when notifying callers
>  * memberof: Don't allocate on a NULL context
>  * tests: Add a unit test for the external groups resolution
>  * MAN: Remove duplicate description of the pam_account_locked_message
>    option
>  * AD: Recognize Windows Server 2016
>  * memberof: Fix a memory leak when removing ghost users
>  * memberof: Don't allocate on NULL when deleting memberUids
>  * tests: Check NULL context in sysdb-tests when removing group members
>  * Updating translations for the 1.13.4 release
>
> Lukas Slebodnik (33):
>  * SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
>  * CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL
>  * TESTS: Fix race condition in python test
>  * PYTHON: sss_obfuscate should work with python3
>  * PYTHON: Fix pep8 errors in sss_obfuscate
>  * UTIL: Backport error code ERR_ACCOUNT_LOCKED
>  * sss_idmap-tests: Fix segmentation fault
>  * krb5_child: Warn if user cannot read krb5.conf
>  * Fix typos reported by lintian
>  * UTIL: Use prefix for debug function
>  * UTIL: Provide varargs version of debug_fn
>  * UTIL: Use sss_vdebug_fn for callbacks
>  * Revert "DEBUG: Preventing chown_debug_file if journald on"
>  * DEBUG: Ignore ENOENT for change owner of log files
>  * TOOLS: Fix minor memory leak in sss_colondb_writeline
>  * CI: Use yum-deprecated instead of dnf
>  * FAIL_OVER: Fix warning value computed is not used
>  * UTIL: Fix indentation in dlinklist.h
>  * UTIL: Fix warning misleading-indentation
>  * CLIENT: Reduce code duplication
>  * CLIENT: Retry request after EPIPE
>  * UTIL: Move debug part from util.h -> new debug.h
>  * UTIL: Allow to append new line in sss_vdebug_fn
>  * AUTOMAKE: Force usage of parallel test harness
>  * CI: Use make check instead of make-check-wrap
>  * test_ipa_subdom_server: Workaround for slow krb5 + SELinux
>  * SPEC: Run extra unit tests with epel
>  * GPO: Soften umask in gpo_child
>  * GPO_CHILD: Create directories in gpo_cache with right permissions
>  * GPO: Process GPOS in offline mode if ldap search failed
>  * IPA: Check RDN in ipa_add_ad_memberships_get_next
>  * dp_ptask: Fix memory leak in synchronous ptask
>  * test_be_ptask: Check leaks in tests
>
> Michal Židek (6):
>  * NSS: do not skip cache check for netgoups
>  * util: Continue if setlocale fails
>  * server_setup: Log failed attempt to set locale
>  * tests: Run intgcheck without libsemanage
>  * tests: Regression test with wrong LC_ALL
>  * GPO: log specific ini parse error messages
>
> Pavel Březina (37):
>  * AD SRV: prefer site-local DCs in LDAP ping
>  * SDAP: do not fail if refs are found but not processed
>  * SDAP: Add request that iterates over all search bases
>  * SDAP: rename sdap_get_id_specific_filter
>  * SDAP: support empty filters in sdap_combine_filters()
>  * SUDO: use sdap_search_bases instead custom sb iterator
>  * SUDO: make sudo sysdb interface more reusable
>  * SUDO: move code shared between ldap and ipa to separate module
>  * SUDO: allow to disable ptask
>  * SUDO: fail on failed request that cannot be retry
>  * IPA: add ipa_get_rdn and ipa_check_rdn
>  * SDAP: use ipa_get_rdn() in nested groups
>  * IPA SUDO: choose between IPA and LDAP schema
>  * IPA SUDO: Add ipasudorule mapping
>  * IPA SUDO: Add ipasudocmdgrp mapping
>  * IPA SUDO: Add ipasudocmd mapping
>  * IPA SUDO: Implement sudo handler
>  * IPA SUDO: Implement full refresh
>  * IPA SUDO: Implement rules refresh
>  * IPA SUDO: Remember USN
>  * SDAP: Add sdap_or_filters
>  * IPA SUDO: Implement smart refresh
>  * SUDO: sdap_sudo_set_usn() do not steal usn
>  * SUDO: remove full_refresh_in_progress
>  * SUDO: assume zero if usn is unknown
>  * SUDO: allow disabling full refresh
>  * SUDO: remember usn as number instead of string
>  * SUDO: simplify usn filter
>  * IPA SUDO: Add support for ipaSudoRunAsExt* attributes
>  * sdap_connect_send: fail if uri or sockaddr is NULL
>  * cache_req: simplify cache_req_cache_check()
>  * cache_req: do not lookup views if possible
>  * remove user certificate if not found on the server
>  * IPA SUDO: download externalUser attribute
>  * IPA SUDO: fix typo
>  * IPA SUDO: support old ipasudocmd rdn
>  * SUDO: be able to parse modifyTimestamp correctly
>
> Pavel Reichl (11):
>  * sudo: remove unused param name in sdap_sudo_get_usn()
>  * sudo: remove unused param. in ldap_get_sudo_options
>  * IDMAP: Fix computing max id for slice range
>  * IDMAP: New structure for domain range params
>  * IDMAP: Add support for automatic adding of ranges
>  * IDMAP: Fix minor memory leak
>  * IDMAP: Man change for ldap_idmap_range_size option
>  * NSS: Fix memory leak netgroup
>  * IDMAP: Add test to validate off by one bug
>  * SDAP: Add return code ERR_ACCOUNT_LOCKED
>  * PAM: Pass account lockout status and display message
>
> Petr Cech (6):
>  * KRB5: Adding DNS SRV lookup for krb5 provider
>  * TOOLS: Fix memory leak after getline() failed
>  * TOOLS: Add comments on functions in colondb
>  * TEST_TOOLS_COLONDB: Add tests for sss_colondb_*
>  * REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
>  * REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)
>
> Stephen Gallagher (2):
>  * GPO: Add Cockpit to the Remote Interactive defaults
>  * GPO: Add other display managers to interactive logon
>
> Sumit Bose (20):
>  * nfs idmap: fix infinite loop
>  * Use right domain for user lookups
>  * sdap_save_grpmem: determine domain by SID if possible
>  * ipa_s2n_save_objects(): use configured user and group timeout
>  * ldap: remove originalMeberOf if there is no memberOf
>  * UTIL: allow to skip default options for child processes
>  * DP_TASK: add be_ptask_get_timeout()
>  * AD: add task to renew the machine account password if needed
>  * FO: add fo_get_active_server()
>  * FO: add be_fo_get_active_server_name()
>  * AD: try to use current server in the renewal task
>  * p11: add gnome-screensaver to list of allowed services
>  * IPA: lookup idview name even if there is no master domain record
>  * IPA: invalidate override data if original view is missing
>  * sdap: improve filtering of multiple results in GC lookups
>  * pam_sss: reorder pam_message array
>  * sss_override: do not generate DN, search object
>  * tools: read additional data of the master domain
>  * sss_override: only add domain if name is not fully qualified
>  * intg: local override for user with mixed case name
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project